Configure the SFTP server on Linux (CentOS)
- 2020-05-27 08:00:39
- OfStack
Compared with the traditional FTP service, SFTP is more convenient and more secure, and on most systems it is available as soon as the SSH server is installed.
However, an SFTP account is an SSH account (that is, a system account), so by default it has broad access to the server. The following tutorial shows how to restrict an SFTP account the way an FTP server restricts its users.
Necessary conditions:
Your openssh-server must be version 4.8p1 or later, because the restriction relies on the ChrootDirectory configuration option, which was added in that version.
To check the version of ssh on your server, run the following command:
$ ssh -V
Specific implementation steps
First, create a user group dedicated to sftp users:
$ groupadd sftpusers
Then create a user named test:
$ useradd -s /bin/false -G sftpusers test
Note that the shell of the test user is set to /bin/false, so the account has no shell access.
Edit /etc/ssh/sshd_config.
Find the Subsystem configuration item and change it to:
Subsystem sftp internal-sftp
Why use internal-sftp instead of the default sftp-server:
internal-sftp runs the sftp service inside the sshd process itself, so when a user is confined with ChrootDirectory no extra files (the sftp-server binary and its libraries) need to be present inside the chroot.
It also performs better, because no separate process has to be started for sftp.
Then go to the end of the file and add the following settings so that users belonging to the sftpusers group can only access their own home folder:
# Match a user group; to match multiple groups, separate them with commas
Match Group sftpusers
# Lock the logged-in user into their own home directory
ChrootDirectory %h
# Force the sftp command for these users
ForceCommand internal-sftp
# Add these two lines if you don't want the user to be able to use port forwarding; otherwise leave them out
X11Forwarding no
AllowTcpForwarding no
Save and close the file
Change the ownership of the test user's home folder so that it belongs to root:
chown root ~test
Restart the sshd service
$ service sshd restart
# or
$ systemctl restart sshd
Test the user account:
$ ssh test@localhost
The connection will be refused or the login will fail, because the account has no shell.
$ sftp test@localhost
Once logged in, you will find that you cannot change to any directory outside your home directory.
Frequently asked questions:
If the following prompt appears when you connect to the server:
> Write failed: Broken pipe
> Couldn't read packet: Connection reset by peer
This is caused by the permissions of the ChrootDirectory. The directory you set must be owned by root, otherwise the chroot fails. So make sure the sftp user's chroot directory is owned by root with 750 or 755 permissions. Note the following two principles:
Every directory from the chroot directory up to the system root must be owned by root (the group need not be root). None of the directories from the chroot directory up to the system root may be group-writable.
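To verify both rules before restarting sshd, here is an added shell script (not from the original article) that walks from a candidate ChrootDirectory up to the filesystem root and reports every directory that is not owned by root or that is group- or world-writable. It assumes GNU coreutils' stat -c as shipped on CentOS; the optional TOP and OWNER arguments are an addition made here so the same check can be exercised on a test tree that is not owned by root.

```shell
#!/bin/sh
# Added example, not part of the original article: walk from a candidate
# ChrootDirectory up to the top of the filesystem and report every directory
# that breaks one of the two rules (owner must be root, and no group or
# "other" write permission). Assumes GNU coreutils "stat -c" as on CentOS.
#
# Usage: check_chroot_path DIR [TOP] [OWNER]
#   TOP   directory at which to stop walking up (default: /)
#   OWNER expected owner of every directory     (default: root)
# TOP and OWNER are an assumption made here so the check can also be run
# against a throwaway test tree; for a real server keep the defaults.
check_chroot_path() {
    dir=$1
    top=${2:-/}
    want=${3:-root}
    bad=0
    while :; do
        owner=$(stat -c '%U' "$dir") || return 2
        perms=$(stat -c '%a' "$dir")
        # The last two octal digits are the group and "other" permission bits.
        last2=${perms#"${perms%??}"}
        g=${last2%?}
        o=${last2#?}
        # A digit of 2, 3, 6 or 7 in either position means the write bit is set.
        case "$g$o" in
            *[2367]*) echo "WRITABLE by group/other: $dir (mode $perms)"; bad=1 ;;
        esac
        if [ "$owner" != "$want" ]; then
            echo "WRONG OWNER: $dir is owned by $owner, expected $want"
            bad=1
        fi
        [ "$dir" = "$top" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# Run directly as a script to check a real home directory, for example:
#   sh check_chroot.sh /home/test
if [ $# -gt 0 ]; then
    check_chroot_path "$@" && echo "OK: $1 is safe to use as ChrootDirectory"
fi
```

Run it as sh check_chroot.sh /home/test after the chown step; a clean run prints OK and exits 0, and any offending directory is listed with its mode so it can be fixed with chown root or chmod 755. To confirm from sshd's side that the Match block really applies to the account, sshd -T -C user=test prints the effective configuration for that user, including the ChrootDirectory and ForceCommand values.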
Configure the sftp plug-in for Sublime Text 3
Use the Sublime Text 3 Package Control tool to search for and install the SFTP package; you can refer to the following article:
sublime text3 installs and configures the sftp plug-in
remote_path differs from its FTP counterpart: with FTP it is the directory (and subdirectories) visible remotely, whereas with SFTP it is the absolute directory path on the remote server, such as /home/html.
Set upload_on_save to true and a file will be uploaded to the server automatically whenever you save it.
Set sync_down_on_open to true and the remote file will be downloaded automatically to update the local copy whenever you open the local file for editing.