Configuring ssh and sftp, and setting permissions, on a Linux system

  • 2020-12-19 21:25:08
  • OfStack

sftp over ssh offers better security than ftp (the password is not sent in plaintext) and easier access management (the user's working directory can be restricted).

1. Open an sftp account so that the user can only operate on files over sftp and cannot log in to the server over ssh

2. Limit the user's working directory so that the user can only act within the specified directory, using sftp's ChrootDirectory configuration

Determine the version

[

# Make sure the OpenSSH version is above 4.8p1 (ChrootDirectory and internal-sftp need it); upgrade first if it is not.
# The rest of this article assumes a version above this. ssh -V prints the client version; the sshd on the server must meet the requirement too.
ssh -V

]

New users and user groups

[

# Add user group sftp
groupadd sftp
# Add the user with a specified home directory and user group; the shell /bin/false means no shell login is allowed
useradd -d /home/sftp -m -g sftp -s /bin/false sftp
# Set user password
passwd sftp

]

Active directory

[

# Create the working directory to which the user will be restricted
mkdir -p /var/www/sftp
# Note: the directory owner must be root. This is mandatory if the directory is to be used as the chroot directory below
# (its permissions must also be no more permissive than 0755)
chown root:sftp /var/www/sftp

]

Basic ssh configuration

[

# Configuration file of the ssh service
vi /etc/ssh/sshd_config

# Basic ssh remote login configuration
# Enable password authentication
PasswordAuthentication yes
# Disallow login with an empty password
PermitEmptyPasswords no
# Allow root to log in remotely (not needed for the sftp setup itself; hardening guides usually set this to no)
PermitRootLogin yes

]

At this point you can log in to the server remotely with ssh.

Configuring sftp

[

# Here we can use the internal-sftp service built into sshd to meet the requirements
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

]

Subsystem

Subsystem refers to the sftp module enabled here; we use the built-in internal-sftp to provide the service. With only this configured, the account can still log in with ssh as well as with an sftp client.

If you want the user to be sftp-only, unable to log in to the server with ssh, and you also want to limit the user's working directory, continue with the configuration below.

[

# Restrict the logged-in users
Match Group sftp
# %h (the user's home directory) and %u (the user name) can also be used here
ChrootDirectory /var/www/sftp
# Force the system's built-in internal-sftp, so the user can only log in with sftp
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

]

Match [User|Group] userName|groupName

Match [User|Group] sftp here is the configuration that restricts the matched users. Match applies to the matched user or user group, and its settings take precedence over ssh's general (global) configuration.

ChrootDirectory sets the user's working directory; %h expands to the user's home directory and %u to the user name. When a user matched by Match logs in, the root of the session is switched to this directory. Two points in particular:

1. Every directory on the chroot path must be owned by root, and its permissions must be at most 0755. This point must be checked and satisfied.

2. Once chroot is set, the root directory "/" of the corresponding user's session becomes the chroot directory. If you log in with ssh instead of sftp, you will most likely be prompted:

/bin/bash: No such file or directory

For the logged-in user, the root directory "/" of the session has been changed to the chroot directory you set. Unless your chroot is the system's "/", there is no bash binary under chroot/bin. This is similar to the -s /bin/false parameter set when adding the user: with /bin/false as the initial shell command, the user cannot log in remotely with ssh.
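The ownership rule in point 1 is easy to get wrong on a multi-level path such as /var/www/sftp, because every parent directory up to / counts. The following shell function, added here as an example and not part of the original article, walks each component of a chroot path and reports the first one that is not owned by the expected owner or that has a group/other write bit set (that is exactly what sshd checks: root-owned and no mode bits beyond 0755). It assumes GNU or busybox coreutils for stat -c; the function names and the optional OWNER argument (defaulting to root, added so the check can be exercised on a test tree) are my own.

```shell
#!/bin/sh
# Added example: verify that a directory satisfies sshd's ChrootDirectory rule.
# Every directory from / down to the target must be owned by OWNER (root by
# default) and must not be group- or world-writable (i.e. mode at most 0755).
# Assumes GNU/busybox "stat -c" (Linux).

# check_chroot_component DIR OWNER
# Check a single directory; print a verdict and return 0 (ok) or 1 (violation).
check_chroot_component() {
    p=$1
    owner=$2
    u=$(stat -c %U "$p" 2>/dev/null) || { echo "BAD  $p: cannot stat"; return 1; }
    m=$(stat -c %a "$p")
    if [ "$u" != "$owner" ]; then
        echo "BAD  $p: owned by $u, must be owned by $owner"
        return 1
    fi
    # The last two octal digits are the group and other permission sets.
    # A write bit there (digit 2, 3, 6 or 7) is what sshd rejects.
    go=${m#"${m%??}"}
    case $go in
        *[2367]*)
            echo "BAD  $p: mode $m is group/world writable (maximum is 0755)"
            return 1
            ;;
    esac
    echo "ok   $p (owner $u, mode $m)"
    return 0
}

# check_chroot_path DIR [OWNER]
# Walk from / down to DIR (resolving symlinks, as sshd does) and check each
# component. Stops at the first violation and returns 1; returns 0 if all pass.
check_chroot_path() {
    target=$1
    owner=${2:-root}
    abs=$(cd "$target" 2>/dev/null && pwd -P) || {
        echo "BAD  $target: not a directory"
        return 1
    }
    # Collect the components root-first in the positional parameters, so that
    # paths containing spaces are preserved.
    set --
    p=$abs
    while [ "$p" != "/" ]; do
        set -- "$p" "$@"
        p=$(dirname "$p")
    done
    set -- / "$@"
    for d in "$@"; do
        check_chroot_component "$d" "$owner" || return 1
    done
    return 0
}

# Usage: sh check_chroot.sh /var/www/sftp
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it against the chroot directory before restarting sshd; a failure on a parent such as /var/www (for example a web directory handed to a deploy user with mode 775) is the usual reason a ChrootDirectory login is refused.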

ForceCommand forces the initial command used when the user's session starts. With the configuration above, users matched by Match can only log in using the sftp protocol; a user who tries to log in with ssh is shown:
This service allows sftp connections only.

The configuration is complete; restart the sshd service:

service sshd restart
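Before restarting, it is worth checking that the directives landed in the right scope: everything after a Match line belongs to that block until the next Match, so a ChrootDirectory placed above the Match line applies to every user (and locks them all out) instead of only to the sftp group. The following shell function, added here as an example and not part of the original article, reads an sshd_config file with awk, tracks the current Match block, and reports whether the Subsystem line and the four Match Group sftp directives from this page are present where they should be. The function name is my own; it does not replace sshd -t (syntax check) or sshd -T -C user=sftp (effective configuration for a given user).

```shell
#!/bin/sh
# Added example: lint an sshd_config for the sftp chroot settings used above.
# Directives after a "Match" line belong to that block until the next "Match",
# so the awk program tracks the block it is in; only the "Match Group sftp"
# block is inspected for the chroot directives, and only the global scope for
# the Subsystem line. Prints findings and returns the number of problems (0 = ok).

# lint_sftp_config FILE
lint_sftp_config() {
    awk '
        # Skip blank lines and comment lines.
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        # A Match line opens a new block; remember it in normalised form.
        key == "match" { block = tolower($1 " " $2 " " $3); next }
        # Global scope: the sftp subsystem must be the built-in server, and a
        # ChrootDirectory here would apply to every user, not just the group.
        block == "" && key == "subsystem" && tolower($2) == "sftp" { subsystem = $3 }
        block == "" && key == "chrootdirectory" { globalchroot = $2 }
        # Inside "Match Group sftp": collect the four directives from the page.
        block == "match group sftp" {
            if (key == "chrootdirectory")    chroot = $2
            if (key == "forcecommand")       force  = $2
            if (key == "allowtcpforwarding") tcp    = tolower($2)
            if (key == "x11forwarding")      x11    = tolower($2)
        }
        END {
            n = 0
            if (subsystem != "internal-sftp") { print "PROBLEM: Subsystem sftp is \"" subsystem "\", expected internal-sftp"; n++ }
            if (globalchroot != "")           { print "PROBLEM: ChrootDirectory \"" globalchroot "\" is in global scope and applies to every user"; n++ }
            if (chroot == "")                 { print "PROBLEM: no ChrootDirectory inside Match Group sftp"; n++ }
            if (force != "internal-sftp")     { print "PROBLEM: ForceCommand is \"" force "\", expected internal-sftp"; n++ }
            if (tcp != "no")                  { print "PROBLEM: AllowTcpForwarding is not \"no\" inside Match Group sftp"; n++ }
            if (x11 != "no")                  { print "PROBLEM: X11Forwarding is not \"no\" inside Match Group sftp"; n++ }
            if (n == 0) print "ok: sftp chroot configuration is present and scoped to Match Group sftp"
            exit n
        }
    ' "$1"
}

# Usage: sh lint_sftp_config.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    lint_sftp_config "$@"
fi
```

The exit status is the number of problems found, so the function can gate a restart in a deployment script: run the lint, then sshd -t, and only then service sshd restart.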

Note:

1. Possible problems with chroot: since chroot switches the session's root directory to this point, an ssh login will most likely fail with /bin/bash: No such file or directory, because the shell path for this session resolves to chroot/bin/bash

2. ForceCommand is the initial command at the start of the session. If you specify internal-sftp, an ssh login is refused with This service allows sftp connections only. This is similar to the -s /bin/false setting: the user cannot invoke /bin/bash when logging in to the session, so ssh cannot log in to the server
