# for RHEL 7
https://wiki.moonshot.ja.net/pages/viewpage.action?pageId=6422607
https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting
#1. for init os config.
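# Fetch the three source tarballs from the internal mirror into /root/ins.
# NOTE(review): plain HTTP from an internal host, and nothing here checks the
# archives against the upstream release signatures/checksums — do that before
# building, since this OpenSSL/OpenSSH will replace the system ones.
ins_dir=/root/ins
mkdir -p -- "$ins_dir"
for tarball in openssh-7.7p1.tar.gz openssl-1.0.2o.tar.gz openssl-fips-2.0.16.tar.gz; do
  wget --directory-prefix="$ins_dir" "http://10.245.254.171/linux/DFS/openssh/$tarball" || exit 1
done
# Build dependencies. pam-devel is installed, but the ./configure step below
# is not given --with-pam, so the resulting sshd does not use PAM unless that
# flag is added.
yum install -y gcc zlib-devel pam-devel perl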
#2. install openssl & openssh
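# Build order: FIPS object module -> OpenSSL 1.0.2o (fips, shared) ->
# OpenSSH 7.7p1 against that OpenSSL.
# NOTE(review): --prefix=/usr overwrites the distribution's libssl/libcrypto,
# so every program on the host that links OpenSSL picks up this build; the note
# at the end of this page describes the /usr/local + ldconfig alternative.
tar zxpf /root/ins/openssl-fips-2.0.16.tar.gz -C /root/ins || exit 1
cd /root/ins/openssl-fips-2.0.16 || exit 1
./config || exit 1
make && make install || exit 1

tar zxpf /root/ins/openssl-1.0.2o.tar.gz -C /root/ins || exit 1
cd /root/ins/openssl-1.0.2o || exit 1
# "fips" builds a FIPS-capable library; no-ssl3 removes SSLv3 support.
./config fips shared --prefix=/usr no-ssl3 || exit 1
make && make install || exit 1

tar zxpf /root/ins/openssh-7.7p1.tar.gz -C /root/ins || exit 1
cd /root/ins/openssh-7.7p1 || exit 1
./configure \
  --prefix=/usr \
  --sysconfdir=/etc/ssh \
  --disable-strip \
  --with-ssl-engine \
  --with-ipaddr-display || exit 1
make && make install || exit 1
# Host private keys must not be group/world readable.
chmod 0600 /etc/ssh/*key
# Replace the distribution sshd_config with the upstream default from the
# source tree (cwd is still the openssh build directory); step 3 appends the
# SFTP configuration to it.
/usr/bin/cp sshd_config /etc/ssh
# The upstream build has no systemd sd_notify support, so Type=notify would
# leave the unit stuck in "activating" until it times out. The stock RHEL 7
# unit runs "sshd -D" (foreground), for which Type=simple is the matching
# non-notify type (Type=forking would wait for a daemonize that never happens).
# Check ExecStart in the unit first if it has been customised.
sed -i 's/^Type=notify$/Type=simple/' /usr/lib/systemd/system/sshd.service
systemctl daemon-reload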
#3. configuration for sftp.
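# Comment out every active Subsystem line so the one appended below is the
# only definition. Lines that are already comments are left alone (idempotent).
sed -i 's/^[[:space:]]*Subsystem/#&/' /etc/ssh/sshd_config
# Quoted delimiter: nothing in the body is expanded by the shell.
# The DenyGroups comment is on its own line; sshd_config has no trailing
# comments, so text after the group name would be read as more group names.
cat <<'EOF' >>/etc/ssh/sshd_config
Subsystem sftp internal-sftp
# DenyGroups is a global option and presumably must stay ahead of the Match
# block: every line after a Match line belongs to that block.
DenyGroups sftpxxx
Match group sftponly
ChrootDirectory /sftproot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -l INFO -f LOCAL5
PasswordAuthentication no
ClientAliveInterval 60
AuthorizedKeysFile /sftproot/%u/.ssh/authorized_keys
EOF
# Validate the merged config before restarting, so a bad edit cannot take the
# daemon down and lock the host out.
sshd -t || exit 1
systemctl restart sshd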
#4. config chroot sftp logging,
for rsyslog 8.24 and openssh-server 7.4p1, OS based on RHEL 7
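# Per-chroot syslog socket: the chrooted internal-sftp (ChrootDirectory
# /sftproot/%u in step 3) can only reach a /dev/log that lives inside its
# chroot, so rsyslog listens on an extra socket there. The directory is
# created here as well as in step 6 (mkdir -p is idempotent) because rsyslog
# is restarted now, before step 6 runs, and presumably cannot create the
# socket in a missing directory — confirm against the rsyslog log.
mkdir -p /sftproot/sftpu1/dev
# Quoted delimiter: "$" is literal, so no escaping is needed. The leading "-"
# on the file action skips the per-message sync.
cat <<'EOF' >/etc/rsyslog.d/sftp.conf
$AddUnixListenSocket /sftproot/sftpu1/dev/log
:msg, contains, "opendir" stop
:msg, contains, "closedir" stop
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop
EOF
systemctl restart rsyslog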
#5. create user.
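# SFTP-only group and first account. The account gets no home directory (-M)
# and a non-interactive shell.
groupadd -g 521 sftponly
# Register /bin/false as a valid shell only if it is not listed yet, so
# re-running this step does not duplicate the entry. (Presumably needed by
# tools that consult /etc/shells; sshd itself does not require it — verify.)
grep -qxF /bin/false /etc/shells || echo "/bin/false" >> /etc/shells
useradd -M -g sftponly -s /bin/false sftpu1
# NOTE(review): the password used to be a literal in this file. It now comes
# from the environment and is never written here. The Match block in step 3
# sets PasswordAuthentication no for this group, so it is not usable for SFTP
# logins; presumably it is set only so the new account is not left locked —
# confirm, and consider "usermod -p '*'" style unlocking instead.
: "${SFTP_PASSWORD:?set SFTP_PASSWORD in the environment before running this step}"
printf '%s\n' "$SFTP_PASSWORD" | passwd --stdin sftpu1 > /dev/null 2>&1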
#6. config sftp user directory permission
因为chroot必须目录是只有root可写,因此咱们 ChrootDirectory /sftproot/%u 以后,必须把/sftproot/%u 改成root权限; 另建 %u/data目录,供用户读写;
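# Chroot layout. As the note above says, sshd requires the ChrootDirectory
# itself (and each directory above it) to be root-owned and not writable by
# anyone else, so ownership/mode are set explicitly rather than left to the
# umask; the user writes into the separate data/ subdirectory. dev/ holds
# the rsyslog socket from step 4.
mkdir -p /sftproot/sftpu1/{data,dev}
chown root:root /sftproot /sftproot/sftpu1
chmod 755 /sftproot /sftproot/sftpu1
chown sftpu1:sftponly /sftproot/sftpu1/data
chmod 700 /sftproot/sftpu1/data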
#7. AuthorizedKeysFile config
若是计划使用密钥登录,authorized_keys密钥文件,需放置在默认的帐号目录/sftproot/%u/.ssh
- /sftproot/%u/.ssh 权限为700
- /sftproot/%u/.ssh/authorized_keys 权限为600
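# Key-based login: step 3 points AuthorizedKeysFile at
# /sftproot/%u/.ssh/authorized_keys, so the key file lives inside the chroot
# (.ssh 700, authorized_keys 600, owned by the user, as the note above says).
# NOTE(review): the original copies root's own authorized_keys, which lets
# every holder of a root login key log in as sftpu1 too. Point
# SFTP_AUTHORIZED_KEYS at the SFTP user's own public key file instead; the
# default keeps the original behaviour.
key_src=${SFTP_AUTHORIZED_KEYS:-"$HOME/.ssh/authorized_keys"}
mkdir -p -m 700 /sftproot/sftpu1/.ssh
cp -- "$key_src" /sftproot/sftpu1/.ssh/authorized_keys
chmod 0600 /sftproot/sftpu1/.ssh/authorized_keys
chown -R sftpu1:sftponly /sftproot/sftpu1/.ssh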
说明:
1. Match 引入一个条件块。块的结尾标志是另外一个 Match 指令或者文件结尾。若是 Match 行上指定的条件都满足,那么随后的指令将覆盖全局配置中的指令。详细可查阅 man sshd_config
2. FYI a small update rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
This discusses the use of & stop instead of & ~:
https://www.rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html
The discard action (tilde character) has been replaced by the “stop” RainerScript directive. It is considered more intuitive and offers slightly better performance.
在rsyslog7后,有此变动;网络上多数文章,就是基于rsyslog5版本。因此此处须要注意
3. 写的较完整的一篇文章 https://www.the-art-of-web.com/system/sftp-logging-chroot/
/usr/bin/ld: warning: -z retpolineplt ignored.
https://unix.stackexchange.com/questions/137943/cross-compiling-openssh-for-android
https://www.tecmint.com/find-failed-ssh-login-attempts-in-linux/
说明1,若是 ssl 不是安装在 /usr 目录, 那么其它软件将有可能调用不到 ssl 库文件; 这种状况下处理如下: # echo "/usr/local/lib64" > /etc/ld.so.conf # ldconfig (注意 `>` 会覆盖 /etc/ld.so.conf 的原有内容, 用 `>>` 追加或在 /etc/ld.so.conf.d/ 下新建文件更安全)