For security reasons the company requires that users be given SFTP/SCP access so they can upload files to a designated directory, but no SSH login. rssh would also solve this, but it is a bit cumbersome, so in the end I settled on scponly.
Straight to the configuration process.
If your system is CentOS, use this configuration directly:
1. wget -c http://nchc.dl.sourceforge.net/s … nly/scponly-4.8.tgz   # scponly supports the scp, sftp, rsync, subversion, gftp and other clients
2. ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
3. make && make install   # build and install
4. echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
5. make jail   # creates the chroot user, its directories and the upload folder; answer the prompts
Then we write a script:
# vi limit_scp.sh
#!/bin/bash
# Populate the chroot jail of user $1 (created by `make jail`) with what scponlyc needs at run time.
cp /lib64/ld-linux-x86-64.so.* "/home/$1/lib64/"       # dynamic loader
cp /lib64/libnss_files.so.2 "/home/$1/usr/lib64/"      # NSS module, so the jailed process can map uid -> user name
ldconfig -r "/home/$1/"                                 # rebuild the loader cache relative to the jail root
cp /etc/group "/home/$1/etc/"
mkdir "/home/$1/dev"
mknod "/home/$1/dev/null" c 1 3                         # character device 1,3 = /dev/null
chmod 666 "/home/$1/dev/null"
# Note: this disables SELinux for the whole host at the next boot, not just for the jail.
cat > /etc/sysconfig/selinux << EOF
SELINUX=disabled
SELINUXTYPE=targeted
EOF
exit 0
6. sh +x limit_scp.sh username   # username is the one we set during `make jail`
After the steps above, SCP/SFTP uploads are confined to the designated directory.
Now we can go straight to the testing part.
If your system is Ubuntu, mind the version; mine is Ubuntu 12.04.1 LTS.
# wget http://ncu.dl.sourceforge.net/project/scponly/scponly/scponly-4.8/scponly-4.8.tgz
# tar -zxvf scponly-4.8.tgz
# ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
# make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"'
-o scponly.o -c scponly.c
scponly.c: In function ‘main’:
scponly.c:226:9: warning: ignoring return value of ‘fscanf’, declared with attribute
warn_unused_result [-Wunused-result]
-o helper.o -c helper.c
helper.c: In function ‘check_dangerous_args’:
helper.c:233:6: error: #elif with no expression
make: *** [helper.o] Error 1
root@ubuntu:/tmp/scponly-4.8# vi helper.c
Change line 233 from
#elif
to
#else
and run make again.
root@ubuntu:/tmp/scponly-4.8# make && make install
root@ubuntu:/tmp/scponly-4.8# echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
root@ubuntu:/tmp/scponly-4.8# ln -s /lib64/ld-linux-x86-64.so.2 /lib/ld.so
root@ubuntu:/tmp/scponly-4.8# make jail   # creates the chroot user, its directories and the upload folder; answer the prompts
-en Username to install [scponly]
mytest   # the user to create
-en home directory you wish to set for this user [/home/usertest]
# the user's home directory
-en name of the writeable subdirectory [incoming]
www   # the directory the user uploads into
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for usertest:
Enter new UNIX password:
root@ubuntu:/tmp/scponly-4.8# mkdir /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8# cp -rp /dev/null /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8# mkdir /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8# cp /lib64/ld-linux-x86-64.so.2 /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8# cp /lib/x86_64-linux-gnu/libnss_* -av /home/usertest/lib
Note: if the libraries are not copied, the login fails with an error like:
scponly unknown user 1005 lost connection
OK, let's test.
SSH
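Both the CentOS script and the manual Ubuntu steps above copy the same handful of files into the jail, and the "unknown user 1005" error is what you get when one of them is missing. The following audit script is an added example, not part of the original post: it checks a jail directory for the pieces the post copies in (dynamic loader, libnss_files, passwd/group copies, a real /dev/null character device, the upload directory) plus one thing the post does not mention (a world-writable jail root), and it confirms that an account is really locked to scponlyc. The jail layout (/home/<user>/{lib64,usr/lib64,etc,dev,<incoming>}), the default upload directory name "www" and the scponlyc path are taken from the post; everything else is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit an scponly chroot jail before
# handing the account over. Paths follow the post's layout; the helper names
# (jail_problems, shell_registered, user_shell, account_locked_to_scponly) are
# this example's own.

# jail_problems JAIL [INCOMING]: print one line per problem found; print nothing
# when the jail looks complete. INCOMING defaults to "www" as in the post.
jail_problems() {
    jail=$1
    incoming=${2:-www}

    # 1. the dynamic loader that the chrooted scponlyc/sftp-server need
    if ! ls "$jail"/lib64/ld-linux-x86-64.so.* >/dev/null 2>&1 \
       && ! ls "$jail"/lib/ld-linux*.so.* >/dev/null 2>&1; then
        echo "no dynamic loader under $jail/lib64 or $jail/lib"
    fi
    # 2. libnss_files: without it the jailed process cannot map uid -> name
    #    and the client sees "scponly unknown user <uid> lost connection"
    if ! find "$jail" -name 'libnss_files.so*' 2>/dev/null | grep -q .; then
        echo "no libnss_files.so* anywhere under $jail"
    fi
    # 3. passwd/group copies inside the jail
    for f in etc/passwd etc/group; do
        [ -f "$jail/$f" ] || echo "missing $jail/$f"
    done
    # 4. /dev/null must be a character device (mknod ... c 1 3), not a plain file
    [ -c "$jail/dev/null" ] || echo "$jail/dev/null is not a character device"
    # 5. the upload directory named during `make jail` must exist
    [ -d "$jail/$incoming" ] || echo "missing upload directory $jail/$incoming"
    # 6. the jail root itself must not be world-writable (-prune: look at the root only)
    if [ -n "$(find "$jail" -prune -perm -002 2>/dev/null)" ]; then
        echo "$jail is world-writable"
    fi
}

# shell_registered SHELLS_FILE SHELL: succeed if SHELL is listed as a whole line
# in SHELLS_FILE (sshd/login reject shells that are not in /etc/shells)
shell_registered() {
    grep -qxF "$2" "$1"
}

# user_shell PASSWD_FILE USER: print the login-shell field of USER
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# account_locked_to_scponly PASSWD_FILE SHELLS_FILE USER SCPONLYC: succeed only
# if USER's shell is SCPONLYC and SCPONLYC is registered in SHELLS_FILE
account_locked_to_scponly() {
    [ "$(user_shell "$1" "$3")" = "$4" ] && shell_registered "$2" "$4"
}

# Usage: sh audit_jail.sh /home/usertest www  (prints problems, exit 1 if any)
if [ $# -ge 1 ]; then
    problems=$(jail_problems "$1" "${2:-www}")
    if [ -n "$problems" ]; then
        echo "$problems"
        exit 1
    fi
    echo "jail $1 looks complete"
fi
```

Run it as root against the real jail (sh audit_jail.sh /home/usertest www) after `make jail` and the library copies; an empty report plus a successful account_locked_to_scponly check on /etc/passwd and /etc/shells is the state the SSH/SFTP/SCP tests below should confirm.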
root@ubuntu:/home/mygod# ssh usertest@18.92.185.2
The authenticity of host '18.92.185.2 (18.92.185.2)' can't be established.
ECDSA key fingerprint is c1:c2:6a:7a:68:c8:e5:a6:87:f4:9b:95:d5:fd:ff:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '18.92.185.2' (ECDSA) to the list of known hosts.
usertest@18.92.185.2's password:
Welcome to aliyun Elastic Compute Service!
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Tue May 5 16:57:18 2015 from 183.11.156.185
Connection to 18.92.185.2 closed.
SFTP
root@ubuntu:/home/mygod# sftp usertest@18.92.185.2
Connected to 18.92.185.2.
sftp> ls
bin dev etc lib lib64 usr www
sftp> cd /
sftp> cd /root
Couldn't canonicalise: No such file or directory
sftp>
SCP
root@ubuntu:/tmp# scp a.txt usertest@18.92.185.2:www
a.txt 100% 4 0.0KB/s 00:00
Verify the directory lockdown (a path outside the jail is invisible):
root@ubuntu:/tmp# scp usertest@18.92.185.2:/etc/group ./
scp: /etc/group: No such file or directory
This post is reproduced from jackjiaxiong's 51CTO blog; original link: http://blog.51cto.com/xiangcun168/1663153