SFTP stands for Secret File Transfer Protocol, that is, a secure file transfer protocol. As more and more enterprises raise their security awareness, most run several rounds of internal security inspection and remediation each year, and replacing plaintext FTP with encrypted SFTP is one of the common remediation items.
Lab environment
Operating system: RHEL 6.10
OpenSSH: 8.4p1
Server side
Step 1: Install OpenSSH
OpenSSH releases after 4.8p1 ship with the SFTP module built in; using the latest OpenSSH release is recommended. See the tutorial: Compiling and installing OpenSSH on RHEL 6
Step 2: Create the group and the user
- # groupadd sftp
- # useradd wanghualang -g sftp -s /sbin/nologin -M
- # echo wanghualang:123456 | chpasswd
Step 3: Create the parent directory and set its ownership and permissions (sshd only allows a chroot into a directory that is owned by root and writable by nobody else, and the same rule applies to every directory above it)
- # mkdir /sftp
- # chown root:root /sftp
- # chmod 755 /sftp
Step 4: Create the user's subdirectory and set its ownership and permissions (the subdirectory belongs to the user so that uploads work inside the chroot)
- # mkdir /sftp/wanghualang
- # chown wanghualang:sftp /sftp/wanghualang
- # chmod 755 /sftp/wanghualang
Step 5: Edit the SSH configuration file
- # vim /etc/ssh/sshd_config
- # Append the following at the end of the configuration file
- Subsystem sftp internal-sftp -l INFO -f AUTHPRIV
- #ForceCommand internal-sftp
- Match Group sftp
- ChrootDirectory /sftp/
- X11Forwarding no
- AllowTcpForwarding no
The Match block must stay at the end of the file, because every directive after a Match line applies only to the sessions it matches. Since the session is chrooted, the -l INFO logging of internal-sftp may, on some operating systems, need a /dev/log socket inside the chroot directory (see sftp-server(8)). Full configuration for reference:
- #Port 22
- AddressFamily inet
- #ListenAddress 0.0.0.0
- #ListenAddress ::
- #HostKey /etc/ssh/ssh_host_rsa_key
- #HostKey /etc/ssh/ssh_host_ecdsa_key
- #HostKey /etc/ssh/ssh_host_ed25519_key
- #RekeyLimit default none
- #SyslogFacility AUTH
- SyslogFacility AUTHPRIV
- #LogLevel INFO
- #LoginGraceTime 2m
- PermitRootLogin yes
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
- #PubkeyAuthentication yes
- AuthorizedKeysFile .ssh/authorized_keys
- #AuthorizedPrincipalsFile none
- #AuthorizedKeysCommand none
- #AuthorizedKeysCommandUser nobody
- #HostbasedAuthentication no
- #IgnoreUserKnownHosts no
- #IgnoreRhosts yes
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
- ChallengeResponseAuthentication no
- #KerberosAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
- #UsePAM yes
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
- X11Forwarding yes
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
- PrintMotd no
- PrintLastLog no
- #TCPKeepAlive yes
- #PermitUserEnvironment no
- #Compression delayed
- #ClientAliveInterval 10
- #ClientAliveCountMax 3
- UseDNS no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
- #Banner none
- Subsystem sftp internal-sftp -l INFO -f AUTHPRIV
- #ForceCommand internal-sftp
- Match Group sftp
- ChrootDirectory /sftp/
- X11Forwarding no
- AllowTcpForwarding no
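As an added example that is not part of the original post, the following POSIX shell script ties steps 3 to 5 together: it checks that the chroot directory meets the ownership and mode rules sshd enforces (walking up to /), applies the directory layout from steps 3 and 4, and checks the sshd_config fragment from step 5 before the service is restarted. The function names are hypothetical; /sftp and the group name sftp are the post's own values; GNU stat (as on RHEL) is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the chroot
# directory and the sshd_config fragment from the steps above satisfy the
# requirements sshd enforces. Function names are hypothetical; /sftp and the
# group name "sftp" are the post's values. Uses GNU stat (-c), as on RHEL.

# sshd refuses a chrooted login ("bad ownership or modes for chroot directory")
# unless the ChrootDirectory and every directory above it is owned by root
# and writable by nobody but root. Returns 0 when $1 meets that rule.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1      # e.g. 755 or 1777
    if [ "$uid" != 0 ]; then
        echo "$dir: owner is uid $uid, must be root (uid 0)" >&2
        return 1
    fi
    other=${mode#${mode%?}}                    # last octal digit: others
    rest=${mode%?}
    group=${rest#${rest%?}}                    # second to last digit: group
    for bits in "$group" "$other"; do
        case $bits in
            2|3|6|7)                           # write bit (2) is set
                echo "$dir: mode $mode is group- or world-writable" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Walks from the chroot up to / so that a writable parent (e.g. /tmp) is
# caught as well.
check_chroot_path() {
    p=$1
    while :; do
        check_chroot_dir "$p" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Steps 3 and 4 of the post as one function (needs root): the chroot base is
# root-owned 755, the per-user subdirectory belongs to the user so uploads work.
make_sftp_user_dir() {
    base=$1; user=$2; grp=${3:-sftp}
    mkdir -p "$base/$user"
    chown root:root "$base" && chmod 755 "$base"
    chown "$user:$grp" "$base/$user" && chmod 755 "$base/$user"
    check_chroot_path "$base"
}

# Checks the sshd_config fragment from step 5: the in-process server must be
# used (an external sftp-server binary would have to exist inside the chroot),
# ChrootDirectory must sit in a "Match Group sftp" block rather than in the
# global section (which would chroot every login), and Subsystem is not
# allowed inside a Match block. Comment lines start with "#" and never match.
check_sshd_config() {
    awk '
        $1 == "Subsystem" && $2 == "sftp" {
            if (in_match) sub_in_match = 1
            else if ($3 == "internal-sftp") internal = 1
            else external = 1
        }
        $1 == "Match" { in_match = 1; if ($2 == "Group" && $3 == "sftp") match_sftp = 1 }
        $1 == "ChrootDirectory" && $2 != "none" { if (in_match) chroot = 1; else global_chroot = 1 }
        END {
            ok = 1
            if (!internal || external) { print "Subsystem sftp must be internal-sftp" | "cat 1>&2"; ok = 0 }
            if (sub_in_match) { print "Subsystem is not permitted inside Match" | "cat 1>&2"; ok = 0 }
            if (!match_sftp) { print "missing: Match Group sftp" | "cat 1>&2"; ok = 0 }
            if (!chroot) { print "ChrootDirectory must be set inside the Match block" | "cat 1>&2"; ok = 0 }
            if (global_chroot) { print "ChrootDirectory outside Match chroots every login" | "cat 1>&2"; ok = 0 }
            close("cat 1>&2")
            exit (ok ? 0 : 1)
        }' "$1"
}

# Usage (as root, after the steps above):
#   check_chroot_path /sftp && check_sshd_config /etc/ssh/sshd_config && sshd -t
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run `check_chroot_path /sftp` and `check_sshd_config /etc/ssh/sshd_config` as root before step 6; `sshd -t` then syntax-checks the file, and `sshd -T -C user=wanghualang,host=127.0.0.1,addr=127.0.0.1` prints the configuration sshd would actually apply to that user, which is the quickest way to confirm that the Match block takes effect.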
Step 6: Restart the service
- # service sshd restart
Step 7: Login test
- # sftp wanghualang@127.0.0.1
- wanghualang@127.0.0.1's password: 123456
- Connected to wanghualang@127.0.0.1.
- sftp>