Linux
SFTP: change the default directory
I'm setting up SFTP for a group of users who I want to have SFTP access only, so they can upload files to the server. I've chrooted them into their own home directories and blocked shell login. Each home directory has a subfolder for receiving uploads. I'd like the SFTP connection to change into this upload folder automatically on login. Pretty standard.

I'm using the `ForceCommand` directive to achieve this successfully on an old server. However, on the new server I'm currently preparing, it doesn't work. Why?

/etc/ssh/sshd_config.d/sftpgroup.conf
```
Match Group ftpgroup
    # The following two directives force ftpgroup to become chrooted
    # and only have SFTP available. No other chroot setup is required.
    ChrootDirectory /home/ftp_users/%u
    ForceCommand internal-sftp -u 0002
    # For additional paranoia, disallow all types of port forwardings.
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
    # Force local logging
    ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
    # Change default directory to ~/upload
    ForceCommand cd /upload
```
/var/log/auth.log with LogLevel DEBUG3
```
Mar 9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method none [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: attempt 0 failures 0 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 8 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 8
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow
Mar 9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config reprocess config len 383
Mar 9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/sftpgroup.conf len 228
Mar 9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup,!sftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar 9 15:18:03 MyServer sshd[393644]: debug1: user myuser does not match group list ftpgroup,!sftpgroup at line 4
Mar 9 15:18:03 MyServer sshd[393644]: debug3: match not found
Mar 9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar 9 15:18:03 MyServer sshd[393644]: debug1: user myuser matched group list ftpgroup at line 9
Mar 9 15:18:03 MyServer sshd[393644]: debug3: match found
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:12 setting ChrootDirectory /home/ftp_users/%u
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:13 setting ForceCommand internal-sftp -u 0002
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:15 setting AllowTcpForwarding no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:16 setting GatewayPorts no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:17 setting X11Forwarding no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:21 setting ForceCommand cd /upload
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 9
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 8 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: setting up authctxt for myuser [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_start_pam entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 100 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_inform_authserv entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 4 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method none [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 2.862ms, delaying 4.136ms (requested 6.998ms) [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 100
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: initializing for "myuser"
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_RHOST to "1.2.3.4"
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_TTY to "ssh"
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 100 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 4
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authserv: service=ssh-connection, style=, role=
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 4 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 51 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 2 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: Received SSH2_MSG_IGNORE [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 50 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method password [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: attempt 1 failures 0 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method password [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 12 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 12
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: password authentication accepted for myuser
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authpassword: sending result 1
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 13
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 102
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug1: do_pam_account: called
Mar 9 15:18:03 MyServer sshd[393644]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 103
Mar 9 15:18:03 MyServer sshd[393644]: Accepted password for myuser from 1.2.3.4 port 55095 ssh2
Mar 9 15:18:03 MyServer sshd[393644]: debug1: monitor_child_preauth: myuser has been authenticated by privileged process
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: Waiting for new keys
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 26
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: GOT new keys
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: user authenticated [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 7.172ms, delaying 6.825ms (requested 6.998ms) [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 102 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account returning 1 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 52 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 26 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_send_keystate: Finished sending state [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: monitor_read_log: child log fd closed
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ssh_sandbox_parent_finish: finished
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: establishing credentials
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: opening session
Mar 9 15:18:03 MyServer sshd[393644]: debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
Mar 9 15:18:03 MyServer sshd[393644]: pam_unix(sshd:session): session opened for user myuser(uid=1001) by (uid=0)
Mar 9 15:18:03 MyServer systemd-logind[607]: New session 530 of user myuser.
Mar 9 15:18:03 MyServer systemd: pam_unix(systemd-user:session): session opened for user myuser(uid=1001) by (uid=0)
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: User child is on pid 393672
Mar 9 15:18:03 MyServer sshd[393672]: debug1: SELinux support disabled
Mar 9 15:18:03 MyServer sshd[393672]: debug1: PAM: establishing credentials
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/myuser'
Mar 9 15:18:04 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:04 MyServer sshd[393644]: debug3: monitor_read: checking request 113
Mar 9 15:18:04 MyServer sshd[393644]: debug3: mm_answer_audit_command entering
```
ssh -V

Old server:
- OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019

New server:
- OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021
Update

It turns out that on the old system this was actually working because of home-folder and symlink manipulation, not because of the `ForceCommand` directive on that system (even though the directive is present):

```
ln -s /home/ftp_users/myuser /home/myuser
usermod -d /home/myuser myuser
ln -s ../upload /home/ftp_users/myuser/home/myuser
```

So when the user logs in and changes to `~`, it goes to /home/myuser, which is /upload. With the home-folder setup made to match the old system, the new system now routes correctly on login. A bit of a hack and definitely not ideal (I'm trying to avoid it), but it "works". So the question becomes: why doesn't `ForceCommand` override this? Is it executing? How would I know?
You can add the `-d path` option to `sftp-server` to change the starting directory at login. The config line should be:

```
Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -d /upload
```

In later versions of OpenSSH the SFTP server functionality is available in-process by default, or with the explicit `internal-sftp` specifier as the executed command. @user2100826 confirmed via this post that `internal-sftp` and `sftp-server` share the same command-line options (though I could not find that stated explicitly in the relevant man page). Consult `man sftp-server` to check on the use of `ChrootDirectory` with `ForceCommand` or `Subsystem`. So the desired behaviour can also be configured with the line:

```
Subsystem sftp internal-sftp -l VERBOSE -d /upload
```

Also, check this answer.
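The question's Match block sets `ForceCommand` three times and then asks why the last one does not take effect. The following script is an added example, not code from the question, the answer or OpenSSH: it walks an sshd_config fragment the way sshd's Match reprocessing does and reports which directive wins for a given user and which later repeats are dropped. It assumes two rules from sshd_config(5): options in a matching Match block override the global section, and when a keyword is obtained more than once the first value is used. Only `Match all`, `Match User` and `Match Group` criteria are modelled, `fnmatch` stands in for sshd's own pattern matcher, and the sample config, user name and group memberships are constructed here (lines 1-8 of the sample are invented; lines 9-21 reproduce the question's block so the line numbers agree with its debug log).

```python
"""Resolve which sshd_config directives a user would actually get.

Added example for this Q&A; it is not OpenSSH code. It models the
sshd_config(5) rules that a matching Match block overrides the global
section and that the first obtained value of a keyword wins. Only
`Match all`, `Match User` and `Match Group` are handled; Host/Address
criteria are treated as not matching. Pattern matching uses fnmatch as
an approximation of sshd's matcher (an assumption).
"""
import fnmatch

# Constructed sample. Lines 1-8 are invented; lines 9-21 reproduce the
# question's Match block so line numbers agree with its debug3 log.
SAMPLE_CONF = """\
# constructed sample of /etc/ssh/sshd_config.d/sftpgroup.conf
# (lines 1-8 invented for this example)

Match Group ftpgroup,!sftpgroup
    ChrootDirectory /home/ftp_users/%u
    ForceCommand internal-sftp
    # constructed block contents

Match Group ftpgroup
    # The following two directives force ftpgroup to become chrooted
    # and only have SFTP available. No other chroot setup is required.
    ChrootDirectory /home/ftp_users/%u
    ForceCommand internal-sftp -u 0002
    # For additional paranoia, disallow all types of port forwardings.
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
    # Force local logging
    ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
    # Change default directory to ~/upload
    ForceCommand cd /upload
"""


def match_pattern_list(name, pattern_list):
    """1 = positive match, -1 = a negated pattern matched, 0 = no match."""
    got_positive = 0
    for pat in pattern_list.split(","):
        if not pat:
            continue
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def group_list_matches(groups, pattern_list):
    """Any group matching positively wins, unless some group hits a
    negated pattern, in which case the whole list fails to match."""
    found = False
    for g in groups:
        r = match_pattern_list(g, pattern_list)
        if r == -1:
            return False
        found = found or r == 1
    return found


def block_matches(criteria, user, groups):
    """criteria are the tokens after 'Match'; every pair must be satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if not criteria or len(criteria) % 2:
        return False
    for crit, arg in zip(criteria[::2], criteria[1::2]):
        crit = crit.lower()
        if crit == "user":
            ok = match_pattern_list(user, arg) == 1
        elif crit == "group":
            ok = group_list_matches(groups, arg)
        else:
            ok = False  # Host/Address/LocalPort etc. are not modelled
        if not ok:
            return False
    return True


def resolve(conf_text, user, groups):
    """Return (effective, ignored): effective maps lower-cased keyword to
    (Keyword, value, line); ignored lists (line, Keyword, value, winner_line)
    for directives sshd would drop because the keyword was already set."""
    global_opts, match_opts, ignored = {}, {}, []
    section, active = global_opts, True
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd honours whole-line comments only
            continue
        parts = line.split(None, 1)
        kw, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if kw.lower() == "match":
            section = match_opts
            active = block_matches(rest.split(), user, groups)
            continue
        if not active:
            continue
        key = kw.lower()
        if key in section:
            ignored.append((n, kw, rest, section[key][2]))
        else:
            section[key] = (kw, rest, n)
    effective = dict(global_opts)
    effective.update(match_opts)  # matched blocks override the global section
    return effective, ignored


def report(conf_text, user, groups):
    """Human-readable summary lines for the resolved configuration."""
    effective, ignored = resolve(conf_text, user, groups)
    out = [f"effective settings for {user} (groups: {', '.join(groups)}):"]
    for kw, val, n in sorted(effective.values(), key=lambda t: t[2]):
        out.append(f"  line {n}: {kw} {val}")
    for n, kw, val, winner in ignored:
        out.append(f"  IGNORED line {n}: {kw} {val}  (line {winner} was obtained first)")
    return out


if __name__ == "__main__":
    # Constructed membership: the question's log shows the line-4 block not
    # matching, which is what happens when the user is also in sftpgroup.
    print("\n".join(report(SAMPLE_CONF, "myuser", ["myuser", "ftpgroup", "sftpgroup"])))
```

On a real host the authoritative check is `sshd -T -C user=myuser,host=1.2.3.4,addr=1.2.3.4`, which prints the options sshd would apply for that connection; this script only makes the first-value-wins behaviour visible on a config fragment without touching the server.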