Linux

SFTP: changing the default directory

  • March 14, 2022

I am setting up SFTP for a group of users who I only want to have SFTP access, so that they can upload files to the server. I have chrooted them into their own home directories and blocked shell logins. Each home directory has a subfolder for receiving uploads. I want the SFTP connection to change into this upload folder automatically at login. Pretty standard.

I am using the ForceCommand directive to achieve this successfully on the old server. However, on the new server that I am currently preparing, it does not work. Why?

/etc/ssh/sshd_config.d/sftpgroup.conf
Match Group ftpgroup
 # The following two directives force ftpgroup to become chrooted
 # and only have SFTP available. No other chroot setup is required.
 ChrootDirectory /home/ftp_users/%u
 ForceCommand internal-sftp -u 0002
 # For additional paranoia, disallow all types of port forwardings.
 AllowTcpForwarding no
 GatewayPorts no
 X11Forwarding no
 # Force local logging
 ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
 # Change default directory to ~/upload
 ForceCommand cd /upload
/var/log/auth.log with LogLevel DEBUG3
Mar  9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method none [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: attempt 0 failures 0 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 8 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 8
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow
Mar  9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config reprocess config len 383
Mar  9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/sftpgroup.conf len 228
Mar  9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup,!sftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar  9 15:18:03 MyServer sshd[393644]: debug1: user myuser does not match group list ftpgroup,!sftpgroup at line 4
Mar  9 15:18:03 MyServer sshd[393644]: debug3: match not found
Mar  9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar  9 15:18:03 MyServer sshd[393644]: debug1: user myuser matched group list ftpgroup at line 9
Mar  9 15:18:03 MyServer sshd[393644]: debug3: match found
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:12 setting ChrootDirectory /home/ftp_users/%u
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:13 setting ForceCommand internal-sftp -u 0002
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:15 setting AllowTcpForwarding no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:16 setting GatewayPorts no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:17 setting X11Forwarding no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:21 setting ForceCommand cd /upload
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 9
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 8 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: setting up authctxt for myuser [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_start_pam entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 100 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_inform_authserv entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 4 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method none [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 2.862ms, delaying 4.136ms (requested 6.998ms) [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 100
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: initializing for "myuser"
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_RHOST to "1.2.3.4"
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_TTY to "ssh"
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 100 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 4
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authserv: service=ssh-connection, style=, role=
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 4 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 51 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 2 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: Received SSH2_MSG_IGNORE [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 50 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method password [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: attempt 1 failures 0 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method password [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 12 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 12
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: password authentication accepted for myuser
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authpassword: sending result 1
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 13
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 102
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug1: do_pam_account: called
Mar  9 15:18:03 MyServer sshd[393644]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 103
Mar  9 15:18:03 MyServer sshd[393644]: Accepted password for myuser from 1.2.3.4 port 55095 ssh2
Mar  9 15:18:03 MyServer sshd[393644]: debug1: monitor_child_preauth: myuser has been authenticated by privileged process
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: Waiting for new keys
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 26
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: GOT new keys
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: user authenticated [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 7.172ms, delaying 6.825ms (requested 6.998ms) [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 102 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account returning 1 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 52 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 26 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_send_keystate: Finished sending state [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: monitor_read_log: child log fd closed
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ssh_sandbox_parent_finish: finished
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: establishing credentials
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: opening session
Mar  9 15:18:03 MyServer sshd[393644]: debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
Mar  9 15:18:03 MyServer sshd[393644]: pam_unix(sshd:session): session opened for user myuser(uid=1001) by (uid=0)
Mar  9 15:18:03 MyServer systemd-logind[607]: New session 530 of user myuser.
Mar  9 15:18:03 MyServer systemd: pam_unix(systemd-user:session): session opened for user myuser(uid=1001) by (uid=0)
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: User child is on pid 393672
Mar  9 15:18:03 MyServer sshd[393672]: debug1: SELinux support disabled
Mar  9 15:18:03 MyServer sshd[393672]: debug1: PAM: establishing credentials
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/myuser'
Mar  9 15:18:04 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:04 MyServer sshd[393644]: debug3: monitor_read: checking request 113
Mar  9 15:18:04 MyServer sshd[393644]: debug3: mm_answer_audit_command entering
ssh -V

Old server:

  • OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019

New server:

  • OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021

Update

It turns out that on the old system this was actually working because of manipulation of the home folder and symlinks, not because of the ForceCommand directive on that system (even though that directive was present).

ln -s /home/ftp_users/myuser /home/myuser
usermod -d /home/myuser myuser
ln -s ../upload /home/ftp_users/myuser/home/myuser

So when the user logs in and changes to ~, it goes to /home/myuser, which is /upload. After matching the home folder setup to the old system, the new system now routes correctly at login. Somewhat hacky and definitely not ideal (I was trying to avoid it), but it "works".

So the question becomes: why doesn't ForceCommand override this? Is it being executed at all? How can I tell?
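The question's fragment carries three ForceCommand lines inside one Match block. sshd_config(5) states that for each keyword the first obtained value is used, so the parser accepts the later duplicates (the DEBUG3 log prints "setting" for each of them) but they never take effect. The following is an added example, not code from the post or from OpenSSH: a POSIX shell linter that lists every keyword repeated within the same scope of an sshd_config fragment, how often it occurs, and the line whose value actually wins. The sample configuration it checks is a constructed copy of the question's fragment written to a temporary file.

```shell
#!/bin/sh
# Added example (not from the serverfault post): report sshd_config keywords
# that occur more than once in the same scope. sshd_config(5): "For each
# keyword, the first obtained value will be used", so later copies are
# silently ignored. In the question's fragment the three ForceCommand lines
# collapse to the first one, "internal-sftp -u 0002".

# Constructed copy of the question's Match block, written to the file in $1.
make_sample_config() {
    cat > "$1" <<'EOF'
Match Group ftpgroup
 # The following two directives force ftpgroup to become chrooted
 # and only have SFTP available. No other chroot setup is required.
 ChrootDirectory /home/ftp_users/%u
 ForceCommand internal-sftp -u 0002
 # For additional paranoia, disallow all types of port forwardings.
 AllowTcpForwarding no
 GatewayPorts no
 X11Forwarding no
 # Force local logging
 ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
 # Change default directory to ~/upload
 ForceCommand cd /upload
EOF
}

# Print one tab-separated line per shadowed keyword:
#   <scope> <keyword> <occurrences> <line number whose value takes effect>
# Scope is "global" until the first Match line, then the Match criteria.
# Keywords are compared case-insensitively, as sshd does.
find_shadowed_directives() {
    awk '
        BEGIN { scope = "global" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # strip leading indentation
        }
        line == "" || line ~ /^#/ { next }    # skip blank and comment lines
        {
            kw = tolower($1)
            if (kw == "match") {              # a Match line opens a new scope
                scope = line
                sub(/^[Mm][Aa][Tt][Cc][Hh][ \t]+/, "", scope)
                next
            }
            key = scope SUBSEP kw
            if (!(key in first)) {
                first[key] = NR               # this occurrence is the one used
                order[++n] = key
            }
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (count[key] > 1) {
                    split(key, parts, SUBSEP)
                    printf "%s\t%s\t%d\t%d\n", parts[1], parts[2], count[key], first[key]
                }
            }
        }
    ' "$1"
}

# Demo run on the constructed sample: prints the single shadowed keyword.
sample=$(mktemp)
make_sample_config "$sample"
find_shadowed_directives "$sample"
rm -f "$sample"
```

Run it against a real drop-in with `find_shadowed_directives /etc/ssh/sshd_config.d/sftpgroup.conf`; any keyword it reports should be reduced to the one line you actually intend, since the later ones are dead configuration. For the fragment above it reports the ForceCommand keyword three times in the "Group ftpgroup" scope with the first occurrence winning.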

You can add the -d path option to sftp-server to change the starting directory at login. The configuration line should be:

Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -d /upload

In newer versions of OpenSSH, the SFTP server functionality is available in-process by default, or by using the explicit internal-sftp specifier as the command to execute.

@user2100826 confirmed via this post that internal-sftp and sftp-server share the same command-line options (although I could not find this stated explicitly in the relevant man pages). Consult man sftp-server to check the usage of ChrootDirectory with ForceCommand or Subsystem.

So the desired behaviour can also be configured with the following line:

Subsystem sftp internal-sftp -l VERBOSE -d /upload

Also, check this answer.

Quoted from: https://serverfault.com/questions/1095709