https://www.cnblogs.com/huahuot/p/14010374.html
    https://www.cnblogs.com/wooya/p/9392142.html

    ssh和sftp通过openssh服务ftp加密访问但却和sah服务共用一个端口,安全基线是不符合,特别是通过公网与其他公司文件交互时 ssh的端口就完全被暴露在公网上,就算使用 /etc/hosts.alow限制IP地址访问也会涉及暴露ssh端口的风险,因此需要把sftp从ssh服务里分离出来,只暴露sftp的端口和锁定家目录 这样基于白名单和密钥验证方式部署ftp服务器才能保证安全

    1 注释ssh配置文件里的sftp子服务

    2 添加sftp服务和配置文件

    3 锁定sftp用户家目录

    该方式适用于为编译升级过openssh 系统部署 CentOS 7

    2. cp /usr/lib/systemd/system/sshd.service  /etc/systemd/system/sftpd.service
    3. cp /etc/pam.d/sshd  /etc/pam.d/sftpd
    4. cp /etc/ssh/sshd_config  /etc/ssh/sftpd_config
    5. ln -sf  /usr/sbin/service  /usr/sbin/rcsftpd
    6. ln -sf  /usr/sbin/sshd  /usr/sbin/sftpd
    7. cp /etc/sysconfig/sshd  /etc/sysconfig/sftp
    8. cp /var/run/sshd.pid  /var/run/sftpd.pid
    12. cat > /etc/systemd/system/sftpd.service<<EOF
    13. [Unit]
    14. Description=OpenSSH server daemon
    15. #Documentation=man:sshd(8) man:sshd_config(5)
    16. Description=Sftp server daemon
    17. After=network.target sshd-keygen.service
    18. Wants=sshd-keygen.service
    20. [Service]
    21. Type=notify
    22. #EnvironmentFile=/etc/sysconfig/sshd
    23. #ExecStart=/usr/sbin/sshd -D $OPTIONS
    24. EnvironmentFile=-/etc/sysconfig/sftpd
    25. ExecStart=/usr/sbin/sftpd -f /etc/ssh/sftpd_config
    26. ExecReload=/bin/kill -HUP $MAINPID
    27. KillMode=process
    28. Restart=on-failure
    29. RestartSec=42s
    31. [Install]
    32. WantedBy=multi-user.target
    33. EOF
    41. [root@n9e ~]# grep ^[^#] /etc/pam.d/sftpd
    42. auth     required     pam_tally2.so   deny=6  unlock_time=300
    43. auth       required    pam_sepermit.so
    44. auth       substack     password-auth
    45. auth       include      postlogin
    46. -auth      optional     pam_reauthorize.so prepare
    47. account    required     pam_nologin.so
    48. account    include      password-auth
    49. password   include      password-auth
    50. session    required     pam_selinux.so close
    51. session    required     pam_loginuid.so
    52. session    required     pam_selinux.so open env_params
    53. session    required     pam_namespace.so
    54. session    optional     pam_keyinit.so force revoke
    55. session    include      password-auth
    56. session    include      postlogin
    57. -session   optional     pam_reauthorize.so prepare
    58. [root@n9e ~]#
    65. [root@n9e home]# grep ^[^#] /etc/ssh/sftpd_config
    66. cat > /etc/ssh/sftpd_config<<EOF
    67. Port 22222
    68. HostKey /etc/ssh/ssh_host_rsa_key
    69. HostKey /etc/ssh/ssh_host_ecdsa_key
    70. HostKey /etc/ssh/ssh_host_ed25519_key
    71. SyslogFacility AUTHPRIV
    72. PermitRootLogin yes
    73. AuthorizedKeysFile    .ssh/authorized_keys
    74. PasswordAuthentication yes
    75. ChallengeResponseAuthentication no
    76. GSSAPIAuthentication yes
    77. GSSAPICleanupCredentials no
    78. UsePAM yes
    79. X11Forwarding yes
    80. UseDNS no
    81. Banner /etc/issue.net
    82. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    83. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    84. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    85. AcceptEnv XMODIFIERS
    86. PidFile /var/run/sftpd.pid
    87. Subsystem sftp internal-sftp
    88. Match Group sftp
    89. X11Forwarding no
    90. AllowTcpForwarding no
    91. ForceCommand internal-sftp
    92. ChrootDirectory /data/sftp/%u
    93. EOF
    98. [root@n9e ~]# cat /etc/sysconfig/sftp
    99. # Configuration file for the sshd service.
    101. # The server keys are automatically generated if they are missing.
    102. # To change the automatic creation uncomment and change the appropriate
    103. # line. Accepted key types are: DSA RSA ECDSA ED25519.
    104. # The default is "RSA ECDSA ED25519"
    106. # AUTOCREATE_SERVER_KEYS=""
    107. # AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
    109. # Do not change this option unless you have hardware random
    110. # generator and you REALLY know what you are doing
    112. SSH_USE_STRONG_RNG=0
    113. # SSH_USE_STRONG_RNG=1
    114. [root@n9e ~]# 
    118. [root@n9e ~]# grep ^[^#] /etc/sysconfig/sftp
    119. SSH_USE_STRONG_RNG=0
    120. [root@n9e ~]#
    126. > /var/run/sftpd.pid
    130. systemctl daemon-reload
    131. systemctl enable sftpd.service
    132. systemctl restart sftpd.service
    139. 锁定家目录:
    140. groupadd sftp
    141. useradd -g sftp -s /bin/false mysftp
    142. passwd mysftp 
    143. mkdir -p /data/sftp/mysftp
    144. usermod -d /data/sftp/mysftp mysftp
    145. chown root:sftp /data/sftp/mysftp
    146. chmod 755 /data/sftp/mysftp
    147. 读写目录:
    148. chmod 775 /data/sftp/mysftp-witer
    149. systemctl restart sftpd.service 
    153. mkdir -p /home/mysftp/.ssh
    155. chown mysftp:sftp /home/zhangsan/.ssh
    157. chmod 700 /home/mysftp/.ssh
    159. cat xxx.pub >/home/mysftp/.ssh/authorized_keys
    161. chown mysftp:sftp /home/mysftp/.ssh/authorized_keys
    163. chmod 700 /home/mysftp/.ssh/authorized_keys
    166. 目录的权限设定有两个要点:
    167. 1、由ChrootDirectory指定的目录开始一直往上到系统根目录为止的目录拥有者都只能是root
    168. 2、由ChrootDirectory指定的目录开始一直往上到系统根目录为止都不可以具有群组写入权限
    171. [root@n9e ~]# ll /data/
    172. total 0
    173. drwxr-xr-x 5 root root 68 Oct 26 09:05 filebrowser
    174. drwxr-xr-x 3 root root 20 Dec 11 19:23 sftp
    175. [root@n9e ~]# cd /data/sftp/
    176. [root@n9e sftp]# pwd
    177. /data/sftp
    178. [root@n9e sftp]# ll
    179. total 0
    180. drwxr-xr-x 2 root sftp 6 Dec 11 19:23 mysftp
    181. [root@n9e sftp]# 
    182. [root@n9e sftp]# cd mysftp/
    183. [root@n9e mysftp]# ls -l
    184. total 0
    185. [root@n9e mysftp]# touch test
    186. [root@n9e mysftp]# ll
    187. total 0
    188. -rw-r--r-- 1 root root 0 Dec 11 19:40 test
    189. [root@n9e mysftp]#

    image.png

    image.png

    image.png

    1. [chroot@riyimei ~]$ sftp -oPort=22222 -v mysftp@192.168.11.81
    2. OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    3. debug1: Reading configuration data /etc/ssh/ssh_config
    4. debug1: /etc/ssh/ssh_config line 58: Applying options for *
    5. debug1: Connecting to 192.168.11.81 [192.168.11.81] port 22222.
    6. debug1: Connection established.
    7. debug1: SELinux support disabled
    8. debug1: key_load_public: No such file or directory
    9. debug1: identity file /home/chroot/.ssh/id_rsa type -1
    10. debug1: key_load_public: No such file or directory
    11. debug1: identity file /home/chroot/.ssh/id_rsa-cert type -1
    12. debug1: key_load_public: No such file or directory
    13. debug1: identity file /home/chroot/.ssh/id_dsa type -1
    14. debug1: key_load_public: No such file or directory
    15. debug1: identity file /home/chroot/.ssh/id_dsa-cert type -1
    16. debug1: key_load_public: No such file or directory
    17. debug1: identity file /home/chroot/.ssh/id_ecdsa type -1
    18. debug1: key_load_public: No such file or directory
    19. debug1: identity file /home/chroot/.ssh/id_ecdsa-cert type -1
    20. debug1: key_load_public: No such file or directory
    21. debug1: identity file /home/chroot/.ssh/id_ed25519 type -1
    22. debug1: key_load_public: No such file or directory
    23. debug1: identity file /home/chroot/.ssh/id_ed25519-cert type -1
    24. debug1: Enabling compatibility mode for protocol 2.0
    25. debug1: Local version string SSH-2.0-OpenSSH_7.4
    26. debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    27. debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
    28. debug1: Authenticating to 192.168.11.81:22222 as 'mysftp'
    29. debug1: SSH2_MSG_KEXINIT sent
    30. debug1: SSH2_MSG_KEXINIT received
    31. debug1: kex: algorithm: curve25519-sha256
    32. debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    33. debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    34. debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    35. debug1: kex: curve25519-sha256 need=64 dh_need=64
    36. debug1: kex: curve25519-sha256 need=64 dh_need=64
    37. debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    38. debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xvABNXYzwRw/ORT/FVX8uFJ3p4hdc8PcZEdrPFmCGGQ
    39. debug1: checking without port identifier
    40. The authenticity of host '[192.168.11.81]:22222 ([192.168.11.81]:22222)' can't be established.
    41. ECDSA key fingerprint is SHA256:xvABNXYzwRw/ORT/FVX8uFJ3p4hdc8PcZEdrPFmCGGQ.
    42. ECDSA key fingerprint is MD5:8a:50:00:d0:ff:7d:5e:f7:90:80:06:76:02:18:7d:a1.
    43. Are you sure you want to continue connecting (yes/no)? yes
    44. Warning: Permanently added '[192.168.11.81]:22222' (ECDSA) to the list of known hosts.
    45. debug1: rekey after 134217728 blocks
    46. debug1: SSH2_MSG_NEWKEYS sent
    47. debug1: expecting SSH2_MSG_NEWKEYS
    48. debug1: SSH2_MSG_NEWKEYS received
    49. debug1: rekey after 134217728 blocks
    50. debug1: SSH2_MSG_EXT_INFO received
    51. debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    52. debug1: SSH2_MSG_SERVICE_ACCEPT received
    53. Be sure you are authorized to access this system!
    54. debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    55. debug1: Next authentication method: gssapi-keyex
    56. debug1: No valid Key exchange context
    57. debug1: Next authentication method: gssapi-with-mic
    58. debug1: Unspecified GSS failure.  Minor code may provide more information
    59. No Kerberos credentials available (default cache: KEYRING:persistent:700)
    61. debug1: Unspecified GSS failure.  Minor code may provide more information
    62. No Kerberos credentials available (default cache: KEYRING:persistent:700)
    64. debug1: Next authentication method: publickey
    65. debug1: Trying private key: /home/chroot/.ssh/id_rsa
    66. debug1: Trying private key: /home/chroot/.ssh/id_dsa
    67. debug1: Trying private key: /home/chroot/.ssh/id_ecdsa
    68. debug1: Trying private key: /home/chroot/.ssh/id_ed25519
    69. debug1: Next authentication method: password
    70. mysftp@192.168.11.81's password: 
    71. debug1: Authentication succeeded (password).
    72. Authenticated to 192.168.11.81 ([192.168.11.81]:22222).
    73. debug1: channel 0: new [client-session]
    74. debug1: Requesting no-more-sessions@openssh.com
    75. debug1: Entering interactive session.
    76. debug1: pledge: network
    77. debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    78. debug1: Sending environment.
    79. debug1: Sending env LANG = en_US.UTF-8
    80. debug1: Sending subsystem: sftp
    81. Connected to 192.168.11.81.
    82. sftp> ls
    83. test  
    84. sftp> pwd
    85. Remote working directory: /
    86. sftp> lls
    87. sftp> lpwd
    88. Local working directory: /home/chroot
    89. sftp> cd /home
    90. Couldn't stat remote file: No such file or directory
    91. sftp> cd /data
    92. Couldn't stat remote file: No such file or directory
    93. sftp> ls
    94. test  
    95. sftp> lpwd
    96. Local working directory: /home/chroot
    97. sftp> lls
    98. sftp>

    设置多用户权限和锁定家目录

    1. PidFile /var/run/sftpd.pid
    2. Subsystem sftp internal-sftp
    3. Match Group sftp
    4. X11Forwarding no
    5. AllowTcpForwarding no
    6. ForceCommand internal-sftp
    7. ChrootDirectory /data/sftp/%u
    8. Match User riyimei
    9. X11Forwarding no
    10. AllowTcpForwarding no
    11. ForceCommand internal-sftp
    12. ChrootDirectory /data/sftp/riyimei
    13. Match User liwm
    14. X11Forwarding no
    15. AllowTcpForwarding no
    16. ForceCommand internal-sftp
    17. ChrootDirectory /data/sftp/riyimei
    18. [root@n9e riyimei]#