Linux环境sftp搭建
一、sftp应用场景:
sftp默认使用22端口;它不是一个独立协议,而是运行在ssh连接之上的文件传输子系统(SSH File Transfer Protocol),身份认证和传输加密都由ssh完成。
对文件传输协议sftp和ftp对比如下:
1.sftp基于ssh,不需要安装,配置简单
2.sftp并不是“加了密的ftp”,而是完全通过ssh通道传输,命令、口令和文件内容都经过加密,相较于明文传输的ftp更安全
3.sftp在数据传输效率上低于ftp
二、创建sftp登录用户(sftp-user)
[root@node1 ~]# useradd -s /sbin/nologin sftp-user #创建用户sftp-user;-s /sbin/nologin 让该账号没有可用的登录shell,即使sshd配置出错或通过其他途径登录也拿不到交互shell(internal-sftp不依赖用户的shell,sftp仍可正常使用)
[root@node1 ~]# passwd sftp-user
Changing password for user sftp-user.
New password:
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.
注意:root执行passwd时,BAD PASSWORD只是警告,弱口令最终仍会被接受;这个账号会暴露在22端口上,应设置强口令,或者改用密钥认证并关闭口令登录。
三、sftp环境搭建
1.修改配置文件sshd_config,搭建sftp环境(注意文件名是sshd_config,不是sshd.conf;写错文件名只会新建一个sshd不会读取的文件,配置不会生效)
vim /etc/ssh/sshd_config
将配置文件中原有的下面这一行注释掉(外部的sftp-server程序在chroot目录里并不存在,需要换成sshd进程内实现的internal-sftp)
#Subsystem sftp /usr/libexec/openssh/sftp-server
在配置文件中添加下面内容。注意三点:Subsystem是全局指令,要写在任何Match块之前;Match块要放到文件末尾,因为从Match这一行起到文件结束(或下一个Match)之间的指令只对匹配到的用户生效,写在中间会让后面的全局指令失效;不要把括号里的中文说明写进配置文件,sshd不保证支持行尾注释,旧版本可能把行尾文字当作参数而报错。ChrootDirectory指定的目录及其全部上级目录都必须属于root且不可被组和其他用户写入,否则登录会被拒绝。可选地还可以加上AllowAgentForwarding no和PermitTunnel no进一步收紧。
Subsystem sftp internal-sftp
Match User sftp-user
    ChrootDirectory /sftp/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
(Match User后面是允许走sftp的用户名;ChrootDirectory是该用户登录后看到的根目录。)
2.sftp根目录创建(chroot目录必须属于root,权限不能让组或其他用户可写,所以根目录给root:sftp-user和755;用户真正可写的只是下面单独建的upload子目录。权限不对时的现象见后面的报错总结)
[root@node1 ~]# mkdir /sftp/
[root@node1 ~]# chown root:sftp-user /sftp
[root@node1 ~]# chmod 755 /sftp/
[root@node1 ~]# cd /sftp/
[root@node1 sftp]# mkdir upload
[root@node1 sftp]# chown sftp-user:sftp-user upload/
[root@node1 sftp]# chmod 755 upload/
3.检查配置并重启sshd(先用sshd -t做语法检查;配置有误时restart会让sshd起不来,远程操作时会把自己锁在外面)
[root@node1 ~]# sshd -t
[root@node1 ~]# systemctl restart sshd
四、sftp服务本地测试
[root@node1 ~]# cd /sftp/
[root@node1 sftp]# touch 1.txt #创建测试文件
[root@node1 sftp]# sftp sftp-user@localhost
sftp-user@localhost's password:
Connected to localhost.
sftp> ls #查看服务端根目录下的文件
1.txt
sftp> get 1.txt #将服务端文件下载至本地
Fetching /1.txt to 1.txt
sftp>lls #查看本地当前目录下的文件
a.txt 1.txt
sftp>put a.txt #上传本地文件至服务端
sftp> ls
a.txt 1.txt
五、实践报错总结:
1.sftp不能正常登录(客户端只能看到Broken pipe / Connection reset,看不出原因;真正原因要看服务端日志journalctl -u sshd或/var/log/secure,chroot目录权限不对时会记录bad ownership or modes for chroot directory)
错误示例1:
[root@node1 ~]# chown sftp-user:sftp-user /sftp
[root@node1 ~]# sftp sftp-user@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:nM7u1T6u76wQSVGDKZElZ5BLEc3UanGcHvT2M0xmJ98.
ECDSA key fingerprint is MD5:ba:f4:48:1b:96:f0:f2:0e:bc:b8:c2:95:e8:93:b8:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
(注意:这里是本机测试,所以直接回答yes;连接远程服务器时应先在服务端执行ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub核对指纹再接受,否则known_hosts里记下的可能是中间人的密钥。)
sftp-user@localhost's password:
packet_write_wait: Connection to ::1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
更改示例1:
[root@node1 ~]# chown root:sftp-user /sftp
[root@node1 ~]# sftp sftp-user@localhost
sftp-user@localhost's password:
Connected to localhost.
sftp>
错误示例2:
[root@node1 ~]# chmod 777 /sftp/
[root@node1 ~]# sftp sftp-user@localhost
sftp-user@localhost's password:
packet_write_wait: Connection to ::1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
更改示例2:
[root@node1 ~]# chmod 755 /sftp
[root@node1 ~]# sftp sftp-user@localhost
sftp-user@localhost's password:
Connected to localhost.
sftp>
2.sftp的根目录上传文件没权限(这是预期行为:chroot根目录必须属于root且不可被用户写入,所以要在它下面为用户单独建一个可写的子目录)
错误示例1:
[root@node1 ~]# chmod 755 /sftp
[root@node1 ~]# sftp sftp-user@localhost
sftp-user@localhost's password:
Connected to localhost.
sftp> put
You must specify at least one path after a put command.
sftp> put a.txt
Uploading a.txt to /a.txt
remote open("/a.txt"): Permission denied
更改示例1:
[root@node1 ~]# cd /sftp/
[root@node1 sftp]# mkdir upload
[root@node1 sftp]# chown sftp-user:sftp-user upload/
[root@node1 sftp]# chmod 755 upload/
[root@node1 sftp]# sftp sftp-user@localhost
sftp-user@localhost's password:
Connected to localhost.
sftp> lls
1.txt docker-1.12.6-71.git3e8e77d.el7.centos.x86_64.rpm flannel-0.7.1-2.el7.x86_64.rpm
anaconda-ks.cfg docker-client-1.12.6-71.git3e8e77d.el7.centos.x86_64.rpm xmrig
a.txt docker-common-1.12.6-71.git3e8e77d.el7.centos.x86_64.rpm
(注意:上面root家目录里出现了xmrig,这是常见的门罗币挖矿程序,经常由入侵者植入;如果不是自己放的,应当检查该主机是否已被入侵,而不是继续在上面开放sftp服务。)
sftp> put a.txt
Uploading a.txt to /a.txt
remote open("/a.txt"): Permission denied
sftp> cd upload
sftp> put a.txt
Uploading a.txt to /upload/a.txt
a.txt