Last modified: Sep. 11, 2009

Contents

1 - Summary
2 - Service configuration
3 - Create new group and user
4 - Create public key on workstation
5 - Configure server to use public key
6 - Sample session

1 - Summary

This guide will show how to configure OpenSSH with chrooted SFTP using public key authentication in Red Hat Enterprise Linux. This setup only allows sftp logins; it does not allow ssh access to a shell, whether the user authenticates with a public key or a password. This has been tested using OpenSSH 5.0 portable in Red Hat Enterprise Linux 4.

2 - Service configuration

Configure the SSH service. On this server the sshd configuration is located in /usr/local/etc since OpenSSH was compiled from source.

# su - root
# cd /usr/local/etc
# cp sshd_config sshd_config.original
# vi sshd_config

Make sure the following lines are in the configuration file. They allow public key and password authentication, and they chroot SFTP connections for users in the group named external. Users in the group external will only have access to their own directory under /ftp. Two points to keep in mind: AllowGroups external means sshd accepts logins only from members of that group, so any administrator who still needs a shell over ssh must be listed in AllowGroups as well (it takes several group names) or will be locked out; and every directive after the Match line belongs to that Match block, so the global settings have to come before it.

    AllowGroups external
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication yes
    PubkeyAuthentication yes
    Subsystem sftp internal-sftp
    Match Group external
        ForceCommand internal-sftp
        ChrootDirectory /ftp/%u

ForceCommand internal-sftp hands members of external to the in-process SFTP server and never starts a shell, which is why the accounts below can have /sbin/nologin as their login shell. OpenSSH also requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group, and refuses the login otherwise; that is why /ftp and /ftp/user stay root-owned with mode 755 and the user gets a separate writable Uploads directory inside the chroot.

# service sshd restart
Stopping sshd:[ OK ]
Starting sshd:[ OK ]

3 - Create new group and user

Create the new group and user along with the directory permissions. These commands will be run as the root user. Password expiration is disabled since the users don't have ssh access to a shell and could never be prompted to change an expired password. The user's home directory is set to /, so after login the chroot shows up as /. With this setup the user has read access to the chroot directory and full access to the Uploads directory.

# groupadd external
# cd /
# mkdir /ftp
# chown -R root:root /ftp
# chmod -R 755 /ftp
# useradd -c 'Test User' -G external -M -s /sbin/nologin user
# chage -m 0 -M 99999 -I -1 -E -1 -W 7 user
# passwd user
Changing password for user user.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# usermod -d / user
# mkdir /ftp/user
# mkdir /ftp/user/.ssh
# mkdir /ftp/user/Uploads
# chown -R user:user /ftp/user/.ssh
# chown -R user:user /ftp/user/Uploads
# chmod -R 777 /ftp/user/Uploads

Uploads is owned by user, so mode 700 or 755 is enough for that user to write there; 777 additionally lets every other local account write into the directory and is not needed for the chroot to work.

4 - Create public key on workstation

Create a key pair on the client workstation. We will create an RSA key and not give the key a passphrase in this example; a key without a passphrase is only as well protected as the file it sits in, so restrict access to that file accordingly.

# cd ~
# ssh-keygen -q -b 4096 -t rsa
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Next, get the public key (/home/user/.ssh/id_rsa.pub) to the server.

5 - Configure server to use public key

Stay as the root user and copy the public key to the following locations and set the permissions.

# mkdir /.ssh
# cat id_rsa.pub >> /.ssh/authorized_keys
# chmod 644 /.ssh/authorized_keys
# cat id_rsa.pub > /ftp/user/.ssh/authorized_keys
# chown -R user:user /ftp/user/.ssh/authorized_keys
# chmod 400 /ftp/user/.ssh/authorized_keys

sshd reads AuthorizedKeysFile during authentication, before it enters the chroot, and resolves the relative path against the account's home directory, which is / for this user. The file it actually consults is therefore /.ssh/authorized_keys on the real filesystem; the copy in /ftp/user/.ssh is only what the user sees after logging in. Because every account created this way has / as its home directory, all of them share /.ssh/authorized_keys, and a key appended there authenticates any of them. Keep that file root-owned and control who may append to it, or give each account its own file with a per-user AuthorizedKeysFile path (the %u token is expanded to the user name).

6 - Sample session

From the client workstation test out sftp using the account that was just created on the server. The cd .. that leaves the working directory at / shows the chroot is in effect, and the owner and group columns are numeric because the chroot contains no /etc/passwd or /etc/group to resolve them.

# sftp user@server.test.com
Connecting to server.test.com...
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING AND AUDITING.
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
sftp> ls -la
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 .
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 ..
drwxr-xr-x    2 520      522          4096 Sep 11 16:07 .ssh
drwxrwxrwx    2 520      522          4096 Sep 11 15:42 Uploads
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> ls -la .ssh
drwxr-xr-x    2 520      522          4096 Sep 11 16:07 .
drwxr-xr-x    4 0        0            4096 Sep 11 15:42 ..
-r--------    1 520      522           753 Sep 11 16:07 authorized_keys
sftp> bye
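The two things this whole procedure depends on are enforced silently by sshd: the Match block must carry both ForceCommand internal-sftp and ChrootDirectory, and every directory on the ChrootDirectory path must be root-owned with no group or world write bit, or the login is refused with nothing more than a closed connection on the client side. The following audit script is an added example written for this edit, not part of the original guide. It assumes a stat(1) that supports -c (GNU coreutils or busybox), takes the group name external and the /ftp/user layout from the guide, and the function names (chroot_component_ok, check_chroot_path, sshd_config_sftp_ok, audit) are this example's own.

```shell
#!/bin/sh
# Added example: audit a chrooted-SFTP sshd setup of the kind built in this guide.
# Assumes stat(1) with -c (GNU coreutils / busybox). Group and path names below
# are taken from the guide; change them for another server.

# chroot_component_ok UID MODE
# A ChrootDirectory path component is acceptable only when it is owned by
# root (uid 0) and has neither the group nor the world write bit set.
# MODE is octal as printed by `stat -c %a` (e.g. 755, 1777).
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # The leading 0 forces octal; 022 masks the group and world write bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to / and fails on the first component sshd would reject,
# printing the offending directory so the fix is obvious.
check_chroot_path() {
    p=$1
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        mode=$(stat -c '%a' "$p") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "rejected: $p is uid=$uid mode=$mode (need root-owned, no group/world write)" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# sshd_config_sftp_ok FILE GROUP
# Passes when FILE has a global "Subsystem sftp internal-sftp" and a
# "Match Group GROUP" block that sets both ForceCommand internal-sftp and
# ChrootDirectory. Everything after the first Match line belongs to some
# Match block, so global directives only count before it.
sshd_config_sftp_ok() {
    awk -v grp="$2" '
        tolower($1) == "match" {
            seen = 1
            inmatch = (tolower($2) == "group" && $3 == grp)
            next
        }
        !seen && tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { ss = 1 }
        inmatch && tolower($1) == "forcecommand" && $2 == "internal-sftp"            { fc = 1 }
        inmatch && tolower($1) == "chrootdirectory" && $2 != ""                      { cd = 1 }
        END { exit !(ss && fc && cd) }
    ' "$1"
}

# audit CONFIG GROUP CHROOTDIR -- runs both checks for one account's chroot.
audit() {
    cfg=$1
    grp=$2
    dir=$3
    if ! sshd_config_sftp_ok "$cfg" "$grp"; then
        echo "$cfg: Match Group $grp block is missing Subsystem/ForceCommand/ChrootDirectory" >&2
        return 1
    fi
    check_chroot_path "$dir" || return 1
    echo "ok: members of $grp with ChrootDirectory $dir will be chrooted and forced into internal-sftp"
}

# On the server from the guide:
#   audit /usr/local/etc/sshd_config external /ftp/user
```

Run it as root after section 5 and again after any permission change; a chmod -R that strays onto /ftp/user itself is the classic way to break the login, and check_chroot_path names the component that did it.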
Reposted from: http://www.packetwatch.net/documents/guides/2009091101.php