sftp 服务器外网访问设置
这个是需要在本机上设定用户名的。根据不同的用户权限。然后让不同的人来到本机上取得数据。
参考一下有用的文章:http://www.ericstockwell.com/?p=54 (强烈建议阅读此文章,别的先不用探讨了)
还有:http://superuser.com/questions/370953/how-to-not-allow-user-outside-of-home-directory-with-sftp (这是个人问的问题,他说的很通俗易懂,是我们想要的功能)
想对于ftp来说,sftp安全许多,而且,途径许多。用的ssh默认端口22传输的文件。如果更改的话,要另外指明。
是经过这样一个过程来到的。user_a, user_b, 使他们只能访问/home/user_a, /home/user_b 的各自的目录下的内容,而不能访问其他的文件夹的内容。就是说没有root权限那样的,到处查看文件,/ 等是不允许的。
所以,最简单的办法是,要在ssh.conf里面更改一些东西。在ubutnu的衍生版里面,需要先下载sshd这个东西,现在都在用openssh, 不错的东西。用后台来启动ssh服务的。
那么,下载安装完以后,我们开始
步骤。
1. 编辑/etc/ssh/sshd_config 文档
找到 Subsystem sftp 这一行,修改成
Subsystem sftp internal-sftp
再增加几行在/etc/ssh/sshd_config 的最下面
Match User user_a
ChrootDirectory %h
ForceCommand internal-sftp Match User user_b
ChrootDirectory %h
ForceCommand internal-sftp
上面的%h的意思是 当前用户的主目录。这里对user_a 的是 /home/user_a (这个在创建用户的时候有了解,具体请查看 man adduser, man usermod, chown, chmod 来操作一些用户, 文件权限 )
2. 比较重要的是用户权限问题,这个在下面的文章引用里面有介绍了。
3. 比较重要的都在下面,很详细,关于文件权限,上传,修改,删除,复写等操作,都可以这样做。跟本机差不多。所以非常方便的。
#######################################
最后还是没忍心,把原文章拿来引用了。可以直接跳过上面的所有东西,很全,全部看这个就够了。
文章出处:http://www.ericstockwell.com/?p=54
作者:Blither.
How to set up and chroot SFTP users with OpenSSH 5.1p1 in Ubuntu 8.10
(This is mostly an edited copy-and-paste from a forum post I wrote several months ago.)
I had been wanting to set up an encrypted-transaction FTP server for a while (SFTP) in a chrooted environment, so I did a few hours of half-baked-blog parsing and keyboard-pounding in order to figure this out in a way that would work consistently, even if it isn’t 100% efficient. Your noob-radar should be flashing right about now ;). Since version 4.8, openssh has had the ability to (fairly) easily chroot sftp users into a specified directory using a new sshd_config directive, ChrootDirectory. The purpose of this guide is to demonstrate how to set up a simple chrooted sftp system from square one implementing this self-contained chroot mechanism (using only openssh without the need for rssh), and how to add users under this paradigm.
(1) Installation and initial configuration
It is possible that ssh is not installed, so:
$ sudo apt-get install ssh
We need to configure the sftp subsystem to use the internal sftp module. Open
/etc/ssh/sshd_config
in a text editor (you will probably have to use “sudo”), and find the line that starts with “Subsystem sftp”. Comment out (or delete) this line, and replace it with:
Subsystem sftp internal-sftp
Save and exit your editor.
(2) User Setup
This section should be repeated for each user to whom you grant sftp-only access.
Because sftp (as included with openssh) wraps around ssh, your users are going to need system accounts. Let’s prepare a user named “johndoe” (replace “johndoe” with whatever new user account you wish). The user “johndoe” should, in this case, only be able to log in using sftp (as opposed to ssh) once we’re done.
$ sudo mkdir /home/johndoe
$ sudo useradd johndoe
We’ll have to set their home directory permissions appropriately. It’s important that root owns this and that its group ID is identical to the username, and that the permissions are set so that only root can write:
$ sudo chown root:johndoe /home/johndoe
$ sudo chmod 755 /home/johndoe
Force the normal login directory just in case:
$ sudo usermod -d /home/johndoe johndoe
Now give him a password:
$ sudo passwd johndoe
Set the new user a dummy shell (so they don’t have real shell access).
$ sudo usermod -s /bin/false johndoe
Now we need to indicate that this particular user must be jailed into their home directory. Once again, open /etc/ssh/sshd_config in a text editor, and add the following at the end of the file:
Match User johndoe
ChrootDirectory /home/johndoe
ForceCommand internal-sftp
Now, user johndoe should have read access to his home directory. Let’s give him a place to upload stuff:
$ sudo mkdir /home/johndoe/upload
$ sudo chown johndoe:johndoe /home/johndoe/upload
$ sudo chmod 755 /home/johndoe/upload
Done! Restart the ssh daemon (run this any time you want changes to become effective):
sudo /etc/init.d/ssh restart
(3) Giving SFTP users read access to some other directory
As an interesting aside, let’s say you (the sysadmin) have a common info/media/data directory you wish to share with your sftp users without actually copying all that data over (or allowing it to be edited/deleted/corrupted). We can do this by mounting it read-only somewhere in their login directory. They’re going to need a place to get to it:
$ sudo mkdir /home/johndoe/readonly
Now we mount our directory of choice (in this example, /home/sysadmin/junk/shared-data) as read-only in said folder:
$ sudo mount -r --bind /home/sysadmin/junk/shared-data /home/johndoe/readonly
It will probably help to have this happen automatically on startup. Anything added to rc.local will run as root at startup, so there is no need to indicate ’sudo’. If you have multiple users (or even just one) it helps to add something like this to /etc/rc.local (before the “exit 0″ line of course):
for user in johndoe marysue someguy
do
mount -r --bind /home/sysadmin/junk/shared-data /home/$user/readonly
done
Note: You cannot mount more than one folder/device/partition/netshare in a particular location. Doing so won’t damage anything, but the mount point will only display the object mounted last in sequence. There are other constraints which you may discover, but those are beyond the scope of this guide (and they make me drink).
×××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××
sftp 服务器外网访问设置的更多相关文章
- vsftp FTP服务器外网访问设置
引用: linux中VSFTP无法从外网访问问题! http://blog.csdn.net/zbulrush/article/details/841978 原文: FTP协议有两种工作方式:PORT ...
- ubuntu下安装mysql及外网访问设置
这么多年一直是mssql或者Oracle,mysql基本没用过,借着.net即将跨平台之际,也mysql一把.windows安装基本没啥难度,然后就是试了把linux下...结果坑不少,由于linux ...
- vs visual studio 让外网访问设置
vs2015 提供外网访问我是这么解决的 有时我们经常会用到连接外网的方式来调试自己写的莫名bug.而我们通常有两种解决方式 一.捕捉错误日志进行代码分析. 二.则是将我们的源码项目提供外网访问进行直 ...
- python restful 框架之 eve 外网访问设置
官网地址: http://python-eve.org/ 配合mongodb进行crud使用起来很方便,但是部署的时候遇到一个问题,按照官网和Deom说的,servername使用 '127.0.0. ...
- elasticsearch外网访问设置
默认情况下安装elasticsearch之后是无法进行外网访问的,可以通过设置来完成这一目的 1.更改配置文件 [***@elk01 ~]$ vim elk/config/elasticsearch. ...
- 在虚拟机发布网站,设置服务器外网访问ip端口号
这是虚机上的发布网站的网站端口号 这一步要在实机设置 做完这一步,在外网就可以访问你刚刚发布的站点了
- Aliyun搭建svn服务器外网访问报错权限配置失败错误
搭建完后所有的配置如下 [root@iZuf655czz7lmtn8v15tsjZ conf]# pwd /home/SVN/conf [root@iZuf655czz7lmtn8v15tsjZ co ...
- 2019-3-9-通过-frp-开启服务器打开本地的-ZeroNet-服务器外网访问
title author date CreateTime categories 通过 frp 开启服务器打开本地的 ZeroNet 服务器外网访问 lindexi 2019-03-09 11:47:4 ...
- mysql 设置服务器的MySQL允许远程访问/外网访问
设置服务器的MySQL允许远程访问/外网访问 https://blog.csdn.net/weixin_34232363/article/details/85889037
随机推荐
- python元类分析
刚開始接触到Python新式类中的元类的概念的时候非常是纠结了下..不知道这是个啥东西... 用下面几个定义来说明吧: (1)Python中,类也是对象..仅仅只是这样的对象比較的特殊,他用于创建别的 ...
- 关于s2sh框架关于hibernate懒加载问题的说明和解决方案
首先我们来看下面这个图,解释了一个web程序的一次请求流程! 懒加载异常的说明: 懒加载就是我们在查询一个对象时,它所有的属性是否要被查出来! 如果懒加载开启的话,session在service层就被 ...
- C#抓取AJAX页面的内容
原文 C#抓取AJAX页面的内容 现在的网页有相当一部分是采用了AJAX技术,所谓的AJAX技术简单一点讲就是事件驱动吧(当然这种说法可能很不全面),在你提交了URL后,服务器发给你的并不是所有是页面 ...
- cform 开发框架介绍
CForm是从2012年开始研发的一套灵活,易用,简单,成熟的中小型应用系统开发框架.目前已成功应用在浙江大学.温州科技职业学院.广西农业局.青岛市农业局.乐清妇保院.老博会.婚尚起义结婚网等单位. ...
- or1200于IMMU分析
以下摘录<步骤吓得核心--软-core处理器的室内设计与分析>一本书 1 IMMU结构 OR1200中实现IMMU的文件有or1200_immu_top.v.or1200_immu_tlb ...
- [翻译]如何编写GIMP插件(二)
写在前面: 本人翻译并不专业,甚至英语不好,翻译内容仅供参考.由于博主是边学边翻译,所以不能保证翻译的准确性和正确性,如果可以,请查看原版学习,本文仅作学习记录之用. <How to write ...
- Windows在结构FTPserver
同Windows8 案件,结构介绍 FTPserver脚步: 1.为Windows开启FTP功能:控制面板->程序->启用或关闭Windows功能.将下图所看到的的复选框选中 waterm ...
- js 图片点击放大功能
<!doctype html> <html lang="en"> <head> <meta charset="UTF-8&quo ...
- NodeJs技术
我的NodeJs技术总结——第一篇 既然是我的技术总结,那就是以我的技术水平为基础的,写浅了大家不要笑话,如果有错误的地方还望指正. 这第一篇就谈谈NodeJs的一些编程细节吧. 1.遍历数组 f ...
- NET 类库
NET 类库研究必备参考 扣丁格鲁 .NET 类库的强大让我们很轻松的解决常见问题,作为一个好专研的程序员,为了更上一层楼,研究CLR的基础类库实现是快速稳定的捷径. 一般场景下,采用 Reflect ...