SFTP: change the default directory

user2100826
Asked: 2022-03-09 14:22:59 +0800 CST

I am setting up SFTP for a group of users who should only have SFTP access, so that they can upload files to the server. I have chrooted them into their own home directories and blocked shell login. Each home directory has a subfolder for receiving uploads. I want the SFTP connection to change into this upload folder automatically at login. Pretty standard.

I am using the ForceCommand directive to achieve this successfully on an old server. However, on the new server I am currently preparing, this does not work. Why?

/etc/ssh/sshd_config.d/sftpgroup.conf
Match Group ftpgroup
  # The following two directives force ftpgroup to become chrooted
  # and only have SFTP available. No other chroot setup is required.
  ChrootDirectory /home/ftp_users/%u
  ForceCommand internal-sftp -u 0002
  # For additional paranoia, disallow all types of port forwardings.
  AllowTcpForwarding no
  GatewayPorts no
  X11Forwarding no
  # Force local logging
  ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
  # Change default directory to ~/upload
  ForceCommand cd /upload
/var/log/auth.log with LogLevel DEBUG3
Mar  9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method none [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: attempt 0 failures 0 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 8 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 8
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow
Mar  9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config reprocess config len 383
Mar  9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/sftpgroup.conf len 228
Mar  9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup,!sftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar  9 15:18:03 MyServer sshd[393644]: debug1: user myuser does not match group list ftpgroup,!sftpgroup at line 4
Mar  9 15:18:03 MyServer sshd[393644]: debug3: match not found
Mar  9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar  9 15:18:03 MyServer sshd[393644]: debug1: user myuser matched group list ftpgroup at line 9
Mar  9 15:18:03 MyServer sshd[393644]: debug3: match found
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:12 setting ChrootDirectory /home/ftp_users/%u
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:13 setting ForceCommand internal-sftp -u 0002
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:15 setting AllowTcpForwarding no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:16 setting GatewayPorts no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:17 setting X11Forwarding no
Mar  9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:21 setting ForceCommand cd /upload
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 9
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 8 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: setting up authctxt for myuser [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_start_pam entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 100 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_inform_authserv entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 4 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method none [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 2.862ms, delaying 4.136ms (requested 6.998ms) [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 100
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: initializing for "myuser"
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_RHOST to "1.2.3.4"
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_TTY to "ssh"
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 100 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 4
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authserv: service=ssh-connection, style=, role=
Mar  9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 4 used once, disabling now
Mar  9 15:18:03 MyServer sshd[393644]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 51 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 2 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: Received SSH2_MSG_IGNORE [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 50 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method password [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: attempt 1 failures 0 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method password [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 12 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 12
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: password authentication accepted for myuser
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authpassword: sending result 1
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 13
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 102
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug1: do_pam_account: called
Mar  9 15:18:03 MyServer sshd[393644]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 103
Mar  9 15:18:03 MyServer sshd[393644]: Accepted password for myuser from 1.2.3.4 port 55095 ssh2
Mar  9 15:18:03 MyServer sshd[393644]: debug1: monitor_child_preauth: myuser has been authenticated by privileged process
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: Waiting for new keys
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 26
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: GOT new keys
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: user authenticated [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 7.172ms, delaying 6.825ms (requested 6.998ms) [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 102 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account returning 1 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 52 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 26 [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug3: mm_send_keystate: Finished sending state [preauth]
Mar  9 15:18:03 MyServer sshd[393644]: debug1: monitor_read_log: child log fd closed
Mar  9 15:18:03 MyServer sshd[393644]: debug3: ssh_sandbox_parent_finish: finished
Mar  9 15:18:03 MyServer sshd[393644]: debug1: PAM: establishing credentials
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: opening session
Mar  9 15:18:03 MyServer sshd[393644]: debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
Mar  9 15:18:03 MyServer sshd[393644]: pam_unix(sshd:session): session opened for user myuser(uid=1001) by (uid=0)
Mar  9 15:18:03 MyServer systemd-logind[607]: New session 530 of user myuser.
Mar  9 15:18:03 MyServer systemd: pam_unix(systemd-user:session): session opened for user myuser(uid=1001) by (uid=0)
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar  9 15:18:03 MyServer sshd[393644]: User child is on pid 393672
Mar  9 15:18:03 MyServer sshd[393672]: debug1: SELinux support disabled
Mar  9 15:18:03 MyServer sshd[393672]: debug1: PAM: establishing credentials
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/'
Mar  9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/myuser'
Mar  9 15:18:04 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar  9 15:18:04 MyServer sshd[393644]: debug3: monitor_read: checking request 113
Mar  9 15:18:04 MyServer sshd[393644]: debug3: mm_answer_audit_command entering
ssh -V

Old server:

  • OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019

New server:

  • OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021

Update

It turns out that on the old system this actually worked because of a manipulated home folder and symlinks, not because of the ForceCommand directive on that system (even though the directive was present).

ln -s /home/ftp_users/myuser /home/myuser
usermod -d /home/myuser myuser
ln -s ../upload /home/ftp_users/myuser/home/myuser

So when the user logs in and changes to ~, they land in /home/myuser, which is /upload. With the home-folder setup matched to the old system, the new system now routes correctly at login too. Somewhat hacky and definitely not ideal (I was trying to avoid it), but it "works".

So the question becomes: why doesn't ForceCommand override this? Is it executing at all? How can I tell?

linux debian sftp
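The `safely_chroot: checking` lines in the debug log above are sshd walking every component of the ChrootDirectory from / downwards; it refuses the chroot unless each component is a directory owned by root and not group- or world-writable, and it stat()s through symlinks, so a symlinked component is judged by its target. What sshd does not check is whether the user can actually write to the upload folder. The following is an added example, not part of the question and not OpenSSH code, that models that walk over a layout constructed from the question (chroot /home/ftp_users/myuser, user uid 1001 as in the auth.log) and goes beyond it with the two layouts that usually break this setup: a user-owned chroot and a group-writable one. The function names and sample layouts are this example's own; collect_entries reads the live filesystem and is meant to be run as root on the server.

```python
"""Checks an SFTP chroot layout the way sshd's safely_chroot() does (the
'safely_chroot: checking' lines in the debug log) and adds the one thing sshd
does not check: that the user can write to the upload folder. Added example,
not sshd code; function names and the sample layouts are its own."""
import os
import stat
from pathlib import PurePosixPath

def chroot_components(chroot):
    """'/', '/home', ... down to the ChrootDirectory itself, in that order."""
    path = PurePosixPath(chroot)
    return [str(p) for p in (*reversed(path.parents), path)]

def check_chroot_layout(entries, chroot, upload, user_uid):
    """entries: {abs path: (uid, st_mode, is_symlink)} as stat() reports them
    (stat follows symlinks, as sshd does). Returns a list of problems; an
    empty list means sshd would accept the chroot and the user can upload."""
    problems = []
    for comp in chroot_components(chroot):
        if comp not in entries:
            problems.append(f"{comp}: missing")
            continue
        uid, mode, is_link = entries[comp]
        if not stat.S_ISDIR(mode):
            problems.append(f"{comp}: not a directory")
        if uid != 0:
            problems.append(f"{comp}: owned by uid {uid}, sshd requires root")
        if mode & 0o022:
            problems.append(f"{comp}: group/world writable (mode {oct(mode & 0o777)})")
        if is_link:
            problems.append(f"{comp}: symlink; sshd checks the target, review it")
    up = str(PurePosixPath(chroot) / upload.lstrip("/"))  # sftp -d path is chroot-relative
    if up not in entries:
        problems.append(f"{up}: upload directory missing")
    else:
        uid, mode, _ = entries[up]
        if not stat.S_ISDIR(mode):
            problems.append(f"{up}: not a directory")
        # Owner-writable by the SFTP user is the usual layout; group- or
        # ACL-based write access would need extra modelling here.
        elif uid != user_uid or not mode & stat.S_IWUSR:
            problems.append(f"{up}: not writable by uid {user_uid}")
    return problems

def collect_entries(chroot, upload):
    """Build the entries dict from the live filesystem; run as root so every
    component can be stat()ed."""
    entries = {}
    paths = chroot_components(chroot) + [str(PurePosixPath(chroot) / upload.lstrip("/"))]
    for p in paths:
        try:
            st = os.stat(p)  # follows symlinks, as sshd does
        except FileNotFoundError:
            continue
        entries[p] = (st.st_uid, st.st_mode, os.path.islink(p))
    return entries

# Constructed layout modelled on the question: chroot /home/ftp_users/myuser
# owned by root, upload/ owned by the user (uid 1001, as in the auth.log).
D = stat.S_IFDIR
GOOD = {
    "/": (0, D | 0o755, False),
    "/home": (0, D | 0o755, False),
    "/home/ftp_users": (0, D | 0o755, False),
    "/home/ftp_users/myuser": (0, D | 0o755, False),
    "/home/ftp_users/myuser/upload": (1001, D | 0o755, False),
}
# The classic mistake: chroot directory owned by the user so uploads "just work".
USER_OWNED = {**GOOD, "/home/ftp_users/myuser": (1001, D | 0o755, False)}
# Group-writable chroot: sshd refuses it with "bad ownership or modes for chroot directory".
GROUP_WRITABLE = {**GOOD, "/home/ftp_users/myuser": (0, D | 0o775, False)}

if __name__ == "__main__":
    for name, layout in (("good", GOOD), ("user-owned", USER_OWNED),
                         ("group-writable", GROUP_WRITABLE)):
        print(name, check_chroot_layout(layout, "/home/ftp_users/myuser", "/upload", 1001))
```

On the server, `check_chroot_layout(collect_entries(chroot, "/upload"), chroot, "/upload", uid)` gives the same verdict sshd will reach at session start, before a user has to report "Connection closed".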

1 Answer

    Best Answer
    Fjor
    2022-03-15T11:47:27+08:00

    You can add the -d path option to sftp-server to change the starting directory at login. The configuration line should be:

    Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -d /upload
    

    In later versions of OpenSSH, the SFTP server functionality is available in-process, by default or with the explicit internal-sftp designator as the run command.

    @user2100826 confirmed via this post that internal-sftp and sftp-server share the same command-line options (though I could not find this stated explicitly in the relevant man pages). Consult man sftp-server to check the use of ChrootDirectory with ForceCommand or Subsystem.

    So the desired behaviour can also be configured with the following line:

    Subsystem sftp internal-sftp -l VERBOSE -d /upload
    

    Also, check this answer.

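Two sshd_config rules decide what the posted Match block actually does, and neither is visible in the answer's Subsystem lines. First, a ForceCommand inside a Match block replaces the Subsystem command for the users it matches, so for the question's configuration the -d flag has to go on the ForceCommand itself. Second, for each keyword sshd uses the first obtained value: the debug log prints "setting ForceCommand" for both line 13 and line 21 of sftpgroup.conf, but only "internal-sftp -u 0002" is applied, which is why SFTP works while the sftp-server -l VERBOSE logging line and the cd /upload line are dead (cd could never have worked anyway, since ForceCommand is run through the user's login shell and these accounts have none). The following is an added example, not OpenSSH code and not from the answer, that models those two rules over a copy of the broken block and a corrected one; the function names and both config strings are its own, and it covers only User and Group criteria.

```python
"""Model of two sshd_config rules: for each keyword the first obtained value
wins, and a keyword set in an applicable Match block overrides the global
section. Added example, not OpenSSH code; names and strings are its own."""
import re
from fnmatch import fnmatchcase

# Constructed from the Match block in the question (comments removed); line
# numbers are this string's, not those of the real sftpgroup.conf.
BROKEN = """\
Match Group ftpgroup
  ChrootDirectory /home/ftp_users/%u
  ForceCommand internal-sftp -u 0002
  AllowTcpForwarding no
  GatewayPorts no
  X11Forwarding no
  ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
  ForceCommand cd /upload
"""

# Same block with the three ForceCommand lines folded into the one sshd keeps.
# -d resolves inside the chroot: /upload is /home/ftp_users/<user>/upload.
FIXED = """\
Match Group ftpgroup
  ChrootDirectory /home/ftp_users/%u
  ForceCommand internal-sftp -u 0002 -l VERBOSE -d /upload
  AllowTcpForwarding no
  GatewayPorts no
  X11Forwarding no
"""

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")

def parse_sshd_config(text):
    """[(lineno, criteria, keyword, value)]; criteria is None in the global
    section, else [(type, [patterns])] taken from the enclosing Match line."""
    directives, criteria = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            tokens = value.split()
            if tokens == ["all"]:
                criteria = []
            elif len(tokens) % 2:
                raise ValueError(f"line {lineno}: Match needs type/pattern pairs")
            else:
                criteria = [(tokens[i].lower(), tokens[i + 1].split(","))
                            for i in range(0, len(tokens), 2)]
            continue
        directives.append((lineno, criteria, keyword, value))
    return directives

def _pattern_list_match(name, patterns):
    """Like sshd's match_pattern_list(): -1 if a negated pattern matches
    (veto), 1 if a positive pattern matches, 0 otherwise."""
    positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatchcase(name, pat[1:] if negated else pat):
            if negated:
                return -1
            positive = True
    return 1 if positive else 0

def _match_applies(criteria, conn):
    """conn = {"user": name, "groups": primary + supplementary group names}."""
    for ctype, patterns in criteria:
        if ctype == "user":
            if _pattern_list_match(conn["user"], patterns) != 1:
                return False
        elif ctype == "group":
            results = [_pattern_list_match(g, patterns) for g in conn["groups"]]
            if -1 in results or 1 not in results:  # any negated hit vetoes
                return False
        else:
            raise ValueError(f"Match criterion {ctype!r} not modelled")
    return True

def effective_options(directives, conn):
    """({keyword: (value, lineno)}, dead): dead lists directives that sshd
    parses (and logs as 'setting ...') but never applies."""
    applied, dead = {}, []
    # Pass 1: applicable Match blocks in file order; first value per keyword.
    for lineno, criteria, kw, val in directives:
        if criteria is None or not _match_applies(criteria, conn):
            continue
        if kw in applied:
            dead.append((lineno, kw, val))
        else:
            applied[kw] = (val, lineno)
    # Pass 2: globals fill in what no Match block set; a repeated global
    # keyword is dead, one overridden by a Match block is only shadowed.
    seen = set()
    for lineno, criteria, kw, val in directives:
        if criteria is None and kw not in seen:
            seen.add(kw)
            applied.setdefault(kw, (val, lineno))
        elif criteria is None:
            dead.append((lineno, kw, val))
    return applied, dead

if __name__ == "__main__":
    conn = {"user": "myuser", "groups": {"myuser", "ftpgroup"}}
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        applied, dead = effective_options(parse_sshd_config(cfg), conn)
        print(f"{label}: ForceCommand -> {applied['forcecommand']}")
        for lineno, kw, val in dead:
            print(f"  line {lineno}: {kw} {val!r} is never applied")
```

On the host itself the authoritative check is sshd's own evaluation: `sshd -t` to syntax-check, then `sshd -T -C user=myuser,host=1.2.3.4,addr=1.2.3.4 | grep -i -e forcecommand -e chrootdirectory` prints the values that connection would really get, including the single surviving ForceCommand.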
