使用MySecureShell做sftp服务器安装与配置
有些合作方需要我们提供sftp服务帐号来交换信息,linux自带的sftp开出去不是很安全,网上找了一下,发现了MySecureShell这个东东作sftp服务器非常不错。
1. 安装
下载页: http://mysecureshell.sourceforge.net/en/download.html
wget http://mysecureshell.free.fr/repository/index.php/centos/6.4/mysecureshell-1.33-1.x86_64.rpm
rpm -ivh mysecureshell-1.33-1.x86_64.rpm
2. 配置
vim /etc/ssh/sftp_config
## MySecureShell Configuration File ##
#Default rules for everybody
<Default>
GlobalDownload 0 #total speed download for all clients
# o -> bytes k -> kilo bytes m -> mega bytes
GlobalUpload 0 #total speed download for all clients (0 for unlimited)
Download 0 #limit speed download for each connection
Upload 0 #unlimit speed upload for each connection
StayAtHome true #limit client to his home
VirtualChroot true #fake a chroot to the home account
LimitConnection 100 #max connection for the server sftp
LimitConnectionByUser 50 #max connection for the account
LimitConnectionByIP 5 #max connection by ip for the account
Home /home/$USER #overrite home of the user but if you want you can use
# environment variable (ie: Home /home/$USER)
IdleTimeOut 5m #(in second) deconnect client is idle too long time
ResolveIP true #resolve ip to dns
# IgnoreHidden true #treat all hidden files as if they don't exist
# DirFakeUser true #Hide real file/directory owner (just change displayed permissions)
# DirFakeGroup true #Hide real file/directory group (just change displayed permissions)
# DirFakeMode 0400 #Hide real file/directory rights (just change displayed permissions)
#Add execution right for directory if read right is set
HideNoAccess true #Hide file/directory which user has no access
# MaxOpenFilesForUser 20 #limit user to open x files on same time
# MaxWriteFilesForUser 10 #limit user to x upload on same time
# MaxReadFilesForUser 10 #limit user to x download on same time
DefaultRights 0644 0755 #Set default rights for new file and new directory
# MinimumRights 0400 0700 #Set minimum rights for files and dirs
ShowLinksAsLinks false #show links as their destinations
# ConnectionMaxLife 1d #limits connection lifetime to 1 day
# Charset "ISO-8859-15" #set charset of computer
</Default>
#Rules only for group ftp
#<Group ftp>
# Download 25 k/s
# LogFile /var/log/sftp-server_ftp.log #Change logfile
# ExpireDate "2007-02-28 18:31:01"
#</Group>
#<Group sftp_administrator>
# IsAdmin true #can admin the server
# VirtualChroot false #you must disable chroot to have a full support of admin
# StayAtHome true
# IdleTimeOut 0
#</Group>
#<Group old_client>
# SftpProtocol 3 #force protocol SFTP
# DisableAccount true #disable account
#</Group>
#Rules only for group ftpnolimit
#<Group ftpnolimit>
# Download 0 #0 = unlimited
# IdleTimeOut 0 #no timeout
# DirFakeUser false #show real user on file/directory
# DirFakeGroup false #show real group on file/directory
# DirFakeMode 0 #show real rights on file/directory
# MaxReadFilesForUser 0 #0 = unlimited but still have the restriction MaxOpenFilesForUser
#</Group>
#<IpRange 192.168.0.1-192.168.0.5>
# ByPassGlobalDownload true #bypass GlobalDownload restriction
# ByPassGlobalUpload true #bypass GlobalUpload restriction
# Download 0
# DisableAccount false #enable account
# IdleTimeOut 0 #disable timeout
# LimitConnectionByIP 0 #no limit
#</IpRange>
#<Group trusted_users>
# Shell /bin/tcsh #give a shell access to TRUSTED clients !!!
#</Group>
#<VirtualHost *:22>
# DirFakeUser false #show real user on file/directory
# DirFakeGroup false #show real group on file/directory
# DirFakeMode 0 #show real rights on file/directory
# HideNoAccess false
# IgnoreHidden false
#</VirtualHost>
#Include /etc/my_sftp_config_file #include this valid configuration file
配置都有详细的介绍,都不解释了,可以参考官方文档: https://mysecureshell.readthedocs.org/en/latest/
3. 管理
1) 使用sftp-state启动和停止:
[root@ftp-lan sftpserver]# sftp-state help
Usage:
------
sftp-state {options} {states}
Options:
-yes : assume yes to all questions
States:
- active : wake up server
- start : same as 'active'
- shutdown : shutdown the server (but don't kill current connections)
- stop : same as 'shutdown'
- fullstop : shutdown the server (kill all connections and clean memory)
[root@ftp-lan sftpserver]# sftp-state
Server is up
[root@ftp-lan sftpserver]# sftp-state stop
Shutdown server for new connection (active connection are keeped)
Do you want to kill all users ? [YES/no] yes
[root@ftp-lan sftpserver]# sftp-state start
Server is now online.
[root@ftp-lan sftpserver]#
2) 创建与删除用户
[root@ftp-lan sftpserver]# sftp-user create test
Enter password:
[root@ftp-lan sftpserver]# sftp-user delete test
4. 测试
从其它机器上测试
[root@fft-vm-newapp-2 ~]# sftp test@172.22.2.2
Connecting to 172.22.2.2...
test@172.22.2.2's password:
sftp> ls
sftp> ls /
sftp> mkdir aaa
sftp> exit
[root@fft-vm-newapp-2 ~]# ssh test@172.22.2.2
test@172.22.2.2's password:
Shell access is disabled !Connection to 172.22.2.2 closed.
可以看到sftp连上后有chroot,并而对这个用户关闭了shell.
另外openssh本身也是可以实现chroot的,只是功能稍为差一些,MySecureShell有限制流量,并发等好多功能。可以参考: http://www.mike.org.cn/articles/centos-sftp-chroot/
