How do I set up an scp chroot account on Amazon Linux?

I need to set up an scp server. A vendor will upload files to it via scp (not sftp). While configuring SFTP is easy, I'm really struggling with SCP. There are some instructions and how-tos online for other operating systems. I tried to follow them, but I always get an error message:

```
scp phpinfo.php [email protected]:/subdir/
/home/abc/bin/bash: Permission denied
lost connection
```

…and there is no further hint in the logs:

```
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Accepted password for abc from 1.2.3.4 port 57248 ssh2
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session opened for user abc by (uid=0)
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Received disconnect from 1.2.3.4 port 57248:11: disconnected by user [postauth]
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Disconnected from 1.2.3.4 port 57248 [postauth]
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session closed for user abc
```

My /etc/ssh/sshd_config has been modified as follows:

```
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory %h
    # ForceCommand internal-sftp
    AllowTcpForwarding no
```

…and I think ForceCommand is not necessary if I want to allow scp access.

Permissions in the /home directory:

```
[root@ip-10-2-4-121 abc]# ls -al /home
total 16
drwxr-xr-x  4 root     root     4096 Oct  3 21:42 .
dr-xr-xr-x 25 root     root     4096 Oct  3 20:08 ..
drwx------  9 root     root     4096 Oct  3 23:12 abc
drwx------  4 ec2-user ec2-user 4096 Oct  3 21:43 ec2-user
```

I also tried to copy some dependencies, but I don't know how to find out which files have to be copied. https://www.wilderssecurity.com/threads/how-to-copy-only-needed-libraries-to-a-chroot.329486/ gave me a hint, which I have tried:

```
cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/abc
```

My directory structure under /home/abc:

```
.
├── bin
│   └── bash
├── dev
│   ├── null
│   ├── random
│   ├── tty
│   └── zero
├── etc
│   ├── group
│   ├── ld.so.cache
│   ├── ld.so.conf
│   ├── ld.so.conf.d
│   │   └── kernel-4.9.51-10.52.amzn1.x86_64.conf
│   └── passwd
├── lib
├── lib64
│   ├── ld-linux-x86-64.so.2
│   ├── libcrypto.so.10
│   ├── libcrypt.so.1
│   ├── libc.so.6
│   ├── libdl.so.2
│   ├── libfreebl3.so
│   ├── liblber-2.4.so.2
│   ├── libldap-2.4.so.2
│   ├── libnspr4.so
│   ├── libnss3.so
│   ├── libnssutil3.so
│   ├── libplc4.so
│   ├── libplds4.so
│   ├── libpthread.so.0
│   ├── libresolv.so.2
│   ├── librt.so.1
│   ├── libsasl2.so.2
│   ├── libsmime3.so
│   ├── libssl3.so
│   ├── libtic.so.5
│   ├── libtinfo.so.5
│   ├── libutil.so.1
│   └── libz.so.1
├── subdir
└── usr
    ├── bin
    │   └── scp
    ├── lib
    ├── lib64
    │   ├── libnss3.so
    │   ├── libnssutil3.so
    │   ├── libsasl2.so.2
    │   ├── libsmime3.so
    │   └── libssl3.so
    └── libexec
        └── openssh
            └── sftp-server
```

I further modified /etc/passwd:

```
...
abc:x:501:501::/home/abc:/home/abc/bin/bash
```

Any help is greatly appreciated.

I was missing some further dependencies and permissions. This is how to create a chrooted, ssh- and scp-enabled user on a blank Amazon Linux EC2 instance:

```bash
#!/bin/bash
#
# This script creates a chrooted user, scp enabled, on an Amazon Linux aws instance
#
# 2017-10-05
#
# change username and password here:
username="abc"
password="123456"

# create groups
groupadd sftp

# create chrooted user
useradd -m $username -G sftp
echo $username:$password | chpasswd

# enable password authentication in sshd (a backup of the original config is kept)
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before_chroot
sed -i -e "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config

# disable default sftp subsystem configuration in sshd
sed -e '/Subsystem sftp/ s/^#*/#/' -i /etc/ssh/sshd_config

# add sftp subsystem configuration to sshd
echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
echo "Match Group sftp" >> /etc/ssh/sshd_config
echo "    ChrootDirectory %h" >> /etc/ssh/sshd_config
echo "    AllowTcpForwarding no" >> /etc/ssh/sshd_config

# restart ssh
/etc/init.d/sshd restart

# create the chrooted directory structure
mkdir -p /home/$username/bin /home/$username/dir /home/$username/usr/bin \
         /home/$username/usr/lib64 /home/$username/usr/libexec/openssh \
         /home/$username/lib /home/$username/etc /home/$username/dev/pts

# copy all dependencies (field 3 of ldd output is the resolved library path;
# --parents recreates the host directory layout below the chroot)
cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/$username
cp --parents `ldd /bin/ls | cut -d " " -f 3` /home/$username/
cp /usr/lib64/libnss3.so /home/$username/lib64/
cp /usr/lib64/libtic.so.5 /home/$username/lib64/
cp /lib64/ld-linux-x86-64.so.2 /home/$username/lib64/
cp /usr/lib64/libssl3.so /home/$username/lib64/
cp /bin/bash /home/$username/bin/
cp /usr/bin/scp /home/$username/usr/bin/scp
cp /usr/libexec/openssh/sftp-server /home/$username/usr/libexec/openssh/
cp /bin/ls /home/$username/bin/
cp /lib64/libnss* /home/$username/lib64/
cp /usr/lib64/libnss* /home/$username/usr/lib64/
# second pass: libraries needed by anything already inside the chroot
# (search the chroot itself, not the current working directory)
cp --parents `find /home/$username -type f -exec ldd '{}' \; 2>/dev/null | awk '{print $3}' | sort | uniq | grep -v '('` /home/$username/
cp -vf /etc/{passwd,group} /home/$username/etc/
cp -r /etc/ld.so* /home/$username/etc/

# create device nodes
mknod -m 666 /home/$username/dev/null c 1 3
mknod -m 666 /home/$username/dev/tty c 5 0
mknod -m 666 /home/$username/dev/zero c 1 5
mknod -m 666 /home/$username/dev/random c 1 8
# bind mounts do not survive a reboot; add an fstab entry if it must persist
mount --bind /dev/pts /home/$username/dev/pts

# get the directory permissions right: sshd requires the ChrootDirectory itself
# (and every parent) to be owned by root and not writable by anyone else
chown -R $username:$username /home/$username/.
chmod 0755 /home/$username/bin
chmod 0666 /home/$username/.bashrc
chown root:root /home/$username
chmod 0755 /home/$username
```

https://gist.github.com/kmddevdani/b7687a74dacb250eda7b8e2f65f1c906