我已经按照ArchWiki和GeekStuff上的这个说明设置了一个用户,他只能通过SFTP(SSH)访问服务器,但是在他家目录的chroot环境中没有Shell( /bin/false )。
没有什么更特别的,但它根本无法正常工作,当我尝试login时,我不断得到access denied消息。这是我迄今为止所尝试的:
用户(在这里: user )是组sftp成员。 主目录是/srv/sftp/user 。 Shell通过/bin/false被禁用
用户input:
0 ✓ root@host ~ $ grep -i user /etc/passwd user:x:1002:1000::/srv/sftp/user:/bin/false
小组条目:
0 ✓ root@host ~ $ grep -i sftp /etc/group sftp:x:1000:user
用户组:
0 ✓ root@host ~ $ groups user users sftp
主目录和上面的所有目录都由root拥有:
0 ✓ root@host ~ $ ls -lsha /srv total 20K 4,0K drwxr-xr-x 6 root root 4,0K 4. Apr 17:00 ./ 4,0K drwxr-xr-x 17 root root 4,0K 4. Apr 15:08 ../ 4,0K dr-xr-xr-x 2 root ftp 4,0K 30. Sep 2015 ftp/ 4,0K drwxr-xr-x 4 root root 4,0K 4. Apr 19:30 http/ 4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 sftp/ 0 ✓ root@host ~ $ ls -lsha /srv/sftp total 12K 4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 ./ 4,0K drwxr-xr-x 6 root root 4,0K 4. Apr 17:00 ../ 4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 19:34 user/ 0 ✓ root@host ~ $ ls -lsha /srv/sftp/user total 16K 4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 19:34 ./ 4,0K drwxr-xr-x 5 root root 4,0K 4. Apr 17:00 ../ 4,0K drwxrwxr-x 6 user sftp 4,0K 4. Apr 20:28 files/ 4,0K drwxrwxr-x 2 user sftp 4,0K 4. Apr 19:33 log/
SSHDconfiguration的结尾:
0 ✓ root@host ~ $ tail -n16 /etc/ssh/sshd_config # override default of no subsystems ### Subsystem sftp /usr/lib/ssh/sftp-server Subsystem sftp internal-sftp ### This section must be placed at the very end of sshd_config # This means that all users in the 'sftp' group will be chroot'd # to their home directory, where they only will be able to run # internal SFTP processes. Match Group sftp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no PasswordAuthentication yes
SSHD状态:
0 ✓ root@host ~ $ systemctl status sshd ● sshd.service - OpenSSH Daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled) Active: active (running) since Mo 2016-04-04 23:48:58 CEST; 1 day 15h ago Main PID: 9272 (sshd) Tasks: 3 (limit: 512) CGroup: /system.slice/sshd.service ├─ 9272 /usr/bin/sshd -D ├─17597 sshd: user [priv] └─17598 sshd: user [net] [...] Apr 06 15:05:24 host sshd[17597]: Failed password for user from 93.***.***.136 port 45516 ssh2
OpenSSH版本:
0 ✓ root@host ~ $ pacman -Q openssh openssh 7.2p2-1
内核版本:
0 ✓ root@host ~ $ uname -a Linux host 4.4.5-1-ARCH #1 SMP PREEMPT Thu Mar 10 07:38:19 CET 2016 x86_64 GNU/Linux
为了确保密码确实正确,我将其更改为1234 :
0 ✓ root@host ~ $ passwd user Enter new UNIX password: 1234 Retype new UNIX password: 1234 passwd: password updated successfully
现在用sftptesting:
1 ✗ me@client ~ $ sftp -P12345 user@host user@host's password: 1234 Permission denied, please try again. user@host's password: 1234 Permission denied, please try again. user@host's password: 1234 Permission denied (publickey,password). Couldn't read packet: Connection reset by peer
这是在日志中,根本没有什么帮助:
0 ✓ root@host ~ $ journalctl -n5 Apr 06 15:34:38 host passwd[25269]: pam_unix(passwd:chauthtok): password changed for user Apr 06 15:35:26 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2 Apr 06 15:35:30 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2 Apr 06 15:35:33 host sshd[25853]: Failed password for user from 93.***.***.136 port 45834 ssh2 Apr 06 15:35:34 host sshd[25853]: Connection closed by 93.***.***.136 port 45834 [preauth]
我究竟做错了什么? 我错过了什么? 如何在没有shell访问的Archlinux服务器上创buildchroot'ed SFTP访问?
好吧,我错过的一点与壳有关。 我试图用许多手册中描述的/bin/falselogin。 但是这没有用。
正如@Jakuje指出的那样,为了testing的目的而将其改为/bin/sh允许我通过sftplogin。 欢呼! 而有趣的事实,我也不知道: internal-sftp已经阻止sshlogin。
但是,谁还想要/bin/false或/bin/nologin作为shell,最后我想到了这里。 看看/etc/shells的shell是否可用:
0 ✓ root@host ~ $ cat /etc/shells # # /etc/shells # /bin/sh /bin/bash # End of file
难怪没有工作! false和nologin没有定义! 手动添加他们为我工作:
0 ✓ root@host ~ $ cat /etc/shells # # /etc/shells # /bin/sh /bin/bash /bin/false /bin/nologin # End of file
现在,只需更改shell,用chsh :
0 ✓ root@host ~ $ chsh -s /bin/false user Changing shell for user. Shell changed.
现在, sftp在一个基于更改的环境中工作,不需要shell访问。