2015-03-08 09:48:54
Starting sshd: /etc/ssh/sshd_config: line 122: Bad configuration option: Match
/etc/ssh/sshd_config: line 126: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 2 bad configuration options
[FAILED]
Later I found a solution posted by an English-speaking user online; I tested it myself and it works, so I am recording it here:
You can run a second OpenSSH daemon, on a different port, and chroot everyone who connects to it. Here's one way to do that.
1. Create the sftp init script
Let's call it /etc/init.d/sftpod. Just because. Make sure it is root owned, with octal mode 0755. Its contents follow.
Code:
#!/bin/bash
#
# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
#
# Note that /usr/sbin/sftpod is simply a symlink to /usr/sbin/sshd;
# You are going to need to CREATE that symlink before using this script
# (sshd re-executes itself through argv[0] for each connection, so the
# name passed with "exec -a" below must exist on disk).
#
pidfile='/var/run/sftpod.pid'
case "${1}" in
    start )
        # exec -a sets argv[0] to the symlink name, so the second daemon is
        # distinguishable from the main sshd in ps output
        exec -a /usr/sbin/sftpod /usr/sbin/sshd -f /etc/ssh/sftpod_config
        ;;
    stop )
        # plain SIGTERM (not -9) lets sshd shut down cleanly and remove its pidfile
        if [ -f "${pidfile}" ]; then
            kill "$(cat "${pidfile}")"
        fi
        ;;
    restart )
        ${0} stop
        sleep 3
        ${0} start
        ;;
    * )
        echo "Usage: ${0} (start|stop|restart)"
        ;;
esac
exit 0
2. Add it to chkconfig(8) consciousness and set up the symlink the init script expects.
Code:
# chkconfig --add sftpod
# ln -s /usr/sbin/sshd /usr/sbin/sftpod
3. Create the sftp config file
Let's use the naming referred to in the init script, /etc/ssh/sftpod_config. Contents:
Code:
Port 9022
Protocol 2
AddressFamily inet
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no
PidFile /var/run/sftpod.pid
ChrootDirectory /home/chrooted
Subsystem sftp internal-sftp
4. Create your first sftp-only user
Code:
# useradd -d /nowhere -M -s /sbin/nologin baruser
# passwd baruser   ### this step is required, otherwise the user cannot log in
Enter a password here; this is the password the user types when logging in.
5. Create the chroot directory
Code:
# mkdir -p /home/chrooted && chmod 755 /home/chrooted
## the mode must be 755 and the owner must be root
6. Start the sftp service
Code:
# service sftpod start
Then I tested it with WinSCP.
First I set up key-based login, which is actually quite simple (but I wasted quite a while here: when testing password login above, the user could be created without a home directory, so in this test I likewise did not create the user's home directory, and key login kept failing; key login is easy to configure, I just had not done it for a long time and had forgotten). After key login succeeded, I ran into a few more problems:
1. User sftpuser1 not allowed because shell /bin/nologin does not exist
Cause: I had changed the user's shell from /bin/bash to /bin/nologin.
2. User sftpuser1 not allowed because account is locked
Cause: I had only created a user with a home directory and had not set a password with passwd, which caused the problem; fix it with passwd.
3. Authentication refused: bad ownership or modes for file /home/sftpuser1/.ssh/authorized_keys
Cause: wrong permissions; the file should be 644.
Then, just as for password authentication, add the following 4 lines:
## this replaces the existing "Subsystem sftp" line; sshd rejects a second definition of the same subsystem
Subsystem sftp internal-sftp
Match user sftpuser1
ForceCommand internal-sftp
## the owner of this directory must be root and its mode must be 755
ChrootDirectory /data/logs
4. When testing I used WinSCP, which takes private keys in ppk format, so id_rsa has to be converted to a ppk file; PuTTYgen does the conversion.
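The three refusals above, plus the root-owned 0755 requirement on ChrootDirectory, are all checks sshd makes before it ever looks at a password or a key, so they can be verified before the daemon is restarted. The script below is an added example, not part of the original post and not OpenSSH's own code; every path is passed as an argument so it can be run against a staging tree or a copy of /etc/shadow, it assumes GNU stat on Linux, and the account names in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a
# chrooted sftp account. Each function mirrors one failure the post hit.
# Assumes GNU stat (Linux); user names and paths are hypothetical.

# 0 if FILE has neither group nor other write bit set, which is what
# sshd's StrictModes and its ChrootDirectory check both insist on.
not_group_other_writable() {
    mode=$(stat -c '%a' "$1") || return 1
    # "0$mode" forces octal interpretation; 022 masks the g+w and o+w bits
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# ChrootDirectory must be owned by root and not writable by group/other;
# the post uses mode 0755.
check_chroot_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "chroot $dir: not a directory" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")
    [ "$owner" = root ] || { echo "chroot $dir: owned by $owner, must be root" >&2; return 1; }
    not_group_other_writable "$dir" || { echo "chroot $dir: group/other writable" >&2; return 1; }
}

# "shell /bin/nologin does not exist": sshd stat()s the login shell, so it
# must be a real executable (RHEL ships /sbin/nologin, not /bin/nologin).
check_shell_exists() {
    [ -x "$1" ] || { echo "shell $1: missing or not executable" >&2; return 1; }
}

# "account is locked": useradd leaves the shadow hash as "!!" until passwd
# is run, and sshd treats a hash starting with "!" as a locked account.
# SHADOWFILE defaults to /etc/shadow; a constructed copy can be passed instead.
check_account_unlocked() {
    user="$1"; shadow="${2:-/etc/shadow}"
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    [ -n "$hash" ] || { echo "$user: no shadow entry (or empty password)" >&2; return 1; }
    case "$hash" in
        \!*) echo "$user: account is locked (run passwd)" >&2; return 1 ;;
    esac
}

# "bad ownership or modes for file .../authorized_keys": with StrictModes,
# the home, ~/.ssh and authorized_keys must be owned by the user (or root)
# and not group/other writable; the post settles on 644 for the key file.
check_authorized_keys() {
    user="$1"; home="$2"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "$p: missing" >&2; return 1; }
        owner=$(stat -c '%U' "$p")
        [ "$owner" = "$user" ] || [ "$owner" = root ] || \
            { echo "$p: owned by $owner, not $user" >&2; return 1; }
        not_group_other_writable "$p" || { echo "$p: group/other writable" >&2; return 1; }
    done
}

# Run every check for one account; the return value is the number of failures.
preflight() {
    user="$1"; home="$2"; shell="$3"; chroot="$4"; shadow="${5:-/etc/shadow}"
    fails=0
    check_chroot_dir "$chroot"                || fails=$((fails + 1))
    check_shell_exists "$shell"               || fails=$((fails + 1))
    check_account_unlocked "$user" "$shadow"  || fails=$((fails + 1))
    check_authorized_keys "$user" "$home"     || fails=$((fails + 1))
    return "$fails"
}

# Usage with the post's own names (hypothetical account), run as root:
#   preflight sftpuser1 /home/sftpuser1 /sbin/nologin /data/logs
```

Run it as root against the live system, or hand it a copy of /etc/shadow as the fifth argument; it reports the same conditions sshd logs, in the order the post hit them, and the exit status tells a provisioning script how many remain.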
When upgrading OpenSSH I compiled with only --prefix=/usr/local/openssh, which caused errors at startup:
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
Add the --with-kerberos5=/usr/lib64/libkrb5.so parameter when compiling, otherwise the problem above occurs.
Adding --with-pam likewise solves the problem of UsePAM yes not being supported!