一、升级Opensshd
1、创建临时目录
#mkdir /root/tmp
#cd /root/tmp
2、过程中要用到zlib
#wget <zlib-1.2.3.tar.gz 的官方下载地址>    //原文 URL 已丢失。请从官方站点下载，并在编译前核对官方公布的签名或校验和——下面这些包都会以 root 身份 make install，来源不可信就等于给了攻击者 root
#tar zxvf zlib-1.2.3.tar.gz
#cd zlib-1.2.3
#./configure
#make && make install
#cd ..
3、过程中要用到Openssl
#wget <openssl-0.9.8j.tar.gz 的官方下载地址>    //原文 URL 已丢失。0.9.8 系列早已停止维护，实际操作请换成仍在维护的版本，并核对官方签名/校验和后再编译
#tar zxvf openssl-0.9.8j.tar.gz
#cd openssl-0.9.8j
#./config --prefix=/usr    //注意：--prefix=/usr 会用自编译的 libssl/libcrypto 覆盖系统自带的 OpenSSL（/usr/lib），可能破坏依赖它的 rpm 软件（yum、curl 等）。如不想覆盖，可保留默认前缀 /usr/local/ssl，并在下面 OpenSSH 的 configure 里用 --with-ssl-dir 指向该目录
#make && make test && make install
#echo "<OpenSSL 实际安装的 lib 目录>" >> /etc/ld.so.conf    //原文写的是 /usr/local/openssl/lib，它既不是 --prefix=/usr 的安装位置（库已在 /usr/lib，此时无需此行），也不是默认前缀 /usr/local/ssl/lib；请按实际安装位置填写
#ldconfig
#openssl version -a
#cd ..
4、升级前先备份
#mv /etc/ssh /etc/ssh.bak    //整个升级过程请保持当前这个 root 会话不断开，并在另一个新会话验证能登录后再退出，否则 sshd 起不来就无法远程修复。另外 make install 会生成新的主机密钥，升级后请把 /etc/ssh.bak/ssh_host_* 拷回 /etc/ssh，否则客户端会报主机密钥变更
#wget <openssh-5.2p1.tar.gz 的官方下载地址>    //原文 URL 已丢失。5.2p1 早已停止维护，实际操作请换成仍在维护的版本，并核对官方签名/校验和后再编译
#tar zxvf openssh-5.2p1.tar.gz
#cd openssh-5.2p1
#./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords
#make && make install
#sshd -t    //先检查新安装的配置文件语法，通过后再重启，避免 sshd 起不来而失去远程登录
#/etc/init.d/sshd restart
#ssh -V    //查看版本用 ssh -V（sshd 没有 -v 选项，原文的 sshd -v 只是在报错的 usage 里顺带打印了版本）
OpenSSH_5.2p1, OpenSSL 0.9.8j 07 Jan 2009
二、创建限制组及用户,开启SSHD的Chroot功能
1、创建用户并更改用户目录属性。
#groupadd xian //先创建限制组（已存在则跳过），否则下一条 adduser -G 会因为组不存在而失败
#adduser -G xian test //创建test用户并附加到xian组中
#passwd test //修改test密码
#chown root /home/test //修改目录属主：sshd 要求 ChrootDirectory 及其所有上级目录都由 root 拥有
#chmod 750 /home/test //修改目录属性：且不能对组或其他人可写，否则 sshd 会拒绝登录（日志报 bad ownership or modes for chroot directory）。这样 test 无法直接在 /home/test 下写文件，需要另建一个由 test 拥有的可写子目录供上传，例如：
#mkdir /home/test/upload && chown test:test /home/test/upload && chmod 700 /home/test/upload
2、编辑/etc/ssh/sshd_config
#vim /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/sftp-server //找到此行在前面加#注释掉
在文件末尾添加以下几行（xian 对应你上面所附加组的名字。Match 块会一直作用到下一个 Match 或文件结尾，所以必须放在文件最后；sshd_config 不支持行内注释，本文中行尾的 // 说明不要一起粘贴进配置文件）
Subsystem sftp internal-sftp
Match Group xian
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
保存后先执行 sshd -t 检查语法，通过后再重启 sshd。
3、此后增加新限制用户的,只需上面第一步操作就可以了。
=========================
如果想只开放一个sftp服务器给用户,用openssh 5.0以上的版本很容易做到
openssh 新版自带一个自己实现的sftp server
internal-sftp
升级新版以后只需要:
Subsystem sftp internal-sftp
Match User sftpuser
ChrootDirectory /home/sftpuser
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
chown root.root /home/sftpuser && chmod 755 /home/sftpuser    （chroot 目录及其所有上级目录必须 root 所有且不可被组/其他人写，否则 sshd 拒绝登录；因此用户不能直接往 /home/sftpuser 里写，要另建一个由 sftpuser 拥有的子目录供上传）
key 验证的公钥照常放在 /home/sftpuser/.ssh/authorized_keys 里即可：sshd 在认证阶段、chroot 之前读取该文件，路径就是真实文件系统上的路径；.ssh 目录和 authorized_keys 需属于 sftpuser，权限分别为 700 和 600。
这样就可以实现chroot和只允许sftp。
如果只是要chroot的话,要使用户可以登录,必须在/home/sftpuser/下面准备一些文件:
The ChrootDirectory must contain the necessary files and directories to support the users’ session. For an interactive session this
requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and
tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp
server is used (see Subsystem for details).
centos增加SFTP的Chroot用户脚本
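#!/bin/bash
# Add a chroot-jailed, SFTP-only user on CentOS.
#
# First run (group or Match block missing): creates group $GROUPNAME
# (default "sftpchroot"), switches the sftp Subsystem to internal-sftp and
# appends a Match block that chroots members of the group into their home
# (ChrootDirectory %h) with TCP/X11 forwarding disabled. The new config is
# checked with `sshd -t` before sshd is reloaded; on failure the previous
# file is restored and the script aborts.
# Every run: creates the requested user (or adds an existing one to the
# group), makes the home root-owned as sshd requires for a chroot target,
# prepares ~/.ssh/authorized_keys and a user-writable ~/upload directory.
#
# Must run as root. Interactive: asks for the user name, and for the password
# of a newly created user. Modifies /etc/group, /etc/passwd,
# /etc/ssh/sshd_config and the user's home directory.
# Exit codes: 1 not root / config or setup failure, 2 missing or invalid user name.
set -euo pipefail
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

SSHD_CONFIG=/etc/ssh/sshd_config
# Override with: GROUPNAME=othergroup ./script
GROUPNAME="${GROUPNAME:-sftpchroot}"

# die MESSAGE [CODE]: print to stderr and exit (default code 1).
die() {
  printf 'Error: %s\n' "$1" >&2
  exit "${2:-1}"
}

# banner LINE...: print the lines framed by rows of '*', like the original.
banner() {
  local frame='***********************************************************************'
  printf '%s\n' "$frame" "$@" "$frame"
}

# ensure_group: create $GROUPNAME if it does not exist yet.
# getent matches the exact group name; the old `grep "$GROUPNAME" /etc/group`
# also matched any group or member whose name merely contained the string.
ensure_group() {
  if getent group "$GROUPNAME" >/dev/null; then
    banner "The GroupName: $GROUPNAME exist already!" "The next will add user into $GROUPNAME!"
  else
    groupadd "$GROUPNAME"
    banner "This group [ $GROUPNAME ] add successfully!"
  fi
}

# ensure_sshd_config: install the internal-sftp Subsystem and the chroot Match
# block once, validate, then reload sshd. Done independently of group creation
# so a group that already existed still gets the config.
ensure_sshd_config() {
  if grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+${GROUPNAME}([[:space:]]|$)" "$SSHD_CONFIG"; then
    return 0
  fi
  local backup
  backup="${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"
  cp -p -- "$SSHD_CONFIG" "$backup"
  # internal-sftp runs inside sshd, so nothing (no binaries, no /dev nodes)
  # has to be copied into the chroot. Accept both the self-built
  # (/usr/libexec) and the CentOS package (/usr/libexec/openssh) paths.
  sed -i -E 's#^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+/usr/libexec/(openssh/)?sftp-server[[:space:]]*$#Subsystem\tsftp\tinternal-sftp#' "$SSHD_CONFIG"
  if ! grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$SSHD_CONFIG"; then
    printf 'Subsystem\tsftp\tinternal-sftp\n' >> "$SSHD_CONFIG"
  fi
  # A Match block applies until the next Match or end of file, so it must be
  # appended last. Forwarding is disabled: the jail only limits file access
  # if the user cannot tunnel through sshd.
  cat >> "$SSHD_CONFIG" <<EOF
Match Group $GROUPNAME
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
  if ! sshd -t; then
    cp -p -- "$backup" "$SSHD_CONFIG"
    die "$SSHD_CONFIG failed 'sshd -t'; restored $backup and left sshd untouched"
  fi
  /etc/init.d/sshd condrestart
}

# prepare_home USER HOME: apply the ownership/modes sshd demands for a
# ChrootDirectory and set up the key file and an upload directory.
prepare_home() {
  local user=$1 home=$2
  # sshd refuses the chroot unless the directory and every parent are owned
  # by root and not group/world writable ("bad ownership or modes for chroot
  # directory"). That also means the user cannot write directly into $home.
  chown "root:$user" "$home"
  chmod 755 "$home"
  mkdir -p "$home/.ssh"
  chown "$user:$user" "$home/.ssh"
  chmod 700 "$home/.ssh"
  [[ -f "$home/.ssh/authorized_keys" ]] || touch "$home/.ssh/authorized_keys"
  chown "$user:$user" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # The only place inside the jail the user may write.
  mkdir -p "$home/upload"
  chown "$user:$user" "$home/upload"
  chmod 700 "$home/upload"
}

# add_user USER: create USER in $GROUPNAME, or add an existing USER to it
# after confirmation, then prepare the home directory.
add_user() {
  local user=$1 home answer
  if id "$user" >/dev/null 2>&1; then
    banner "$user is exist already!"
    read -r -p "Are you sure to chroot $user to $GROUPNAME ? [y or n]" answer
    [[ "$answer" == [yY] ]] || return 0
    # -a keeps the user's other supplementary groups; the old plain -G
    # replaced them all with $GROUPNAME.
    usermod -aG "$GROUPNAME" "$user"
  else
    banner "username=$user"
    useradd -m -G "$GROUPNAME" "$user"
    banner "Please set passwd for $user"
    passwd "$user"
  fi
  # Use the real home from passwd: ChrootDirectory %h resolves to that, which
  # is not necessarily /home/$user.
  home=$(getent passwd "$user" | cut -d: -f6)
  [[ -n "$home" && -d "$home" ]] || die "home directory of $user ('$home') does not exist"
  prepare_home "$user" "$home"
}

[[ "$(id -u)" -eq 0 ]] || die "You must be root to run this script, please use root to run" 1
banner "The GroupName will chrootsftp into : [$GROUPNAME]. You can change it"
ensure_group
ensure_sshd_config
read -r -p "(Please input the UserName which into $GROUPNAME to be chrooted):" user
[[ -n "$user" ]] || die "You must input UserName which will into $GROUPNAME to be chrooted!" 2
# Reject anything that is not a plain login name before it reaches
# useradd/usermod/chown and the paths built from it.
[[ "$user" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid user name: $user" 2
add_user "$user"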
Centos升级SSH到最新版本脚本
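#!/bin/bash
# Upgrade OpenSSH from source on CentOS (zlib + OpenSSL + OpenSSH), then apply
# a hardened sshd_config.
#
# Flow: install build deps -> fetch/verify/build zlib -> fetch/verify/build
# OpenSSL -> back up /etc/ssh -> fetch/verify/build OpenSSH into /usr ->
# restore the previous host keys -> rewrite sshd_config -> `sshd -t` ->
# restart sshd.
#
# Must run as root. Interactive: asks for the work directory, the listen
# port and the AllowUsers list. Any build failure aborts the script (set -e)
# instead of continuing to the next step with a half-installed tree.
#
# WARNING: OpenSSL is installed with --prefix=/usr, which replaces the
# distribution's libcrypto/libssl and can break RPM-managed software that
# links against them (yum, curl, ...). Keep that only if you accept it.
# NOTE(review): the versions below are the ones the original script used and
# are long past end-of-life; bump them (and supply checksums) before running.
set -euo pipefail
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

ZLIB_VER=1.2.5
OPENSSL_VER=1.0.0d
OPENSSH_VER=5.8p1
ZLIB_URL="http://www.zlib.net/zlib-${ZLIB_VER}.tar.gz"
OPENSSL_URL="http://www.openssl.org/source/openssl-${OPENSSL_VER}.tar.gz"
OPENSSH_URL="http://openbsd.noc.jgm.gov.ar/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VER}.tar.gz"
SSHD_CONFIG=/etc/ssh/sshd_config

# die MESSAGE: print to stderr and exit 1.
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# fetch_and_verify NAME URL
# Downloads NAME into the current directory unless already present, then
# checks it against NAME.sha256 (sha256sum -c format, e.g.
# "<hash>  NAME") that the operator placed next to it. The URLs are plain
# HTTP and the result is built and installed as root, so an unverified
# tarball is only accepted after explicit confirmation.
fetch_and_verify() {
  local name=$1 url=$2 answer
  if [[ -s "$name" ]]; then
    printf '%s [found]\n' "$name"
  else
    printf '%s not found!!!download now......\n' "$name"
    wget -c -- "$url" || die "download of $name failed"
    printf '%s download finished!\n' "$name"
  fi
  if [[ -s "$name.sha256" ]]; then
    sha256sum -c -- "$name.sha256" || die "checksum mismatch for $name"
  else
    printf 'WARNING: no %s.sha256 found; %s was NOT verified.\n' "$name" "$name" >&2
    read -r -p "Continue with the unverified tarball? [y/N] " answer
    [[ "$answer" == [yY] ]] || die "aborted: put $name.sha256 next to $name and re-run"
  fi
}

# set_sshd_opt KEY VALUE
# Sets KEY to VALUE in sshd_config by rewriting an existing (possibly
# commented) KEY line, or appending one. The old `sed 's/#Port 22/.../'`
# style silently did nothing when the default file did not contain that
# exact text.
set_sshd_opt() {
  local key=$1 value=$2
  local pat="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
  if grep -Eiq -- "$pat" "$SSHD_CONFIG"; then
    sed -i -E "s/${pat}/${key} ${value}/I" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

[[ "$(id -u)" -eq 0 ]] || die "You must be root to run this script, please use root to update!"

wd=/usr/local/src
read -r -p "Please input workdirectory, default is: [$wd] " answer
if [[ -n "$answer" ]]; then
  wd=$answer
fi
printf 'your workdirectory is %s\n' "$wd"
mkdir -p -- "$wd"

# Ask for the hardening parameters up front, before anything is touched.
# The original hard-coded "Port 123456" (not a valid port) and
# "Allowuser user1 user2" (misspelled keyword); either makes sshd refuse to
# start, which on a remote box means a lock-out.
ssh_port=22
read -r -p "sshd listen port [$ssh_port]: " answer
if [[ -n "$answer" ]]; then
  ssh_port=$answer
fi
[[ "$ssh_port" =~ ^[0-9]+$ && ssh_port -ge 1 && ssh_port -le 65535 ]] || die "invalid port: $ssh_port"

read -r -p "AllowUsers (space-separated login names allowed to ssh in; empty = no restriction): " allow_users
for u in $allow_users; do
  [[ "$u" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid user name: $u"
  id "$u" >/dev/null 2>&1 || die "user $u does not exist"
  # Password logins are disabled below, so a listed user without a key
  # cannot get in at all.
  u_home=$(getent passwd "$u" | cut -d: -f6)
  [[ -s "$u_home/.ssh/authorized_keys" ]] \
    || printf 'WARNING: %s has no %s/.ssh/authorized_keys and password login is being disabled\n' "$u" "$u_home" >&2
done

yum -y update
# perl is needed by OpenSSL's Configure, wget for the downloads.
yum -y install gcc make perl wget
cd -- "$wd"

fetch_and_verify "zlib-${ZLIB_VER}.tar.gz" "$ZLIB_URL"
tar zxf "zlib-${ZLIB_VER}.tar.gz"
( cd "zlib-${ZLIB_VER}" && ./configure && make && make install )

fetch_and_verify "openssl-${OPENSSL_VER}.tar.gz" "$OPENSSL_URL"
tar zxf "openssl-${OPENSSL_VER}.tar.gz"
( cd "openssl-${OPENSSL_VER}" && ./config --prefix=/usr && make && make test && make install )

# Timestamped backup: a fixed name would make a second run nest the new
# /etc/ssh inside the old backup instead of replacing it.
backup="/etc/ssh_bak.$(date +%Y%m%d%H%M%S)"
mv /etc/ssh "$backup"

fetch_and_verify "openssh-${OPENSSH_VER}.tar.gz" "$OPENSSH_URL"
tar zxf "openssh-${OPENSSH_VER}.tar.gz"
( cd "openssh-${OPENSSH_VER}" \
  && ./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords \
  && make && make install )

# make install generated fresh host keys; put the previous ones back so
# clients keep their known_hosts entry instead of seeing a
# "host key changed" warning. Delete this copy if you intend to rotate the
# keys and redistribute the fingerprints.
cp -p "$backup"/ssh_host_* /etc/ssh/ 2>/dev/null \
  || printf 'no previous host keys in %s; keeping the newly generated ones\n' "$backup"

set_sshd_opt Port "$ssh_port"
set_sshd_opt Protocol 2
set_sshd_opt PermitRootLogin no
set_sshd_opt PermitEmptyPasswords no
set_sshd_opt UseDNS no
set_sshd_opt PasswordAuthentication no
set_sshd_opt ChallengeResponseAuthentication no
if [[ -n "$allow_users" ]]; then
  set_sshd_opt AllowUsers "$allow_users"
fi

# Validate before restarting: with a broken config the restart leaves no
# sshd listening. On failure the old daemon keeps running and the admin can
# fix $SSHD_CONFIG from the current session.
/usr/sbin/sshd -t || die "new $SSHD_CONFIG is invalid; sshd was NOT restarted (the old daemon is still running)"
/etc/init.d/sshd restart
printf 'sshd restarted on port %s. Keep this session open, allow the port in the firewall,\n' "$ssh_port"
printf 'and confirm a fresh key-based login works before logging out.\n'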