论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-07-05 11:55 |只看该作者 |倒序浏览

我们知道sftp是一个很好的使用ssh加密的secure ftp。而要架设一个好的sftp，最重要的是要创建一个安全的chroot环境。scponly就是这样一个很好的在工具。它会生成一个叫scponlyc的shell,机器上的用户如果使用这个shell就只能运行scp / sftp等命令。它能自动为用户生成一个chroot的环境，而且它对winscp这个open source for Windows的client端支持很好，与rsync、subversion、gftp兼容。下面我就介绍一下如何用scponly来安装及配置一个chroot的sftp:
   1.服务器软件环境：
   FreeBSD6.0  OpenSSH_4.2p1  OpenSSL 0.9.7e-p1  scponly-4.6

   2.scponly-4.6的下载地址：
   http://sublimation.org/scponly/

   3.安装配置 scponly
      下载源码，进行编译安装（当然，你也可以用port安装）：

      tar -zxvf  scponly-4.6.tar
      cd scponly-4.6
      ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-winscp-compat --enable-sftp-logging-compat --enable-scp-compat --enable-rsync-compat --enable-passwd-compat
         make && make install
         echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
         make jail

            Next we need to set the home directory for this scponly user.
            please note that the user's home directory MUST NOT be writeable
            by the scponly user. this is important so that the scponly user
            cannot subvert the .ssh configuration parameters.

            for this reason, a writeable subdirectory will be created that
            the scponly user can write into.

            -en Username to install [scponly]
                        larry
            -en home directory you wish to set for this user [/home/larry]
                        /data/larry
            -en name of the writeable subdirectory [incoming]

            creating  /data/larry/incoming directory for uploading files

            Your platform (FreeBSD) does not have a platform specific setup script.
            This install script will attempt a best guess.
            If you perform customizations, please consider sending me your changes.
            Look to the templates in build_extras/arch.
            - joe at sublimation dot org

            please set the password for larry:
            Changing local password for larry
            New Password:
            Retype New Password:
            if you experience a warning with winscp regarding groups, please install
            the provided hacked out fake groups program into your chroot, like so:
            cp groups /data/larry/bin/groups

HOHO~~,一个chroot的环境SFTP就已经完成了，你可以安装一个winscp的client端，用larry用户登录试一下，是不是chroot的。这个工具的优点就是它通过make jail 命令自动为你建立了一个chroot的环境，所以安装设置很方便。注意：只有/data/larry/incoming是可以存取文件的，而/data/larry/（也就是sftp上去后的/)下一其它目录是不可以写及删除文件的。

[ 本帖最后由 eagerlinuxer 于 2006-7-5 11:59 编辑 ]