我想将公钥授权添加到我的 sftp chroot 目录,但我总是得到:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer
Chroot 之所以有效,是因为可以使用密码进行授权。 我在这台主机上有其他帐户,没有 chroot,它可以使用这个 key 。 我试了很多次,还是不行。
在服务器上的 auth.log 中只有: 连接被 xxx [preauth] 关闭
这是我的目录:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 .ssh
/sftp/backup/incoming/.ssh:
total 12
drwx------ 2 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 ..
-rw------- 1 backup sftpusers 391 May 3 21:06 authorized_keys
我的用户:
backup:x:1002:1003::/incoming:/usr/sbin/nologin
我的 ssh 配置:
Match Group sftpusers
ChrootDirectory /sftp/%u
AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
请帮忙。
最佳答案
我尝试了这个解决方案(将 AuthorizedKeysFile 放入 Match block 中)并且 sshd -T 提示:
/etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block
(RHEL 6.6,openssh 5.3p1-104)
解决方案:authorized_keys 文件(和用户的 .ssh 目录)必须存在于/etc/passwd 定义的主目录位置,位于 chroot 目录的外部。
例如(使用 OP 用户名/用户标识符):
/etc/密码:
backup:x:1002:1003::/home/backup:/sbin/nologin
创建目录/home/backup,归root所有
创建目录 /home/backup/.ssh,将所有权更改为备份,chmod 700/home/backup/.ssh
将 authorized_keys 文件复制到 /home/backup/.ssh,chmod 400 authorized_keys
ls -laR /home
/home:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Sep 22 2014 ..
drwxr-xr-x 3 root root 4096 Jul 9 12:25 backup
/home/backup:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .ssh
/home/backup/.ssh:
total 12
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
-r-------- 3 backup sftpusers 391 Jul 9 12:29 authorized_keys
/etc/ssh/sshd_config 变为:
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
chroot目录结构是:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
drwxr-xr-x 3 root root 4096 May 3 16:55 home
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
/sftp/backup/home:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 backup
/sftp/backup/home/backup:
total 12
drwx------ 3 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
注意:/sftp/backup/home/backup 是空的,它只是提供一个看起来像非 chroot /home/backup 的路径 - - .ssh 目录是 /home/backup/.ssh 不是 /sftp/backup/home/backup/.ssh
关于linux - sftp chroot 目录上的公钥授权,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23448900/