• Linux安装sftp服务


    处理步骤:

    1.关闭防火墙和selinux(注:这一步并非 SFTP 所必需,生产环境建议只放行 22/tcp,例如 firewall-cmd --permanent --add-service=ssh,并保持 SELinux 开启;下面按原文演示关闭)

    [root@localhost ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: inactive (dead)
         Docs: man:firewalld(1)
    [root@localhost ~]# systemctl stop firewalld
    [root@localhost ~]# systemctl disable firewalld
    [root@localhost ~]# vi /etc/sysconfig/selinux
    # 把文件中的SELINUX=enforcing 改为SELINUX=disabled
    [root@localhost ~]# setenforce 0
    setenforce: SELinux is disabled

    2.查看ssh是否已安装并启动

    [root@localhost ~]# ssh -V
    OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020
    [root@localhost ~]# systemctl status sshd
    ● sshd.service - OpenSSH server daemon
       Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2022-12-01 11:50:01 CST; 4h 26min ago
         Docs: man:sshd(8)
               man:sshd_config(5)
     Main PID: 1393 (sshd)
        Tasks: 1
       Memory: 1.8M
       CGroup: /system.slice/sshd.service
               └─1393 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

    3.新建用户组、用户和sftp目录

    1.新建目录(注意:后面 ChrootDirectory 指向的目录必须由 root 拥有,且组和其他用户不可写,否则 sshd 会拒绝该用户登录,这也是下面用 root:root 和 755 的原因)

    [root@localhost ~]# mkdir -p /data/sftp/sftpuser
    [root@localhost ~]# chown root:root /data/sftp/sftpuser
    [root@localhost ~]# chmod 755 /data/sftp/sftpuser

    2.新建用户组

    [root@localhost ~]# groupadd sftp

    3.新建用户

    [root@localhost ~]# useradd -g sftp -d /data/sftp/sftpuser -M -s /sbin/nologin sftpuser
    -g指定用户组、-d指定家目录、-s nologin 不能登录系统、-M不创建家目录
    [root@localhost ~]# echo 'xxxxx'|passwd --stdin sftpuser
    注意:明文密码出现在命令行会被记录到 shell 历史中,建议直接交互式执行 passwd sftpuser 输入密码

    4.新建sftp可写目录

    [root@localhost ~]# mkdir -p /data/sftp/sftpuser/upload
    [root@localhost ~]# chown -R sftpuser:sftp /data/sftp/sftpuser/upload
    [root@localhost ~]# chmod -R 777 /data/sftp/sftpuser/upload
    说明:upload 目录已归 sftpuser:sftp 所有,755 即可满足上传需求;777 会让本机任意用户都能写入该目录,按需收紧

    4.配置SSH和SFTP 服务器

    1.备份sshd_config配置文件并查看文件中的有效配置

    [root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    [root@localhost ~]# egrep -v '^$|^#' /etc/ssh/sshd_config
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTHPRIV
    PermitRootLogin yes
    AuthorizedKeysFile  .ssh/authorized_keys
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    PrintMotd no
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem   sftp    /usr/libexec/openssh/sftp-server

    2.修改sshd_config配置文件

    注释掉:
    Subsystem   sftp    /usr/libexec/openssh/sftp-server
    新增:
    Subsystem sftp internal-sftp
    Match Group sftp
    ChrootDirectory /data/sftp/%u
    ForceCommand internal-sftp
    # 下面两项与安全有关:禁止 TCP 端口转发和 X11 转发,避免 sftp 用户把 SSH 连接当作隧道使用
    AllowTcpForwarding no
    X11Forwarding no
    # 设置不允许SSH的X转发(注意:较老版本的 sshd 不支持行尾注释,注释请单独成行,否则 sshd 可能报 garbage at end of line)

    [root@localhost upload]# egrep -v '^$|^#' /etc/ssh/sshd_config
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTHPRIV
    PermitRootLogin yes
    AuthorizedKeysFile  .ssh/authorized_keys
    RSAAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding no
    PrintMotd no
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem sftp internal-sftp
    Match Group sftp
    ChrootDirectory /data/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

    5.重启ssh服务(重启前建议先执行 sshd -t 检查配置语法,避免配置写错导致 sshd 起不来而无法远程登录)

    [root@localhost ~]# systemctl restart sshd

    6.新建测试文件并授权

    [root@localhost upload]# echo 111 > 1.txt
    [root@localhost upload]# ll
    总用量 4.0K
    -rw------- 1 root root 4 12月  1 17:43 1.txt
    新建文件的权限受当前 umask 影响(这里为 600),sftpuser 无法读取,需要手动放宽权限(本文授权 777,实际只读取的话 644 即可)
    [root@localhost upload]# chmod 777 1.txt 
    [root@localhost upload]# ll
    总用量 4.0K
    -rwxrwxrwx 1 root root 4 12月  1 17:43 1.txt

    7.从另一台机器测试sftp可用性

    [root@centos-01 data]# sftp sftpuser@192.168.137.16
    sftpuser@192.168.137.16's password: 
    Connected to 192.168.137.16.
    sftp> ls -l
    drwxrwxrwx    2 1002     1002         4096 Dec  1 09:38 upload
    sftp> cd upload/
    sftp> ls -l
    -rwxrwxrwx    1 root     root            4 Dec  1 09:36 1.txt
    sftp> get 1.txt 
    Fetching /upload/1.txt to 1.txt
    /upload/1.txt                                                                                                         100%    4     7.4KB/s   00:00    
    sftp> exit
    [root@centos-01 ~]# ll
    -rwxr-xr-x 1 root root     4 Dec  1 17:44 1.txt

    OK!

  • 原文地址:https://blog.csdn.net/weixin_44147924/article/details/128136024