Simple SFTP Setup
This SFTP setup does not use chroot, nor does it restrict root logins.
Start from a basic installation. Then add these packages on top of the base install: rsync, man and openssh-clients
{{{
[root@host-172-16-1-198 ~]# reset
[root@host-172-16-1-198 ~]# cat sftp-setup.txt
    5  yum install rsync man
    6  yum install openssh-clients
   11  grep sftp /etc/services
   12  cd /etc/sysconfig/
   13  joe iptables
   14  vi iptables
   15  service iptables restart
   18  passwd
   19  sftp localhost
   20  ssh localhost
   21  history > sftp-setup.txt
}}}
We deliberately opened the sftp port; it is not clear whether this is necessary:
{{{
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
}}}
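The rules above open port 22 and a port named `sftp`. The following shell script is an added example, not code from the original page: it resolves the named port the way iptables does, through /etc/services, and lists which TCP ports the rules really open. It assumes the stock CentOS 6 /etc/services entries (ssh 22/tcp, sftp 115/tcp) and works on a constructed copy of the relevant rules.

```shell
#!/bin/sh
# Added example, not from the original page: resolve the ports the iptables
# rules above actually open. iptables turns a service name such as "sftp"
# into a number via /etc/services, so we do the same against a constructed
# excerpt of that file.

# Constructed copy of the three relevant INPUT rules from the page.
RULES='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed excerpt of /etc/services as shipped on CentOS 6. The "sftp"
# entry is the old Simple File Transfer Protocol (RFC 913), not OpenSSH's
# sftp subsystem, which runs inside the SSH connection on port 22.
SERVICES='ssh             22/tcp
sftp            115/tcp'

# resolve_port NAME_OR_NUMBER: print the numeric TCP port for a service
# name; a plain number is passed through unchanged.
resolve_port() {
    case "$1" in
        *[!0-9]*)
            printf '%s\n' "$SERVICES" |
                awk -v n="$1" '$1 == n { split($2, a, "/"); if (a[2] == "tcp") { print a[1]; exit } }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# open_tcp_ports: numeric TCP ports ACCEPTed by --dport rules, space separated.
open_tcp_ports() {
    printf '%s\n' "$RULES" |
        awk '/-p tcp/ && /-j ACCEPT/ { for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }' |
        while read -r name; do resolve_port "$name"; done |
        tr '\n' ' ' | sed 's/ $//'
}

# extra_ports: opened ports other than the SSH port, the only one an
# OpenSSH sftp session needs.
extra_ports() {
    ssh_port=$(resolve_port ssh)
    for p in $(open_tcp_ports); do
        [ "$p" = "$ssh_port" ] || printf '%s\n' "$p"
    done | tr '\n' ' ' | sed 's/ $//'
}

printf 'TCP ports opened: %s\n' "$(open_tcp_ports)"          # 22 115
printf 'Not needed for OpenSSH sftp: %s\n' "$(extra_ports)"  # 115
```

The port 22 rule is the one that carries the sftp sessions tested below; the `--dport sftp` rule opens 115/tcp, on which nothing in this setup listens.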
The following services are enabled:
{{{
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
}}}
And test that it works; note that in this example we did not change /etc/ssh/sshd_config:
{{{
[root@host-172-16-1-198 ~]# sftp localhost
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#
}}}
And access via ssh:
{{{
[root@host-172-16-1-198 ~]# ssh localhost
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#
}}}
Authentication with either a key or a password works. When logging in remotely, we are not prompted for a password if a key is present. If we remove the key, we have to enter a password:
{{{
[herrold@centos-6 ~]$ # set ssh up to use a key
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:07 EDT 2012
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ # remove the key
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:33 EDT 2012
[herrold@centos-6 ~]$
}}}
Hardening measures such as wrappers or tightening the iptables rules are not covered here, as they are beyond the scope of this article.
Translation of revision 2