
This is a read-only archived version of wiki.centos.org

Simple SFTP setup

This SFTP setup does not use chroot, nor does it restrict root logins.

Start from a basic installation. Then add the following packages on top of the basic install: rsync, man, openssh-clients

{{{
[root@host-172-16-1-198 ~]# reset
[root@host-172-16-1-198 ~]# cat sftp-setup.txt

}}}

We deliberately opened the sftp port; it is not clear whether this is necessary:

{{{
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
}}}
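An added check, not part of the original page, that resolves the `--dport` names in the rules above the way iptables does (through /etc/services) and confirms that the port the SFTP subsystem actually uses is accepted: `sftp` in /etc/services is the unrelated Simple File Transfer Protocol on tcp/115, whereas SFTP over OpenSSH rides on sshd's port, 22, which the preceding rule already opens. It assumes a POSIX sh with awk; `getent` is optional, with the stock /etc/services values used as a fallback.

```shell
#!/bin/sh
# Added check, not from the original page: resolve the --dport names in the
# page's rules the way iptables does (via /etc/services) and confirm that the
# port the SFTP subsystem actually uses (sshd, tcp/22) is accepted.
# Constructed copy of the INPUT rules shown on this page, iptables-save style.
PAGE_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Resolve a service name (or number) to its TCP port number. The system
# database is consulted first; the fallback table carries the stock
# /etc/services values so the result is the same on a host without getent.
svc_port() {
    port=$(getent services "$1/tcp" 2>/dev/null | awk '{ split($2, p, "/"); print p[1] }' | head -n 1)
    if [ -n "$port" ]; then
        echo "$port"
        return
    fi
    case "$1" in
        ssh)  echo 22 ;;   # OpenSSH, and with it the sftp subsystem
        sftp) echo 115 ;;  # Simple File Transfer Protocol: unrelated to SSH
        *)    echo "$1" ;; # already numeric, or unknown: pass through
    esac
}

# Print the resolved TCP destination ports the rule set ACCEPTs, in rule order.
open_tcp_ports() {
    printf '%s\n' "$1" \
      | awk '/-p tcp/ && /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' \
      | while read -r name; do svc_port "$name"; done \
      | tr '\n' ' ' | sed 's/ $//'
}

# Succeed when sshd's port (22 unless a second argument says otherwise) is
# accepted, i.e. when SFTP over SSH will get through this firewall.
sftp_port_open() {
    want=${2:-22}
    for p in $(open_tcp_ports "$1"); do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

echo "accepted tcp ports: $(open_tcp_ports "$PAGE_RULES")"   # 22 115
sftp_port_open "$PAGE_RULES" && echo "tcp/22 accepted: the sftp subsystem is reachable"
```

The `--dport sftp` rule therefore opens tcp/115, which nothing on this host listens on; the `--dport 22` rule is the one that lets SFTP clients in.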

These are the services that are running:

{{{
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
}}}

And test that it works; note that we did not change /etc/ssh/sshd_config in this example:

{{{
[root@host-172-16-1-198 ~]# sftp localhost
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#
}}}

And access over ssh:

{{{
[root@host-172-16-1-198 ~]# ssh localhost
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#
}}}

Authentication with either a key or a password works. When logging in remotely, we are not prompted for a password if a key is present; if we remove the key, we have to enter the password:

{{{
[herrold@centos-6 ~]$ # set up ssh to use a key
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:07 EDT 2012
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ # remove the key
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:33 EDT 2012
[herrold@centos-6 ~]$
}}}

Hardening measures such as TCP wrappers or tightening the iptables rules are not covered here, as they are beyond the scope of this article.

Translation of revision 2


2023-09-11 07:23