Configure and use FTP and SFTP in Linux

1. SFTP configuration

1. Create a dedicated SFTP user group

groupadd sftp

2. Create a directory

# This directory and every directory above it must be owned by root with permissions no greater than 755 (sshd refuses to chroot into anything else). Give the directory the sftp group.

mkdir -p /home/01-FTP/testftp
chown root:sftp /home/01-FTP/testftp
chmod 755 /home/01-FTP/testftp

3. Modify the sshd_config configuration

Back up the original sshd configuration file, then edit it:

mkdir /etc/ssh/bak
cp /etc/ssh/sshd_config /etc/ssh/bak/sshd_config_bak
vim /etc/ssh/sshd_config

Comment out the following line in sshd_config by prefixing it with #:

#Subsystem sftp /usr/libexec/openssh/sftp-server

Add the following to the end of sshd_config. A Match block must be the last thing in the file, because every directive after a Match line belongs to that block. Save and exit.

Subsystem sftp internal-sftp

# Method 1: restrict a group (recommended)
Match Group sftp
# Method 2: restrict a single user
#Match User clftp

    # Option A: confine each user to their own directory (%u is the user name)
    #ChrootDirectory /home/01-FTP/%u
    # Option B: confine every matched user to one shared directory (recommended)
    ChrootDirectory /home/01-FTP/

    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The following configuration is recommended (the post calls it the modified configuration). It also moves sshd to port 35021; note that the group list after Match Group is comma-separated:

Port 35021
Subsystem sftp internal-sftp
Match Group sftpadmins,sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Note 1: ChrootDirectory %h means that after logging in over SFTP the user's root directory is their own home directory. sshd only accepts this when the home directory and every directory above it are owned by root and not writable by group or others, so the user cannot write in the home directory itself; give them a writable subdirectory below it.
# Note 2: with the port changed, connect with
sftp -oPort=35021 [email protected]   # user@host
Enter the password to log in.

Reference: www.cnblogs.com/regit/p/848…

4. Create a dedicated directory

(The user's home directory is created under 01-FTP. The 01-FTP directory, and any directory used as a ChrootDirectory, must be owned by root with permissions no higher than 755.)

# Create a dedicated directory for uploads and downloads
mkdir -p /home/01-FTP/testftp/
# Change the owner
chown root:sftp /home/01-FTP/testftp
# Change the permissions
chmod 755 /home/01-FTP/testftp   # owner read/write/execute, group and others read only: use this when the group only needs to download
chmod 775 /home/01-FTP/testftp   # owner and group read/write: use this when the group needs to upload as well. This only works when the directory sits inside the chroot (Option B above); if it is the chroot itself (%h or %u), sshd rejects a group-writable directory, so keep 755 and create a writable subdirectory instead (step 5)
# Create the user: group sftp, this home directory, no login shell
useradd -g sftp -d /home/01-FTP/testftp -s /sbin/nologin clftp

5. Configure per account (as required)

-s /sbin/nologin blocks command-line (shell) logins for the user; SFTP still works because ForceCommand internal-sftp never starts the shell. (With the per-user variant, #ChrootDirectory /home/01-FTP/%u, each user is automatically confined to the directory named after them.)

mkdir /home/01-FTP/clftp
chown root:sftp /home/01-FTP/clftp
chmod 0755 /home/01-FTP/clftp   # only the owner (root) can write here; required when this directory is the chroot
chmod 0775 /home/01-FTP/clftp   # owner and group can write; only acceptable when the chroot is a directory above this one
# Create the user
useradd -g sftp -d /home/01-FTP/clftp -s /sbin/nologin clftp01

You can also create a separate upload/download directory inside it; this is where the user actually writes, so it is owned by the user created above:
mkdir /home/01-FTP/clftp/upload
chown -R clftp01:sftp /home/01-FTP/clftp/upload

6. Restart the service for the configuration to take effect

# On releases that use SysV init scripts
service sshd restart
# On systemd-based releases
systemctl restart sshd.service

Keep the current SSH session open until a new login has succeeded: a mistake in the Match block can lock every user out.
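The six steps above, as an added shell example that is not part of the original post: it generates the sshd Match block for an SFTP-only group, checks the ownership and permission rule that sshd enforces on a ChrootDirectory and all of its parents, provisions a user with a root-owned chroot and a writable upload subdirectory, and syntax-checks sshd_config before restarting. It assumes Linux with GNU coreutils (stat -c) and an OpenSSH sshd that provides internal-sftp; the group, user and path names are the ones used in the post, and the provisioning and apply functions need root.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Linux (GNU stat)
# and OpenSSH with internal-sftp. provision_sftp_user/apply_sftp_config
# must run as root; the other two functions are safe to run anywhere.
set -eu

# Emit the sshd_config fragment for an SFTP-only group. Match blocks must be
# the last thing in sshd_config: every directive after a Match line belongs
# to that block. The old "Subsystem sftp .../sftp-server" line must already
# be commented out.
sftp_match_block() {      # sftp_match_block GROUP CHROOT_DIR
    group=$1; chroot=$2
    cat <<EOF
Subsystem sftp internal-sftp
Match Group ${group}
    ChrootDirectory ${chroot}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless it and every directory above it are
# owned by root and not writable by group or others. Walk from PATH up to
# BASE (default /) and report the first violation. OWNER_UID defaults to 0
# (root); another uid only makes sense for a dry run on a scratch tree.
check_chroot_path() {     # check_chroot_path PATH [BASE] [OWNER_UID]
    path=$1; base=${2:-/}; owner=${3:-0}
    dir=$path
    while :; do
        set -- $(stat -c '%u %A' -- "$dir")      # uid and symbolic mode
        if [ "$1" != "$owner" ]; then
            printf 'BAD: %s is owned by uid %s, expected %s\n' "$dir" "$1" "$owner" >&2
            return 1
        fi
        case $2 in                                # 6th char = group w, 9th = other w
            ?????w*|????????w*)
                printf 'BAD: %s mode %s is group/other writable\n' "$dir" "$2" >&2
                return 1 ;;
        esac
        [ "$dir" = "$base" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
    printf 'OK: %s and its parents up to %s are uid %s and not group/other writable\n' \
        "$path" "$base" "$owner"
}

# Steps 2, 4 and 5 of the post in one place (run as root): root-owned 755
# chroot, a writable upload/ subdirectory owned by the user, no login shell.
provision_sftp_user() {   # provision_sftp_user USER GROUP CHROOT_DIR
    user=$1; group=$2; chroot=$3
    getent group "$group" >/dev/null || groupadd "$group"
    mkdir -p "$chroot/upload"
    chown root:"$group" "$chroot"
    chmod 755 "$chroot"
    useradd -g "$group" -d "$chroot" -s /sbin/nologin "$user"
    passwd "$user"
    chown "$user":"$group" "$chroot/upload"
    chmod 775 "$chroot/upload"
    check_chroot_path "$chroot"
}

# Append the block, syntax-check the result and only then restart. Keep the
# current SSH session open until a fresh login succeeds.
apply_sftp_config() {     # apply_sftp_config GROUP CHROOT_DIR
    sftp_match_block "$1" "$2" >> /etc/ssh/sshd_config
    sshd -t                        # a bad Match block would lock everyone out
    systemctl restart sshd
}
```

Usage on the server: provision_sftp_user clftp sftp /home/01-FTP/testftp, then apply_sftp_config sftp /home/01-FTP. With the shared chroot (/home/01-FTP) the user lands at the chroot root because their home path does not exist inside it, and they can see the other users' directories; with ChrootDirectory %h run check_chroot_path on each home directory instead, since that directory then has to satisfy the root-owned rule itself.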

2. VSFTPD (FTP configuration)

The settings in this section only restrict FTP logins handled by vsftpd; they have no effect on SFTP logins, which sshd handles as configured above.

1. Install vsftpd

It is usually installed by default; on a minimal installation, install it with yum and start the service:

# Install
yum install vsftpd
# Start
systemctl start vsftpd

2. Configuration details

The vsftpd configuration file is /etc/vsftpd/vsftpd.conf.

attribute | values | meaning
anonymous_enable | YES/NO | Whether anonymous users may log in. If the setting is absent the compiled-in default is YES, so set it to NO explicitly.
local_enable | YES/NO | Whether local system users may log in.
write_enable | YES/NO | Whether any FTP command that writes (upload, delete, rename, mkdir) is allowed.
local_umask | octal | umask for files created by local users; defaults to 077 if absent, commonly set to 022.
anon_upload_enable | YES/NO | Whether anonymous users may upload. Requires write_enable=YES and write permission on the target directory.
anon_mkdir_write_enable | YES/NO | Whether anonymous users may create directories.
dirmessage_enable | YES/NO | Show a message to the remote user when entering a directory.
xferlog_enable | YES/NO | Whether to log uploads and downloads.
connect_from_port_20 | YES/NO | Whether active-mode data connections originate from port 20 on the server.
chown_uploads | YES/NO | Whether anonymously uploaded files are chowned to chown_username.
chown_username | valid user name | The owner given to anonymously uploaded files.
xferlog_file | valid path | Location of the transfer log; default /var/log/xferlog.
xferlog_std_format | YES/NO | Whether to use the standard ftpd xferlog format.
idle_session_timeout | number | Seconds an idle control connection may stay open.
data_connection_timeout | number | Maximum seconds to wait for a data transfer (data_connection_timeout and idle_session_timeout apply at the same time).
nopriv_user | valid user name | Unprivileged user vsftpd runs as where it does not need root.
async_abor_enable | YES/NO | Whether asynchronous ABOR requests are supported.
ascii_upload_enable | YES/NO | Whether ASCII mode is allowed for uploads.
ascii_download_enable | YES/NO | Whether ASCII mode is allowed for downloads.
ftpd_banner | text | Custom login banner.
deny_email_enable | YES/NO | Anonymous logins supply an e-mail address as the password; when enabled, addresses listed in banned_email_file are refused.
banned_email_file | valid file | File of banned e-mail addresses used when deny_email_enable=YES.
chroot_local_user | YES/NO | Whether all local users are locked into their home directory. With NO, users can change to other directories.
chroot_list_enable | YES/NO | Whether a list of exception users is consulted.
chroot_list_file | valid file | The exception list; how it combines with chroot_local_user and chroot_list_enable is shown in the table below.
allow_writeable_chroot | YES/NO | Whether a chrooted user may have write permission on the chroot root itself. With NO (the default) vsftpd refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when the root is writable.
ls_recurse_enable | YES/NO | Whether "ls -R" is allowed; recursive listings are expensive.
listen | YES/NO | With YES, vsftpd runs standalone and listens on an IPv4 socket (listen and listen_ipv6 cannot both be YES).
listen_ipv6 | YES/NO | Listen on an IPv6 socket instead.
pam_service_name | name | Name of the PAM service file, i.e. /etc/pam.d/vsftpd. That file references file=/etc/vsftpd/ftpusers, so accounts listed in /etc/vsftpd/ftpusers are blocked by PAM.
userlist_enable | YES/NO | Whether the user_list file is used to control logins.
userlist_deny | YES/NO | Whether users in user_list are denied (YES) or are the only ones allowed (NO). Only meaningful when userlist_enable=YES.
tcp_wrappers | YES/NO | Whether tcp_wrappers host access control is used.
max_clients | number | Maximum simultaneous connections.
max_per_ip | number | Maximum connections from one client IP.
local_root | valid directory | Directory local users land in after login.
anon_root | valid directory | Directory anonymous users land in after login.
user_config_dir | valid directory | Directory of per-user configuration files, each named after the user.

The combined effect of chroot_local_user and chroot_list_enable is as follows (the users listed in chroot_list_file are always the "exception" to what chroot_local_user says):

                        chroot_local_user=YES                                   chroot_local_user=NO
chroot_list_enable=YES  1. All users are locked into their home directory.      1. No user is locked into their home directory.
                        2. The users listed in chroot_list_file                 2. The users listed in chroot_list_file
                           (/etc/vsftpd/chroot_list) are the exception:            (/etc/vsftpd/chroot_list) are the exception:
                           they are NOT restricted.                                 they ARE locked into their home directory.
chroot_list_enable=NO   1. All users are locked into their home directory.      1. No user is locked into their home directory.
                        2. chroot_list_file is ignored: no exceptions.          2. chroot_list_file is ignored: no exceptions.

3. Configure an FTP root directory for each system user

Add the following to the end of /etc/vsftpd/vsftpd.conf:

# Root directory of local users after login
local_root=/home/01-FTP/conlinftp/
# Root directory of anonymous users after login
anon_root=/home/01-FTP/conlinftp/
# Directory holding the per-user configuration files
user_config_dir=/etc/vsftpd/userconfig/

Also set chroot_local_user to YES so that FTP users are locked into their root directory immediately after login. With the settings above, both local users and anonymous users see /home/01-FTP/conlinftp/ as their root and are confined to it. Those settings apply to all local and anonymous users, though; to give each FTP user its own root directory, create one configuration file per user:

  • Following the user_config_dir setting, first create the directory /etc/vsftpd/userconfig.
  • Suppose user clftp is to get the separate FTP root /home/01-FTP/conlinftp/. Create a file named clftp (the user name) in the userconfig directory with the following content:
local_root=/home/01-FTP/conlinftp/
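The chroot rules from the two tables above and the local_root setup, as an added shell example that is not part of the original post: it prints a hardened baseline vsftpd.conf, decides for a given user whether vsftpd will lock them into their root directory from the chroot_local_user / chroot_list_enable / chroot_list_file combination, and flags the settings that weaken or disable the chroot. It assumes the usual key=value vsftpd.conf syntax; the configuration files and user names in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes plain key=value
# vsftpd.conf files; the paths passed in are whatever the caller supplies.
set -eu

# Value of KEY in CONF, or DEFAULT when the key is absent or commented out
# (a commented line starts with #, so "^KEY=" does not match it).
conf_get() {              # conf_get CONF KEY DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s' "${val:-$3}"
}

# Baseline for local-user-only FTP: no anonymous access, every user locked
# into local_root, chroot root not writable, user_list as an explicit allow
# list instead of the default deny list.
hardened_vsftpd_conf() {  # hardened_vsftpd_conf LOCAL_ROOT
    cat <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
local_root=$1
xferlog_enable=YES
pam_service_name=vsftpd
listen=YES
listen_ipv6=NO
EOF
}

# Exit status 0 when USER is locked into its root after login, 1 when not.
# vsftpd defaults: chroot_local_user=NO, chroot_list_enable=NO,
# chroot_list_file=/etc/vsftpd.chroot_list (CentOS's sample config points it
# at /etc/vsftpd/chroot_list instead).
user_is_chrooted() {      # user_is_chrooted CONF USER
    conf=$1; user=$2
    all=$(conf_get "$conf" chroot_local_user NO)
    use_list=$(conf_get "$conf" chroot_list_enable NO)
    list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if [ "$use_list" = YES ] && [ -r "$list" ] && grep -qx -- "$user" "$list"; then
        listed=yes
    fi
    # listed users are the exception to whatever chroot_local_user says
    if [ "$all" = YES ]; then
        [ "$listed" = no ]
    else
        [ "$listed" = yes ]
    fi
}

# Print one line per setting that weakens or disables the chroot; print
# nothing for a hardened configuration.
audit_vsftpd_conf() {     # audit_vsftpd_conf CONF
    conf=$1
    if [ "$(conf_get "$conf" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable is YES (also the compiled-in default when unset): anonymous logins are on"
    fi
    if [ "$(conf_get "$conf" chroot_local_user NO)" != YES ]; then
        echo "chroot_local_user is not YES: users outside chroot_list can browse the whole filesystem"
    fi
    if [ "$(conf_get "$conf" allow_writeable_chroot NO)" = YES ]; then
        echo "allow_writeable_chroot=YES: users may write to their chroot root; use a writable subdirectory instead"
    fi
    if [ "$(conf_get "$conf" anon_upload_enable NO)" = YES ] \
       || [ "$(conf_get "$conf" anon_mkdir_write_enable NO)" = YES ]; then
        echo "anonymous users may upload or create directories"
    fi
    if [ "$(conf_get "$conf" userlist_enable NO)" = YES ] \
       && [ "$(conf_get "$conf" userlist_deny YES)" = YES ]; then
        echo "userlist_deny=YES: user_list is a deny list; userlist_deny=NO turns it into an explicit allow list"
    fi
}
```

Run audit_vsftpd_conf /etc/vsftpd/vsftpd.conf before restarting vsftpd, and user_is_chrooted /etc/vsftpd/vsftpd.conf clftp to confirm that a user will actually be confined; per-user files in user_config_dir can still change local_root but not the chroot decision itself.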

4. After logging in to vsftpd on CentOS, files are not shown and folders cannot be created

On CentOS this is usually SELinux blocking vsftpd from reading or writing the directory.

Check the FTP-related booleans:
getsebool -a | grep ftp

# Output (these are the CentOS 6 names; CentOS 7 and later use the same booleans without the allow_ prefix, e.g. ftpd_full_access, and still accept the old names as aliases):
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> on      # needed to create files and folders
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> on

Turn the needed boolean on with:
setsebool allow_ftpd_full_access=1
# Make it permanent across reboots
setsebool -P allow_ftpd_full_access on

ftpd_full_access lets vsftpd read and write everything its Unix permissions allow; if users only need their home directories, the narrower ftp_home_dir boolean is enough, and the other booleans in the list should stay as they are.

5. Login failed

1. First check the account, password and other settings. If they are correct and the login still fails with

530 Login incorrect.
Login failed.

# 2. The first three causes can be found on Baidu; this is the fourth one, because I could not find my problem there.
# 3. Run cat /etc/passwd and check the home directory and login shell of the account.
# Fields: user name:password:UID:GID:comment:home directory:login shell
# 4. Check whether that login shell appears in /etc/shells. On CentOS /etc/pam.d/vsftpd includes pam_shells, which rejects any account whose shell is not listed there; this is exactly the case for the /sbin/nologin users created above.
vim /etc/shells
# 5. Add /sbin/nologin, save and exit
cat /etc/shells
# The result is as follows
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/bin/tcsh
/bin/csh
/bin/ksh
/bin/rksh
/sbin/nologin

# 6. The easiest way is to append the line directly (the original used echo -e "\n/sbin/nologin", which also inserts an empty line)
echo /sbin/nologin >> /etc/shells

Listing /sbin/nologin in /etc/shells also makes it an acceptable shell for chsh and for every other service that uses pam_shells. The alternative that leaves /etc/shells unchanged is to remove the pam_shells line from /etc/pam.d/vsftpd.
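The checks behind a "530 Login incorrect", as an added shell example that is not part of the original post: it applies, in order, the tests the CentOS /etc/pam.d/vsftpd stack and vsftpd's own user list make at login (account exists, shell listed in /etc/shells for pam_shells, account absent from /etc/vsftpd/ftpusers for pam_listfile, user_list allows it), and fixes the /etc/shells case idempotently. The *_FILE variables default to the real paths; the self-test points them at constructed files. It assumes a CentOS-style vsftpd PAM configuration.

```shell
#!/bin/sh
# Added example, not from the original post. File locations come from the
# environment so the logic can be dry-run against copies of the real files.
set -eu

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}
FTPUSERS_FILE=${FTPUSERS_FILE:-/etc/vsftpd/ftpusers}
VSFTPD_CONF=${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}

# Value of KEY in CONF, or DEFAULT when the key is absent or commented out.
conf_get() {              # conf_get CONF KEY DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s' "${val:-$3}"
}

# Print one reason per line why USER cannot log in to vsftpd; print nothing
# and return 0 when every check passes.
why_ftp_login_fails() {   # why_ftp_login_fails USER
    user=$1; reasons=0
    entry=$(grep "^$user:" "$PASSWD_FILE" || true)
    if [ -z "$entry" ]; then
        echo "no such account in $PASSWD_FILE"
        return 1
    fi
    shell=${entry##*:}                          # 7th passwd field: login shell
    if ! grep -qx -- "$shell" "$SHELLS_FILE"; then
        echo "shell $shell is not listed in $SHELLS_FILE: pam_shells rejects the login"
        reasons=$((reasons + 1))
    fi
    if [ -r "$FTPUSERS_FILE" ] && grep -qx -- "$user" "$FTPUSERS_FILE"; then
        echo "$user is listed in $FTPUSERS_FILE: pam_listfile denies it"
        reasons=$((reasons + 1))
    fi
    if [ "$(conf_get "$VSFTPD_CONF" userlist_enable NO)" = YES ]; then
        # CentOS ships the list as /etc/vsftpd/user_list; upstream's default
        # is /etc/vsftpd.user_list
        list=$(conf_get "$VSFTPD_CONF" userlist_file /etc/vsftpd/user_list)
        deny=$(conf_get "$VSFTPD_CONF" userlist_deny YES)
        listed=no
        [ -r "$list" ] && grep -qx -- "$user" "$list" && listed=yes
        if [ "$deny" = YES ] && [ "$listed" = yes ]; then
            echo "$user is in $list and userlist_deny=YES"
            reasons=$((reasons + 1))
        elif [ "$deny" = NO ] && [ "$listed" = no ]; then
            echo "$user is not in $list and userlist_deny=NO (allow list)"
            reasons=$((reasons + 1))
        fi
    fi
    [ "$reasons" -eq 0 ]
}

# Idempotent fix for the pam_shells case: add SHELL to /etc/shells only when
# it is missing (appending blindly duplicates the line on every run). This
# also makes the shell acceptable to chsh and any other pam_shells user.
ensure_shell_listed() {   # ensure_shell_listed SHELL
    grep -qx -- "$1" "$SHELLS_FILE" || echo "$1" >> "$SHELLS_FILE"
}
```

On the server, why_ftp_login_fails clftp prints the blocking condition(s); if the only one is the shell, ensure_shell_listed /sbin/nologin is the fix the post describes, and if the user is in ftpusers or blocked by user_list, editing /etc/shells will not help.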

6. User/user group operations

Removing a user from a group: for example, user abc belongs to the groups bcd and check and must be removed from bcd. -G replaces the whole list of supplementary groups, so list only the groups to keep:

usermod -G check abc

To add a user to a group, do not use:

usermod -G groupA user

That replaces the user's supplementary groups with groupA alone. Add the -a (append) option instead:

usermod -a -G groupA user

Deleting a user (with -r, the home directory is removed as well; omit -r when the home directory is a shared FTP directory):

userdel -r clftp02

3. Virtual user configuration

This configuration lets several users work in the same directory with different rights, for example an admin FTP user with full permissions on the 01-FTP directory while clftp can only read and download.

4. Connection and use

1. Command line

From a cmd or bash command line:

  1. Common SFTP commands
ls                      # list the files in the current directory
help                    # list the commands SFTP supports
cd <dir>                # change to the given directory
pwd                     # show the current directory
get xxx.txt             # download the file xxx.txt
put xxx.txt             # upload the file xxx.txt
quit / bye / exit       # leave SFTP
sftp xxx.xxx.xxx.xxx    # log in with your current local user name (root if you run it as root)
sftp [email protected]     # log in as the user zygf

  2. SFTP command-line login process

    ① sftp xxx.xxx.xxx.xxx logs in with your current local user name (root when run as root). To log in as another user, use sftp [email protected], where zygf is the user name.
    ② After the connection is established, the system prompts for the password.
    ③ You can then enter directories and view their contents.
    ④ cd switches directories, get downloads files, put uploads files.
    ⑤ quit/bye/exit leaves SFTP.

2. Tool connection

When creating a connection in a graphical client, choose the SFTP connection type and enter the account and password.
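The interactive login above, carried over to a script, as an added shell example that is not part of the original post: it builds an sftp batch file and runs it non-interactively with key authentication, with no password typed into the script, and with host-key verification turned on so a changed or unknown server key aborts the transfer instead of being accepted. The host, user, key path and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the OpenSSH sftp
# client; the server details passed in are placeholders.
set -eu

# Build an sftp batch file. With "sftp -b", any command that fails aborts
# the batch unless it is prefixed with "-", so a failed "put" stops before
# the listing instead of silently continuing.
sftp_batch() {            # sftp_batch REMOTE_DIR LOCAL_FILE...
    remote=$1; shift
    printf 'cd %s\n' "$remote"
    for f in "$@"; do
        printf 'put %s\n' "$f"
    done
    printf 'ls -l\n'
    printf 'bye\n'
}

# Run the batch from stdin ("-b -"). BatchMode=yes never prompts, so only
# key authentication can succeed; StrictHostKeyChecking=yes refuses a host
# key that is missing from or differs from known_hosts; -P is the port
# (35021 in the post's configuration) and -i the private key.
sftp_upload() {           # sftp_upload USER HOST PORT KEY REMOTE_DIR FILE...
    user=$1; host=$2; port=$3; key=$4; remote=$5; shift 5
    sftp_batch "$remote" "$@" | sftp -b - -P "$port" -i "$key" \
        -o BatchMode=yes -o StrictHostKeyChecking=yes "$user@$host"
}
```

For the chrooted users from section 1 the public key goes into .ssh/authorized_keys under the user's home directory; because that directory is root-owned, root has to place it there, which is also what keeps the user from adding keys of their own.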

5. Minimal configuration

The steps above condensed into one sequence (the original's group, user and path names did not match each other; they are made consistent here):

groupadd testftp
mkdir -p /home/01-FTP/testftp/files
useradd -g testftp -d /home/01-FTP/testftp -s /sbin/nologin test360
chown test360:testftp /home/01-FTP/testftp/files
chmod 775 /home/01-FTP/testftp/files   # the original's 766 gives no execute bit, so the directory cannot be entered
passwd test360   # set the login password
setsebool -P allow_ftpd_full_access=1
grep -qx /sbin/nologin /etc/shells || echo /sbin/nologin >> /etc/shells
systemctl restart vsftpd
You can now log in and verify.