Restrict ssh access per user based on conditions


Is there a way to restrict a user to using ssh only to connect via SFTP, but not allow that same user to log in to a secure shell terminal? I only want the user to be able to connect with an SFTP client and nothing more.

    
por ctilley79 13.05.2015 / 15:41

1 answer


Yes, take a look at the Ubuntu SFTP How-To:

  1. Step 1- Create a Group for the Restricted Accounts

    For the sake of this example, we’ll create a new group called ‘sftponly‘. It’s best to use the addgroup command to do this, as it takes care of allocating an unused GID (Group Identifier) to the new group for us:

    sudo addgroup sftponly
    
  2. Step 2- Create the User Account

    For example's sake, we’ll create a user account with the username ‘bob‘, set his home directory as ‘/home/bob‘ and give him the password ‘pass‘.

    We’ll use the useradd command here as it takes care of assigning an unallocated UID to the user account for us.

    Creating the User Account:

    sudo useradd -d /home/bob -s /usr/lib/sftp-server -M -N -g sftponly bob
    

    Setting the Password:

    sudo passwd bob 
    
  3. Step 3- Setup the users home directory

    Right, let's create a home for bob and give him somewhere to put his files. Enter the commands below one by one on separate lines:

      sudo mkdir -p /home/bob/uploads /home/bob/.ssh
      sudo chown root:root /home/bob
      sudo chown bob:sftponly /home/bob/uploads /home/bob/.ssh
      sudo chmod 700 /home/bob/.ssh
    

    The first line creates the ‘/home/bob‘, ‘/home/bob/uploads‘ and ‘/home/bob/.ssh‘ directories.

    The second line sets the owner and group of the /home/bob directory to root. This is an important step, as the SSH server will complain (and refuse to let our restricted user log in) if the root of the user's home directory is NOT owned by root.

    The third line sets the owner and group on ‘/home/bob/uploads‘ and ‘/home/bob/.ssh‘ so these directories can be used by the restricted user. In this example, the ‘uploads‘ subdirectory will be used to store files while the ‘.ssh‘ subdirectory is used to store the user's public key.

    You should be able to log in to your account with a username and password when you’ve completed all the steps in this guide, but it’s recommended you use the public key method for authentication as it is considerably more secure.

    If you already have a private and public key you would like to use, then all you need to do is to upload a copy of the public key to a subdirectory named .ssh in the users home directory.

    Assuming that our public key file is named ‘bob.pub‘, we would issue the following commands to setup public key authentication for the bob user account.

    cd /home/bob/.ssh
    cat bob.pub >> authorized_keys
    chmod 700 authorized_keys
    chown bob:sftponly authorized_keys
    rm -r bob.pub
    
  4. Step 4- Add an entry to /etc/shells

    Open the file /etc/shells as root in your favorite text-editor, and add the following line at the bottom:

    /usr/lib/sftp-server
    
  5. Step 5- Amend the SSH Server Configuration file

    Open the SSH server configuration file as root to start making changes. On an Ubuntu system, this file is usually /etc/ssh/sshd_config. This may differ with other distributions, so check beforehand.

    Find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to read:

    Subsystem sftp internal-sftp
    

    Now add the following lines at the bottom of the file:

    Match group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    

    The line Match group sftponly tells the SSH server to apply the configuration options below it to all members of the sftponly system group.

    The line ChrootDirectory %h tells the SSH server to confine a user to their home directory only (the home directory is specified here using %h).

    The X11Forwarding no and AllowTcpForwarding no lines prevent the user from, respectively, accessing graphical applications on the server and from connecting to other systems via ours.

    The ForceCommand internal-sftp line prevents the user from executing their own commands and forces them to use the SFTP server component of the SSH server by executing the ‘internal-sftp‘ command when the user logs in.

  6. Step 6- Restart the SSH Server

    Ubuntu/Debian users can issue the following command to restart the SSH server:

    sudo /etc/init.d/ssh restart 
    

That’s it. You should be able to login using the ‘sftp‘ command with either the username and password you setup or using your private key (if you set this up in Step 2.) Using the setup outlined here, you would only have to repeat steps 1-3 to setup new accounts.

    
por 13.05.2015 / 15:45
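A small audit script, added here and not part of the quoted guide or the answer, that checks the two things this setup most often fails on: that the Match block from Step 5 really forces internal-sftp with forwarding disabled, and that the chroot target obeys the root-ownership rule from Step 3. It assumes GNU stat and awk and a single-criterion Match line; the function names are mine.

```shell
#!/bin/sh
# Audit helper added for this answer (constructed here, not part of the quoted guide):
# verifies that an sshd_config really confines a group to SFTP and that a chroot
# target meets sshd's ownership rules. Assumes GNU stat (-c) and awk.

# Print "keyword value" (keyword lowercased) for each directive inside the
# "Match group <grp>" block. Simplification: only single-criterion Match lines.
match_block() {  # $1 = sshd_config path, $2 = group name
    awk -v grp="$2" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk && NF && $1 !~ /^#/ { print tolower($1), $2 }
    ' "$1"
}

# 0 if every directive from Step 5 is present for the group, else report what is missing.
sftp_chroot_config_ok() {  # $1 = sshd_config path, $2 = group name
    cfg=$1; grp=$2; rc=0
    # internal-sftp is mandatory: inside the chroot there is no sftp-server binary to exec.
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp([[:space:]]|$)' "$cfg" \
        || { echo "missing: Subsystem sftp internal-sftp"; rc=1; }
    blk=$(match_block "$cfg" "$grp")
    [ -n "$blk" ] || { echo "missing: Match group $grp block"; return 1; }
    for want in "chrootdirectory %h" "forcecommand internal-sftp" \
                "allowtcpforwarding no" "x11forwarding no"; do
        printf '%s\n' "$blk" | grep -Fqx "$want" \
            || { echo "missing in Match group $grp: $want"; rc=1; }
    done
    return $rc
}

# 0 if the chroot directory and every parent are root-owned and not group/world
# writable; otherwise sshd logs "bad ownership or modes for chroot directory" and
# refuses the login, which is why Step 3 gives /home/bob to root.
chroot_dir_ok() {  # $1 = chroot directory (the user's home when %h is used)
    d=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1"; return 1; }
    while :; do
        set -- $(stat -c '%u %a' "$d")   # owner uid, octal mode
        [ "$1" = 0 ] || { echo "$d: owned by uid $1, must be root"; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "$d: mode $2 is group/world writable"; return 1; }
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return 0
}
```

Run it as `sftp_chroot_config_ok /etc/ssh/sshd_config sftponly && chroot_dir_ok /home/bob` after Step 5; a non-zero exit explains which directive or path component sshd will reject.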
