我想将公钥授权添加到我的sftp chroot目录,但我总是得到:
debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/test/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet,wait for reply debug1: Authentications that can continue: publickey debug2: we did not send a packet,disable method debug1: No more authentication methods to try. Permission denied (publickey). Couldn't read packet: Connection reset by peer
Chroot有效,因为可以使用密码进行授权.
我在没有chroot的主机上有其他帐户,它可以使用此密钥.
我尝试了很多次,但它仍然不起作用.
在auth.log中的服务器上只有:
连接由xxx关闭[preauth]
这是我的目录:
ls -laR /sftp/ /sftp/: total 12 drwxr-xr-x 3 root root 4096 May 3 16:55 . drwxr-xr-x 23 root root 4096 May 3 14:46 .. drwxr-xr-x 3 root root 4096 May 3 16:45 backup /sftp/backup: total 12 drwxr-xr-x 3 root root 4096 May 3 16:45 . drwxr-xr-x 3 root root 4096 May 3 16:55 .. drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming /sftp/backup/incoming: total 12 drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 . drwxr-xr-x 3 root root 4096 May 3 16:45 .. drwx------ 2 backup sftpusers 4096 May 3 21:06 .ssh /sftp/backup/incoming/.ssh: total 12 drwx------ 2 backup sftpusers 4096 May 3 21:06 . drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .. -rw------- 1 backup sftpusers 391 May 3 21:06 authorized_keys
我的用户:
backup:x:1002:1003::/incoming:/usr/sbin/nologin
我的ssh配置:
Match Group sftpusers ChrootDirectory /sftp/%u AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
请帮忙.
解决方法
我尝试了这个解决方案(将AuthorizedKeysFile放入Match块)和sshd -T抱怨:
/etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block
(RHEL 6.6,openssh 5.3p1-104)
SOLUTION:authorized_keys文件(和用户的.ssh目录)必须存在于/ etc / passwd定义的主目录位置,在chroot目录之外.
例如(使用OP用户名/ uids):
/ etc / passwd中:
backup:x:1002:1003::/home/backup:/sbin/nologin
创建由root拥有的目录/ home / backup
创建目录/home/backup/.ssh,将所有权更改为备份,chmod 700 /home/backup/.ssh
将authorized_keys文件复制到/home/backup/.ssh,chmod 400 authorized_keys
ls -laR /home /home: total 12 drwxr-xr-x 3 root root 4096 Jul 9 12:25 . drwxr-xr-x 3 root root 4096 Sep 22 2014 .. drwxr-xr-x 3 root root 4096 Jul 9 12:25 backup /home/backup: total 12 drwxr-xr-x 3 root root 4096 Jul 9 12:25 . drwxr-xr-x 3 root root 4096 Jul 9 12:25 .. drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .ssh /home/backup/.ssh: total 12 drwx------ 3 backup sftpusers 4096 Jul 9 12:28 . drwxr-xr-x 3 root root 4096 Jul 9 12:25 .. -r-------- 3 backup sftpusers 391 Jul 9 12:29 authorized_keys
/ etc / ssh / sshd_config变为:
Match Group sftpusers ChrootDirectory /sftp/%u ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
chroot目录结构是:
ls -laR /sftp/ /sftp/: total 12 drwxr-xr-x 3 root root 4096 May 3 16:55 . drwxr-xr-x 23 root root 4096 May 3 14:46 .. drwxr-xr-x 3 root root 4096 May 3 16:45 backup /sftp/backup: total 12 drwxr-xr-x 3 root root 4096 May 3 16:45 . drwxr-xr-x 3 root root 4096 May 3 16:55 .. drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming drwxr-xr-x 3 root root 4096 May 3 16:55 home /sftp/backup/incoming: total 12 drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 . drwxr-xr-x 3 root root 4096 May 3 16:45 .. /sftp/backup/home: total 12 drwxr-xr-x 3 root root 4096 May 3 16:55 . drwxr-xr-x 3 root root 4096 May 3 16:45 .. drwx------ 2 backup sftpusers 4096 May 3 21:06 backup /sftp/backup/home/backup: total 12 drwx------ 3 backup sftpusers 4096 May 3 21:06 . drwxr-xr-x 3 root root 4096 May 3 16:55 ..
注意:/ sftp / backup / home / backup是空的,它只提供一个看起来像非chroot / home / backup的路径 – .ssh目录是/home/backup/.ssh not / sftp /备份/家庭/备份/的.ssh
