我正在尝试设置SSHFTP服务器,并且在通过apache @ localhost连接时,我立即断开连接“Write Failed:Broken Pipe”错误消息。我可以与jack@localhost
进行良好关联,但不能与用户apache
建立联系。
这些是我添加到sshd_config的唯一设置(我希望在工作时只允许apache):
Match User apache
ChrootDirectory /apache
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/lib/openssh/sftp-server
Match
#AllowUsers apache
这就是我添加到ssh_config中的内容:
ServerAliveInterval 120
TCPKeepAlive no
我确保用户apache对/ apache文件夹具有完全权限,并且我可以以此用户身份登录并修改终端中的项目。该文件夹只有2个文件:index.html和test.php
我也去了网络上的另一台计算机,并使用FileZilla作为用户jack
登录。它运作得很好。
这是我尝试连接时终端的日志。
jack@JacksServer:~$ ssh -v apache@localhost
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/jack/.ssh/id_rsa type -1
debug1: identity file /home/jack/.ssh/id_rsa-cert type -1
debug1: identity file /home/jack/.ssh/id_dsa type -1
debug1: identity file /home/jack/.ssh/id_dsa-cert type -1
debug1: identity file /home/jack/.ssh/id_ecdsa type -1
debug1: identity file /home/jack/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bb:f3:74:9d:97:80:89:dc:d9:68:53:5c:f7:25:19:4e
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/jack/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jack/.ssh/id_rsa
debug1: Trying private key: /home/jack/.ssh/id_dsa
debug1: Trying private key: /home/jack/.ssh/id_ecdsa
debug1: Next authentication method: password
apache@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
jack@JacksServer:~$
Ubuntu版本信息:
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise
编辑:
我运行了命令sudo grep -ir ssh /var/log/*
并得到了这个:
/var/log/auth.log~:Aug 13 16:08:15 JacksServer sshd[32292]: fatal: bad ownership or modes for chroot directory "/apache"
/var/log/auth.log~:Aug 13 16:08:15 JacksServer sshd[32156]: pam_unix(sshd:session): session closed for user apache
我试图像某些网站建议的那样chmod 755 /apache
并改变所有权,但我仍然遇到此错误。该文件夹目前由用户apache
拥有。
有关apache用户的更多信息:
root@JacksServer:/apache# ls -la /apache
total 24
drwxr-xr-x 4 apache root 4096 Aug 13 15:49 .
drwxr-xr-x 29 root root 4096 Aug 13 03:06 ..
drwxr-xr-x 2 apache nogroup 4096 Aug 13 13:57 .cache
-rw-r--r-- 1 apache root 5 Aug 13 03:56 index.html
-rw-r--r-- 1 apache root 0 Aug 13 03:56 index.html~
drwxr-xr-x 8 apache root 4096 Aug 13 15:51 .ssh
-rw-r--r-- 1 apache root 20 Aug 13 03:59 test.php
-rw-r--r-- 1 apache root 0 Aug 13 03:59 test.php~
root@JacksServer:/apache# ls -la /apache/.ssh
total 92
drwxr-xr-x 8 apache root 4096 Aug 13 15:51 .
drwxr-xr-x 4 apache root 4096 Aug 13 15:49 ..
-rw-r--r-- 1 apache jack 220 Jun 6 20:08 .bash_logout
drwxr-xr-x 19 apache jack 4096 Aug 13 15:04 .cache
drwxr-xr-x 3 apache jack 4096 Jun 6 20:49 .compiz-1
drwxr-xr-x 3 apache jack 4096 Jun 6 20:22 .dbus
drwxr-xr-x 5 apache jack 4096 Aug 13 05:37 .gconf
-rw-r----- 1 apache jack 0 Aug 13 15:47 .gksu.lock
drwxr-xr-x 3 apache jack 4096 Jun 6 20:22 .local
-rw-r--r-- 1 apache jack 675 Jun 6 20:08 .profile
-rw------- 1 apache jack 256 Jun 6 20:22 .pulse-cookie
drwxr-xr-x 2 apache jack 4096 Aug 13 14:20 .ssh
-rw------- 1 apache jack 56 Aug 13 04:45 .Xauthority
-rw------- 1 apache jack 44215 Aug 13 13:54 .xsession-errors
答案 0 :(得分:25)
两者的答案都在这个帖子中:https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes
“基本上chroot目录必须由root拥有,不能是任何组写访问。”
这意味着您需要确保您的ChrootDirectory
(/apache
)归root所有,并且不能被任何组/其他人写入。这是由于一些模糊的与setuid相关的安全风险outlined here。
另外,要回答有关/bin/false: No such file or directory
的问题:请尝试使用/sbin/nologin
。
答案 1 :(得分:2)
我在Mac OS X中解决了我的问题,我已经改变了
#ClientAliveInterval 0
到
ClientAliveInterval 300
在this之后的/ etc / sshd_config中,然后重新启动计算机。
答案 2 :(得分:1)
由于篇幅太长而作为另一个答案发布:
在我的发现中,ChrootDirectory的这个要求使它变得毫无用处。为什么某人的主目录对该用户不可写?瘸。在Chroot Dirs中也无法访问符号链接。
然而 - 我找到了一个漂亮的解决方法。我创建了一个/home/chroot/outsource
目录,在其中使用mount --bind
将系统/var/www/clients/theclient
中的另一个目录挂载到/home/chroot/outsource/theclient
。
由于mount --bind
只是暂时重启,我在/etc/fstab
添加了这一行:
/var/www/clients/theclient /home/chroot/outsource/theclient none bind,auto,user,noexec 0 0