Simple SFTP Setup
This SFTP setup does not use a chroot, and it does not restrict logins as root.
Start from a basic installation. Then add the components that the basic install lacks: rsync, man and openssh-clients.
{{{
[root@host-172-16-1-198 ~]# reset
[root@host-172-16-1-198 ~]# cat sftp-setup.txt
    5  yum install rsync man
    6  yum install openssh-clients
   11  grep sftp /etc/services
   12  cd /etc/sysconfig/
   13  joe iptables
   14  vi iptables
   15  service iptables restart
   18  passwd
   19  sftp localhost
   20  ssh localhost
   21  history > sftp-setup.txt
}}}
We deliberately opened the sftp port; it is not clear whether this is necessary:
{{{
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
}}}
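To see what the `--dport sftp` rule above actually opened, here is an added shell check (not part of the original page) that resolves the service names in the page's rule set the way iptables does, via /etc/services. The `sftp` entry in /etc/services is 115/tcp, the old Simple File Transfer Protocol; SSH's SFTP subsystem rides on port 22, so the extra rule exposes an unrelated port. The rule set and the services table are constructed excerpts embedded inline so the script runs offline.

```shell
#!/bin/sh
# Added audit check, not part of the original page: list the TCP ports the
# page's iptables rules ACCEPT, resolving service names via /etc/services.
# Inputs are constructed excerpts embedded inline; on a live host read
# /etc/sysconfig/iptables and use `getent services` instead.

# The ACCEPT/REJECT rules from the page's /etc/sysconfig/iptables.
IPTABLES_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport sftp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed excerpt of /etc/services; these entries match the real file.
SERVICES='ssh             22/tcp
sftp            115/tcp
snmp            161/udp'

# resolve_port NAME PROTO: print the numeric port for a service name,
# or the argument unchanged when it is already numeric.
resolve_port() {
    case "$1" in
        *[!0-9]*) printf '%s\n' "$SERVICES" | awk -v n="$1" -v p="$2" \
            '$1 == n && $2 ~ ("/" p "$") { split($2, a, "/"); print a[1]; exit }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# opened_tcp_ports: space-separated numeric ports opened by --dport ACCEPT rules.
opened_tcp_ports() {
    printf '%s\n' "$IPTABLES_RULES" |
        awk '/-j ACCEPT/ && /--dport/ { for (i = 1; i <= NF; i++)
                                        if ($i == "--dport") print $(i + 1) }' |
        while read -r name; do resolve_port "$name" tcp; done |
        tr '\n' ' ' | sed 's/ $//'
}

# Report: the SSH SFTP subsystem only needs port 22; anything else opened
# through a service name deserves a second look before it goes live.
for port in $(opened_tcp_ports); do
    if [ "$port" = 22 ]; then
        echo "port $port: sshd, which also carries the SFTP subsystem"
    else
        echo "port $port: not sshd (the sftp alias is 115/tcp); review whether it is needed"
    fi
done
```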
The following services are running:
{{{
acpid          0:off  1:off  2:on   3:on   4:on   5:on   6:off
atd            0:off  1:off  2:off  3:on   4:on   5:on   6:off
auditd         0:off  1:off  2:on   3:on   4:on   5:on   6:off
crond          0:off  1:off  2:on   3:on   4:on   5:on   6:off
ip6tables      0:off  1:off  2:on   3:on   4:on   5:on   6:off
iptables       0:off  1:off  2:on   3:on   4:on   5:on   6:off
netfs          0:off  1:off  2:off  3:on   4:on   5:on   6:off
network        0:off  1:off  2:on   3:on   4:on   5:on   6:off
restorecond    0:off  1:off  2:on   3:on   4:on   5:on   6:off
rsyslog        0:off  1:off  2:on   3:on   4:on   5:on   6:off
sendmail       0:off  1:off  2:on   3:on   4:on   5:on   6:off
snmpd          0:off  1:off  2:on   3:on   4:on   5:on   6:off
udev-post      0:off  1:on   2:on   3:on   4:on   5:on   6:off
}}}
And test that it works; note that in this example we did not change /etc/ssh/sshd_config:
{{{
[root@host-172-16-1-198 ~]# sftp localhost
Connecting to localhost...
root@localhost's password:
sftp> ls
sftp-setup.txt
sftp> ls -l
-rw-r--r--    1 root     root         1830 Oct 15 08:31 sftp-setup.txt
sftp> quit
[root@host-172-16-1-198 ~]#
}}}
And access over ssh:
{{{
[root@host-172-16-1-198 ~]# ssh localhost
root@localhost's password:
Last login: Mon Oct 15 08:30:29 2012 from 10.16.1.106
[root@host-172-16-1-198 ~]# logout
Connection to localhost closed.
[root@host-172-16-1-198 ~]#
}}}
Authentication with either a key or a password works. When logging in remotely, we are not prompted for a password if a key is present; once we remove the key, we have to enter a password:
{{{
[herrold@centos-6 ~]$ # set up ssh to use a key
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:07 EDT 2012
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ # remove the key
[herrold@centos-6 ~]$ sftp root@10.16.1.194
Connecting to 10.16.1.194...
root@10.16.1.194's password:
sftp> ls
sftp-setup.txt
sftp> quit
[herrold@centos-6 ~]$ date
Mon Oct 15 12:57:33 EDT 2012
[herrold@centos-6 ~]$
}}}
Hardening measures such as wrappers or tightening the iptables rules are not covered here, as they are beyond the scope of this article.
Translation of revision 2