我正在尝试使用RSSh严格监禁用户/ home / user / public_html dirctories.
我让它在一个帐户可以在测试服务器上成功进入系统的工作,但是一旦我作为该帐户登录,我注意到我可以将目录更改为我想要的任何地方并查看文件的内容.我可能无法编辑或转移到那些目录,但我认为能够监禁他们的全部目的是为了防止这样的事情?
原文链接:https://www.f2er.com/bash/385659.html我让它在一个帐户可以在测试服务器上成功进入系统的工作,但是一旦我作为该帐户登录,我注意到我可以将目录更改为我想要的任何地方并查看文件的内容.我可能无法编辑或转移到那些目录,但我认为能够监禁他们的全部目的是为了防止这样的事情?
SSHD使用Subsystem sftp internal-sftp进行设置
RSSH将用户指定为只能使用scp和sftp
用户的帐户正在使用/usr/bin/RSSh作为shell和/ home / user / public_html
用户的主目录是root:用户所有者:组
我注意到,他们可以查看他们可以查看的内容和目录的唯一文件都是世界可读的,这是有道理的,但为什么他们允许他们离开他们的目录呢?请不要说我只是回答了我自己的问题.目的是找到防止这种情况的最佳实践解决方案.
期望的结果是它们被限制为cd到任何不属于它们的目录的能力.
我在这里错过了什么吗?
logfacility = LOG_USER allowscp allowsftp #allowcvs #allowrdist #allowrsync #allowsvnserve # set the default umask umask = 022 user=wwwtest1:077:110000:/home/wwwtest1/public_html
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports,IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords,change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* #Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp # Set this to 'yes' to enable PAM authentication,account processing,# and session processing. If this is enabled,PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration,# PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication,then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
