scponly: restricting users to SFTP/SCP uploads into a designated directory, with no SSH login

For security reasons the company wanted to give users SFTP/SCP rights to upload files into a designated directory, but no SSH login. rssh would also solve this, but it is more hassle, so we settled on scponly.

Straight to the configuration.

If your system is CentOS, use this configuration:

1. wget -c http://nchc.dl.sourceforge.net/s … nly/scponly-4.8.tgz   # scponly supports clients such as scp, sftp, rsync, subversion and gftp
2. ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
3. make && make install   # build and install
4. echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
5. make jail   # creates the chroot user, its directory and the upload folder; answer the prompts
Enable only the compat options you actually need: each one lets one more client program through scponly, and scponly's own security notes warn that some of the optional ones (rsync, subversion) accept arguments that can be turned into command execution. The check_dangerous_args() function that shows up in the build error below is scponly's filter for exactly those arguments.
Then we write a script:

#vi limit_scp.sh
#!/bin/bash
# Usage: sh limit_scp.sh <username>  (the user created by make jail; the jail is /home/<username>)
# Dynamic loader and NSS library, so binaries inside the chroot can start and
# scponlyc can resolve its own uid (without libnss_files it fails with "unknown user")
cp /lib64/ld-linux-x86-64.so.* /home/$1/lib64/
cp /lib64/libnss_files.so.2 /home/$1/usr/lib64/
ldconfig -r /home/$1/
# Group database for name lookups inside the jail
cp /etc/group /home/$1/etc/
# Provide /dev/null inside the jail
mkdir /home/$1/dev
mknod /home/$1/dev/null c 1 3
chmod 666 /home/$1/dev/null
# NOTE: this turns SELinux off for the whole host (effective after the next
# reboot), far broader than the scponly jail needs; treat it as a quick
# workaround, not a fix
cat > /etc/sysconfig/selinux << EOF
SELINUX=disabled
SELINUXTYPE=targeted
EOF
exit 0
6. sh +x limit_scp.sh username       # username is the one set during make jail
With these steps the directory that SCP/SFTP may upload into is locked down.
Now on to testing.


If your system is Ubuntu, watch the version; mine is Ubuntu 12.04.1 LTS.

#wget http://ncu.dl.sourceforge.net/project/scponly/scponly/scponly-4.8/scponly-4.8.tgz
#tar -zxvf scponly-4.8.tgz
#./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
# make

gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
scponly.c: In function ‘main’:
scponly.c:226:9: warning: ignoring return value of ‘fscanf’, declared with attribute warn_unused_result [-Wunused-result]
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"' -o helper.o -c helper.c
helper.c: In function ‘check_dangerous_args’:
helper.c:233:6: error: #elif with no expression
make: *** [helper.o] Error 1

root@ubuntu:/tmp/scponly-4.8#vi helper.c

Change line 233 from
#elif
to
#else
(the GCC shipped with 12.04 rejects a bare #elif; #else is the intended fallback branch).

Then run make again:

root@ubuntu:/tmp/scponly-4.8#make && make install
root@ubuntu:/tmp/scponly-4.8#echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
root@ubuntu:/tmp/scponly-4.8#ln -s /lib64/ld-linux-x86-64.so.2 /lib/ld.so
root@ubuntu:/tmp/scponly-4.8#make jail   # creates the chroot user, its directory and the upload folder; answer the prompts


-en Username to install [scponly]
mytest      # the user to create
-en home directory you wish to set for this user [/home/usertest]
            # the user's home directory (accept the default)
-en name of the writeable subdirectory [incoming]
www         # the user's upload directory
(the literal "-en" is just dash's echo printing the flags it does not understand)


Your platform (Linux) does not have a platform specific setup script.

This install script will attempt a best guess.

If you perform customizations, please consider sending me your changes.

Look to the templates in build_extras/arch.

 - joe at sublimation dot org


please set the password for usertest:

Enter new UNIX password:

root@ubuntu:/tmp/scponly-4.8#mkdir /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8#cp -rp /dev/null /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8#mkdir /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8#cp /lib64/ld-linux-x86-64.so.2 /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8#cp /lib/x86_64-linux-gnu/libnss_* -av /home/usertest/lib

Note: if the libraries are not copied, the session fails with an error like:

scponly unknown user 1005  lost connection

scponlyc resolves its own uid with getpwuid() from inside the chroot, so that lookup needs libnss_files and the jail's own /etc/passwd, not the host's.
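The CentOS script and the Ubuntu steps above hard-code which libraries to copy into the jail and leave the result unchecked. As an added example (not part of the original post and not scponly's own code), the bash functions below derive the library list from ldd output, copy the files into the jail, audit the jail for paths the user could write to, and confirm the user's login shell is scponlyc. The jail layout (/home/<user> with a user-owned upload subdirectory such as www, everything else root-owned and read-only) and the sample passwd lines are assumptions taken from this tutorial.

```shell
#!/usr/bin/env bash
# Added example, not part of scponly or the original post.
# Helpers for building and checking an scponly chroot jail.
# Assumed layout (as in the tutorial): jail root /home/<user>, an upload subdir
# such as "www" owned by the user, everything else root-owned and not writable
# by the user. scponlyc runs setuid root (it must, to call chroot()), so a user
# who can write into the jail's lib64/ or etc/ could plant his own loader, NSS
# library or passwd file for it to pick up.

# Extract the absolute library paths from `ldd` output. The text is passed as
# an argument so the function also works offline on captured output.
ldd_paths() {
    printf '%s\n' "$1" | awk '
        /=>/ && $3 ~ /^\// { print $3; next }   # libc.so.6 => /lib/.../libc.so.6 (0x..)
        $1 ~ /^\//        { print $1 }          # /lib64/ld-linux-x86-64.so.2 (0x..)
    '
}

# Copy every library named in ldd output into the jail under the same path.
# ldd does not list libnss_files: glibc dlopen()s it at runtime when scponlyc
# calls getpwuid(), which is why the tutorial copies it by hand and why a jail
# without it dies with "scponly unknown user <uid>".
populate_jail() {
    local jail="$1" ldd_out="$2" lib
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")" && cp -p "$lib" "$jail$lib" || return 1
    done <<EOF
$(ldd_paths "$ldd_out")
EOF
}

# Print every path in the jail, outside the upload dir, that is not owned by
# $owner or is group/world writable. Empty output means the jail is clean.
audit_jail() {
    local jail="$1" incoming="$2" owner="${3:-root}"
    find "$jail" -path "$jail/$incoming" -prune -o \
        \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print
}

# Check that the user's login shell in passwd text is the expected scponlyc
# binary and that it is listed in /etc/shells text (chsh and some daemons
# refuse shells that are not). Both texts are passed in so the check can run
# on copies of the files.
check_shell() {
    local passwd_text="$1" shells_text="$2" user="$3" expected="$4" shell
    shell=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$user" '$1 == u { print $7 }')
    if [ "$shell" != "$expected" ]; then
        echo "shell for $user is '$shell', expected $expected" >&2
        return 1
    fi
    if ! printf '%s\n' "$shells_text" | grep -qxF "$expected"; then
        echo "$expected is not listed in /etc/shells" >&2
        return 1
    fi
}
```

On the real host, run as root: for each binary that make jail placed in the jail (the scp and sftp-server copies), call `populate_jail /home/usertest "$(ldd /path/to/that/binary)"`, then copy libnss_files by hand as the tutorial does, and finally check that `audit_jail /home/usertest www` prints nothing and `check_shell "$(cat /etc/passwd)" "$(cat /etc/shells)" usertest /usr/local/scponly/sbin/scponlyc` succeeds. Anything audit_jail prints is a path the jailed user controls that scponlyc or the jailed binaries may load from.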

Now let's test.

SSH: the password is accepted, but the connection is closed as soon as the banner is printed, because scponlyc refuses to start an interactive shell.

root@ubuntu:/home/mygod# ssh usertest@18.92.185.2 
The authenticity of host '18.92.185.2 (18.92.185.2)' can't be established.
ECDSA key fingerprint is c1:c2:6a:7a:68:c8:e5:a6:87:f4:9b:95:d5:fd:ff:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '18.92.185.2' (ECDSA) to the list of known hosts.
usertest@18.92.185.2's password: 

Welcome to aliyun Elastic Compute Service!


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Tue May  5 16:57:18 2015 from 183.11.156.185
Connection to 18.92.185.2 closed.

SFTP

root@ubuntu:/home/mygod# sftp usertest@18.92.185.2
usertest@18.92.185.2's password: 
Connected to 18.92.185.2.
sftp> ls
bin    dev    etc    lib    lib64  usr    www    
sftp> cd /
sftp> ls
bin    dev    etc    lib    lib64  usr    www    
sftp> cd /root
Couldn't canonicalise: No such file or directory
sftp>

From inside the jail, / is the user's home directory on the host, so /root does not exist and the cd fails.

SCP

root@ubuntu:/tmp# scp a.txt  usertest@18.92.185.2:www
usertest@18.92.185.2's password: 
a.txt                                         100%    4     0.0KB/s   00:00

Verify the directory lockdown: paths the user asks for are resolved inside the jail, so the host's /etc/group is out of reach.

root@ubuntu:/tmp# scp usertest@18.92.185.2:/etc/group ./
usertest@18.92.185.2's password: 
scp: /etc/group: No such file or directory