{"id":201,"date":"2013-05-14T23:10:52","date_gmt":"2013-05-14T14:10:52","guid":{"rendered":"http:\/\/darkgray.homelinux.com\/modules\/xpress\/?p=201"},"modified":"2013-05-14T23:10:52","modified_gmt":"2013-05-14T14:10:52","slug":"sftp%e3%82%92chroot%e7%92%b0%e5%a2%83%e3%81%a7%e8%a8%ad%e5%ae%9a%e3%81%99%e3%82%8b%e3%80%82","status":"publish","type":"post","link":"https:\/\/darkgray.homelinux.com\/blog\/?p=201","title":{"rendered":"sftp\u3092chroot\u74b0\u5883\u3067\u8a2d\u5b9a\u3059\u308b\u3002"},"content":{"rendered":"<p>CentOS6\u3067\u306fOpenSSH5.3\u304c\u30c7\u30d5\u30a9\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u7c21\u5358\u306bchroot\u74b0\u5883\u304c\u8a2d\u5b9a\u3067\u304d\u308b\u3002<br \/>\n<!--more--><\/p>\n<p>\u53c2\u7167URL:<a href=\"http:\/\/lab.eli-sys.jp\/2012\/07\/01\/sftp-chroot%E3%81%AE%E8%A8%AD%E5%AE%9A%EF%BC%88centos-6%EF%BC%89\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/lab.eli-sys.jp\/2012\/07\/01\/sftp-chroot%E3%81%AE%E8%A8%AD%E5%AE%9A%EF%BC%88centos-6%EF%BC%89\/<\/a><\/p>\n<p>\u5148\u306b<a href=\"http:\/\/darkgray.homelinux.com\/modules\/xpress\/?p=176\" target=\"_blank\" rel=\"noopener noreferrer\">ssh\u3067\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u308b\u74b0\u5883<\/a>\u3092\u6574\u3048\u305f\u4e0a\u3067\u3001\u30b7\u30b9\u30c6\u30e0\u8a2d\u5b9a\u3001\/etc\/ssh\/sshd_config\u3092\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u4fee\u6b63\u3059\u308b\u3002<br \/>\n[code]<br \/>\n# Subsystem     sftp    \/usr\/libexec\/openssh\/sftp-server\u3000\uff08\u3053\u306e\u884c\u3092\u30b3\u30e1\u30f3\u30c8\u306b\u3059\u308b\u3002\uff09<br \/>\n\u4ee5\u4e0b\u3092\u6700\u7d42\u884c\u306b\u8ffd\u52a0\u3059\u308b<br \/>\nSubsystem sftp internal-sftp<\/p>\n<p>Match Group sftponly<br \/>\nChrootDirectory \/home\/%u  
\u3000#\u3000\u3053\u306e\u884c\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u6307\u5b9a\u306fchroot\u30e6\u30fc\u30b6\u30fc\u306e\u30db\u30fc\u30e0\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u6307\u5b9a\u3059\u308b\u3002<br \/>\nX11Forwarding no<br \/>\nAllowTCPForwarding no<br \/>\nForceCommand internal-sftp<br \/>\n[\/code]<br \/>\n\u4fee\u6b63\u3067\u304d\u305f\u3089ssh\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002<br \/>\n[code]<br \/>\n# \/etc\/init.d\/sshd restart<br \/>\n[\/code]<\/p>\n<p>sftp\u30aa\u30f3\u30ea\u30fc\u30b0\u30eb\u30fc\u30d7\u3092\u767b\u9332\u3059\u308b\u3002<br \/>\n[code]<br \/>\n# groupadd -g 2000 sftponly<br \/>\n[\/code]<\/p>\n<p>chroot\u74b0\u5883\u3092\u69cb\u7bc9\u3057\u305f\u3044\u30e6\u30fc\u30b6\u30fc\u3092sftp\u30aa\u30f3\u30ea\u30fc\u30b0\u30eb\u30fc\u30d7\u306b\u8ffd\u52a0\u3059\u308b\u3002\uff08-G\u3060\u3051\u3060\u3068\u307b\u304b\u306e\u30b0\u30eb\u30fc\u30d7\u306e\u767b\u9332\u304c\u306f\u305a\u308c\u308b\u306e\u3067\u3001\u306e\u3053\u3059\u5834\u5408\u306f-aG\u3092\u6307\u5b9a\u3059\u308b\u3002\uff09<br \/>\n[code]<br \/>\n# usermod -G sftponly username<br \/>\n[\/code]<\/p>\n<p>chroot\u30e6\u30fc\u30b6\u30fc\u306e\u30db\u30fc\u30e0\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092root\u306b\u5c5e\u6027\u5909\u66f4\u3059\u308b\u3002\uff08sshd\u306f\u3001ChrootDirectory\u3068\u4e0a\u4f4d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u3069\u308c\u304b\u304croot\u306e\u3082\u306e\u3067\u306a\u3044\u5834\u5408\u3084\u3001\u30b0\u30eb\u30fc\u30d7\u3084\u307b\u304b\u306e\u30e6\u30fc\u30b6\u30fc\u306bw\u5c5e\u6027\u304c\u3042\u308b\u5834\u5408\u306f\u30ed\u30b0\u30a4\u30f3\u3092\u62d2\u5426\u3059\u308b\u3002\uff09<br \/>\n[code]<br \/>\n# chown root:root \/home\/username<br \/>\n# chmod 755 \/home\/username<br \/>\n[\/code]<br \/>\nSELinux\u304c\u6709\u52b9\u306e\u5834\u5408\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u8a2d\u5b9a\u3059\u308b\u3002\uff08\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u7ba1\u7406\u8005\u30e2\u30fc\u30c9\u3067\u5b9f\u884c\u3059\u308b\u3002\uff09<br \/>\n[code]<br \/>\n# setsebool -P ssh_chroot_rw_homedirs on<br \/>\n# restorecon -R \/home\/username<br \/>\n[\/code]<\/p>\n<p>\u4ee5\u4e0a\u3067chroot\u74b0\u5883\u306e\u8a2d\u5b9a\u7d42\u4e86\u3002<\/p>\n<p>poderosa\u7b49\u306e\u7aef\u672b\u3067\u306f\u30ed\u30b0\u30a4\u30f3\u3092\u62d2\u5426\u3055\u308c\u308b\u3002<br 
\/>\nWinSCP\u7b49\u306esftp\u3067\u306f\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u308b\u304c\/home\/username\u304b\u3089\u4e0a\u4f4d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306f\u30a2\u30af\u30bb\u30b9\u3067\u304d\u306a\u304f\u306a\u3063\u3066\u3044\u308c\u3070OK\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CentOS6\u3067\u306fOpenSSH5.3\u304c\u30c7\u30d5\u30a9\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u7c21\u5358\u306bchroot\u74b0\u5883\u304c\u8a2d\u5b9a\u3067\u304d\u308b\u3002<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[3,21],"tags":[58,65],"class_list":["post-201","post","type-post","status-publish","format-standard","hentry","category-centos-setup","category-selinux","tag-sftp","tag-winscp"],"_links":{"self":[{"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/201","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=201"}],"version-history":[{"count":0,"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/201\/revisions"}],"wp:attachment":[{"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=201"}],"wp:t
erm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/darkgray.homelinux.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}