
红烧鱼

linux & windows management

 
 
 


专注IT基础架构设计与运维。 欢迎给我留言,或邮件沟通zjwsk@163.com

OpenSSH chroot SFTP install script

2013-03-12 16:10:53 | 分类: Linux

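#1. Initial OS configuration: root's authorized_keys, the internal yum repo,
#   and the OpenSSL/OpenSSH source tarballs that step 2 builds from.
#
# SECURITY NOTE: everything here is fetched over plain HTTP from an internal
# mirror (10.245.254.171) with no TLS and no signature. Anyone who can spoof
# or tamper with that path controls root's SSH trust anchor and the sshd
# binary this host will run. At minimum: fail loudly when a download fails,
# and check the tarballs against known-good digests taken from the upstream
# release announcements (exported as OPENSSL_SHA256 / OPENSSH_SHA256).
MIRROR=http://10.245.254.171/linux/ks

# ~/.ssh must be 0700 (a directory needs the x bit to be traversable);
# the old "chmod 600 -R" only appeared to work because root bypasses DAC.
# -O gives a fixed destination path so we can chmod the right file (plain
# --directory-prefix would write authorized_keys.1 if a file already existed).
mkdir -p /root/.ssh
chmod 700 /root/.ssh
wget -O /root/.ssh/authorized_keys "$MIRROR/authorized_keys" || exit 1
chmod 600 /root/.ssh/authorized_keys

# Repo definition for the internal mirror. Confirm it sets gpgcheck=1: a repo
# file pulled over HTTP that disables RPM signature checks lets the same
# attacker feed arbitrary packages to the 'yum install' below.
wget -O /etc/yum.repos.d/mac.repo "$MIRROR/mac.repo" || exit 1

wget -O /root/openssh-6.1p1.tar.gz "$MIRROR/openssh-6.1p1.tar.gz" || exit 1
wget -O /root/openssl-1.0.1e.tar.gz "$MIRROR/openssl-1.0.1e.tar.gz" || exit 1

# Integrity check: refuse to build from a tarball whose SHA-256 does not match
# the value published upstream. The expected digests must be supplied by the
# operator; they are deliberately not hard-coded here.
: "${OPENSSL_SHA256:?export the upstream SHA-256 of openssl-1.0.1e.tar.gz}"
: "${OPENSSH_SHA256:?export the upstream SHA-256 of openssh-6.1p1.tar.gz}"
printf '%s  %s\n' "$OPENSSL_SHA256" /root/openssl-1.0.1e.tar.gz | sha256sum -c - || exit 1
printf '%s  %s\n' "$OPENSSH_SHA256" /root/openssh-6.1p1.tar.gz | sha256sum -c - || exit 1

# Build dependencies for OpenSSL/OpenSSH (PAM headers for --with-pam below).
yum install -y gcc zlib-devel.x86_64 pam-devel.x86_64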


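#2. Build and install OpenSSL and OpenSSH from source.
#
# SECURITY NOTE: the pinned versions are long out of support. OpenSSL 1.0.1e
# falls in the 1.0.1–1.0.1f range affected by CVE-2014-0160 (Heartbleed) and
# OpenSSH 6.1p1 predates years of fixes; pin a currently supported release of
# each before reusing this script. Building as root also means any hostile
# Makefile in an unverified tarball runs with full privileges.
tar zxpvf /root/openssl-1.0.1e.tar.gz -C /root || exit 1
cd /root/openssl-1.0.1e || exit 1
# Default target installs under /usr/local/ssl. With no 'shared' option only
# static libraries are built, so sshd will most likely link libcrypto
# statically — an OpenSSL update then requires rebuilding sshd as well.
./config && make && make install || exit 1

tar zxpvf /root/openssh-6.1p1.tar.gz -C /root || exit 1
cd /root/openssh-6.1p1 || exit 1
# --prefix=/usr --sysconfdir=/etc/ssh : overlay the distro layout so the stock
#                                        init script and /etc/ssh keep working
# --with-md5-passwords --with-pam      : accept RHEL's MD5/PAM password stacks
# --with-privsep-path=/sftproot        : pre-auth privilege-separation chroot.
#                                        Must stay root-owned and not writable
#                                        by anyone else; it is also the parent
#                                        of the per-user sftp chroots (step 4)
# --with-ssl-dir=/usr/local/ssl        : the OpenSSL just installed above
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam \
  --with-privsep-path=/sftproot --with-ssl-dir=/usr/local/ssl || exit 1
make && make install || exit 1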


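#3. sshd configuration for chrooted SFTP.
#
# Start from the sample config shipped in the source tree and comment out its
# Subsystem line (ours is appended below). NOTE: this REPLACES any existing
# /etc/ssh/sshd_config, including distro hardening (PermitRootLogin, UsePAM,
# ...) — review the result before restarting.
# The sed matches either start-of-line or a leading '#' and rewrites it to
# '#', so an active "Subsystem ..." line is commented out and an already
# commented one is left unchanged.
sed '/Subsystem/s/^\|^#/#/' /root/openssh-6.1p1/sshd_config > /etc/ssh/sshd_config
#perl -pi -e 's/^(\s*Subsystem\s+sftp\s+)/#$1/i' /etc/ssh/sshd_config
#sed -i '/Subsystem/s/^\|^#/#/' /etc/ssh/sshd_config

# DenyGroups is a global option and must appear BEFORE the first Match block.
# Everything after "Match" belongs to that block, so any later additions to
# this file must also go above it. sshd_config (at least through OpenSSH 6.1)
# does not strip trailing '#' comments — each word after the group name would
# be read as another group pattern — so comments stay on their own lines.
# 'sftpxxx' is carried over from the original; replace it with the real group
# that must never get SSH access, or remove the line.
cat <<'EOF' >>/etc/ssh/sshd_config
Subsystem sftp internal-sftp
DenyGroups sftpxxx
Match group sftponly
    # The chroot for %u must be owned by root and not group/world writable,
    # all the way up the path, or sshd refuses the login ("bad ownership or
    # modes for chroot directory").
    ChrootDirectory /sftproot/%u
    X11Forwarding no
    AllowTcpForwarding no
    # In-process sftp server: no shell or binaries are needed inside the
    # chroot. Log at INFO to facility LOCAL5 so rsyslog (step 5) can pick the
    # messages up via the /dev/log socket placed inside the chroot.
    ForceCommand internal-sftp -l INFO -f LOCAL5
EOF

# Validate before restarting: a broken config on a remote host locks you out.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config || exit 1
service sshd restart
# Alternative if the build used the default prefix instead of /usr:
# /usr/local/sbin/sshd -f /usr/local/etc/sshd_config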

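#4. Create the sftp-only group, a first user, and its chroot tree.
groupadd -g 521 sftponly

# NOTE(review): /bin/false is added to /etc/shells so the account looks like a
# "valid" login to tools that consult that file. internal-sftp does not need
# it (sshd runs the sftp server in-process and never execs the shell), and
# listing /bin/false there weakens pam_shells / chsh-style checks for every
# other account using that shell. Drop this unless something else on the host
# demonstrably requires it (on RHEL, /sbin/nologin is typically listed already).
grep -qx /bin/false /etc/shells || echo "/bin/false" >> /etc/shells

# -M: no home directory under /home. Because that path does not exist inside
# the chroot the session should start at the chroot's "/"; use -d with a path
# inside the chroot if users should land in data/ instead.
# -s /bin/false: no shell even if the ForceCommand were ever removed.
useradd -M -g sftponly -s /bin/false sftpu1

# Never hard-code a password in a provisioning script: it ends up in the
# blog/VCS/shell history and on every host built from it. Take it from the
# environment instead, and do not hide passwd's exit status.
: "${SFTPU1_PASSWORD:?set SFTPU1_PASSWORD to the initial password for sftpu1}"
printf '%s\n' "$SFTPU1_PASSWORD" | passwd --stdin sftpu1 || exit 1

# Chroot layout. /sftproot/sftpu1 itself stays root:root 0755 — sshd requires
# root ownership and no group/other write on the chroot and all its parents.
# Only data/ is writable by the user; dev/ will hold the rsyslog socket (step 5).
mkdir -p /sftproot/sftpu1/data
mkdir -p /sftproot/sftpu1/dev
chmod o-rx /sftproot/sftpu1/data
chown sftpu1:sftponly /sftproot/sftpu1/data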


#5. Logging for the chrooted sftp sessions.
# internal-sftp runs inside /sftproot/sftpu1 and can only reach a /dev/log
# that exists inside that chroot, so rsyslog has to listen on an extra socket.
yum install rsyslog5 -y

#5.1 rsyslog 5.8.10 with openssh-server 6.1p1.
# Rules run top to bottom: everything from internal-sftp goes to the unfiltered
# log, opendir/closedir noise is discarded ("~"), the rest goes to sftp.log,
# and the final "~" stops the messages from reaching later rules such as the
# default /var/log/messages line. The leading "-" on a file action means
# unsynced (asynchronous) writes — faster, but the last lines may be lost on a
# crash, which matters if sftp.log is treated as an audit trail.
# Quoted delimiter: nothing in the body is expanded by the shell.
cat <<'EOF' >/etc/rsyslog.d/sftp.conf
$AddUnixListenSocket /sftproot/sftpu1/dev/log
:programname, isequal, "internal-sftp" -/var/log/sftp.nofilter.log
:msg, contains, "opendir"  ~
:msg, contains, "closedir"  ~
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
EOF

# Replace the legacy syslog daemon with rsyslog.
chkconfig syslog off
service syslog stop
chkconfig rsyslog on
service rsyslog start

#5.2 With the stock RHEL 6.x openssh-server (5.3p1) the sftp server logs under
#    the program name "sshd", so replace "internal-sftp" with "sshd" in
#    /etc/rsyslog.d/sftp.conf.

#5.3 rsyslog 3.22 on RHEL 5.x — equivalent lines in /etc/rsyslog.conf:
#    $AddUnixListenSocket /sftproot/sftpu1/dev/log
#    *.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages
#    local5.*         /sftproot/sftpu1/dev/sftp.log

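#6. Log rotation for the new log files (/etc/logrotate.d/sftp).
# Two fixes over the previous Debian-flavoured stanza:
#  * invoke-rc.d does not exist on RHEL (this script uses yum/chkconfig/
#    service), so postrotate failed and rsyslog was never told to reopen the
#    file — it kept writing into the renamed sftp.log.1 until the next
#    rotation compressed it. Use the HUP-by-pidfile idiom from RHEL's own
#    /etc/logrotate.d/syslog instead.
#  * sftp.nofilter.log (also written by step 5) was never rotated and would
#    grow without bound.
# Quoted delimiter so $(...) is written literally for logrotate rather than
# expanded by the shell that writes the file.
cat <<'EOF' > /etc/logrotate.d/sftp
/var/log/sftp.log
/var/log/sftp.nofilter.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        sharedscripts
        postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
        endscript
}
EOF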


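#7. OS reinstall: add a GRUB entry that boots the kickstart installer over the
#   network, make it the default, and reboot into it.
#
# SECURITY NOTE: kernel, initrd and kickstart file all come over plain HTTP
# from 10.245.254.171 with no signature or checksum. Whoever can tamper with
# that path boots this machine into an OS of their choosing, and kickstart
# files normally embed the new root password as well. Keep the mirror on a
# trusted segment and verify the images against known digests before trusting
# them. Note the path is "linux/KS/" here but "linux/ks/" in step 1 — check
# which one the mirror actually serves.
#
# DESTRUCTIVE: this block ends with a reboot that reinstalls the host.
BOOT=http://10.245.254.171/linux/5server/x86_64/images/pxeboot

# Fetch the boot images first and abort if either is missing: pointing
# default= at an entry whose kernel does not exist leaves an unbootable box.
mkdir -p /boot/reinstall
wget --directory-prefix=/boot/reinstall "$BOOT/initrd.img" || exit 1
wget --directory-prefix=/boot/reinstall "$BOOT/vmlinuz" || exit 1
[ -s /boot/reinstall/vmlinuz ] && [ -s /boot/reinstall/initrd.img ] || exit 1

# Paths in the entry are relative to GRUB's root, i.e. this assumes a separate
# /boot partition (otherwise they would need the /boot prefix).
cat <<'EOF' >>/boot/grub/grub.conf
title Reinstall
kernel /reinstall/vmlinuz text ks=http://10.245.254.171/linux/KS/ks-rhel58-v2.txt ksdevice=eth0
initrd /reinstall/initrd.img
EOF

# Make the new entry the default. This assumes grub.conf currently reads
# "default=0" and has exactly one existing title, so the appended entry is
# index 1; with more entries, set default to the real index instead.
sed -i '/default=0/s/0/1/' /boot/grub/grub.conf
reboot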


For the full rsyslog configuration for chrooted sftp, see: http://zjwsk.blog.163.com/blog/static/598306132013212400791/
安装最新版本的 OpenSSH(连同 OpenSSL)的方法,参见博文 http://zjwsk.blog.163.com/blog/static/598306132014313112351/
