Using openssh for SSH connections and public SFTP

I have a system that some users need to connect to over regular SSH. I have named them "privileged users". The system must also provide an SFTP server for "anonymous" users (no password or any other authentication method).

Here is what I currently have in sshd_config:

########################################################################
# Common configurations for both Privileged Users and Anonymous
########################################################################
PermitRootLogin no
StrictModes yes
PrintMotd yes
AcceptEnv LANG LC_*
banner /etc/banner
AllowUsers fauve libidiloup anonymous

########################################################################
# Desired configurations for Privileged Users (who are not Anonymous)
########################################################################

Match User fauve, libidiloup
    Protocol 2
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    Port 17129
    PasswordAuthentication no
    PermitEmptyPasswords no
    UsePAM yes
    UsePrivilegeSeparation yes
    ChallengeResponseAuthentication no
    PrintLastLog no
    Subsystem sftp internal-sftp
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    X11Forwarding yes


########################################################################
# Configuration for Anonymous
########################################################################

Match User anonymous
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    ChrootDirectory /mnt/bibliotheque
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no

My only concern is security. Is the configuration of the Anonymous block sufficient?

In particular for the Protocol, RhostsRSAAuthentication, HostbasedAuthentication, UsePrivilegeSeparation and UsePAM options.

Does this configuration completely separate what anonymous guests can do from the privileged users?

Answer 1

Well, I ran some tests and here is the feedback I got.

First, here is the final working sshd_config I ended up with:

########################################################################
# Common configurations for both Privileged Users and Anonymous
########################################################################
Protocol 2
PermitRootLogin no
StrictModes yes
PrintMotd yes
AcceptEnv LANG LC_*
banner /etc/banner
AllowUsers fauve anonymous
#AllowGroups sshprivileged

# The following directives could NOT be set on a Match block
UsePAM yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
PrintLastLog no
Subsystem sftp internal-sftp
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

#########################################################################
## Desired configurations for Privileged Users (who are not Anonymous)
#########################################################################

Match User fauve
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PasswordAuthentication no
    PermitEmptyPasswords no
    X11Forwarding yes

#########################################################################
## Configuration for Anonymous
#########################################################################

Match User anonymous
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    ChrootDirectory /mnt/bibliotheque
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no

Mainly, there were two things that were not possible in the first sshd_config:

  1. The block under the comment "The following directives could NOT be set on a Match block" contains directives that cannot be placed inside a Match block.
  2. There is a conflict between AllowGroups and AllowUsers. The first directive takes precedence over the second.
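As an added example (not the asker's configuration or any OpenSSH code), the following Python reproduces the two checks the answer did by hand: it computes the options that end up in effect for a given user after the Match User blocks are applied, and it flags directives that sshd refuses inside a Match block. The NOT_IN_MATCH set is built only from the directives the answer had to move out of its Match blocks plus Protocol and Port from the first config, so it is not OpenSSH's complete list; Match User is matched by exact user name rather than sshd's pattern lists, and SAMPLE is a constructed config built from the page's anonymous block.

```python
import re  # added example: inspect an sshd_config the way the answer above did
# Directives the answer moved out of its Match blocks (plus Protocol and Port
# from the first config); not OpenSSH's complete list, see sshd_config(5).
NOT_IN_MATCH = {"protocol", "port", "usepam", "challengeresponseauthentication",
                "useprivilegeseparation", "ciphers", "kexalgorithms",
                "printlastlog", "subsystem"}

def parse_sshd_config(text):
    """(global_opts, [(users, opts), ...]); lowercased keywords, first one wins."""
    global_opts, blocks, opts = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":      # only 'Match User a,b' handled, exact names only
            users = re.sub(r"(?i)^user\s+", "", value).split(",")
            opts = {}
            blocks.append(({u.strip() for u in users}, opts))
        elif key:                                  # skip blank lines
            (global_opts if opts is None else opts).setdefault(key, value)
    return global_opts, blocks

def effective_config(text, user):
    """Globals overridden by Match User blocks naming user; first block wins."""
    global_opts, blocks = parse_sshd_config(text)
    effective, seen = dict(global_opts), set()
    for users, opts in blocks:
        for key, value in (opts.items() if user in users else ()):
            if key not in seen:
                effective[key] = value
                seen.add(key)
    return effective

def match_block_violations(text):
    """(block index, keyword) for each directive sshd would reject in a Match."""
    return [(i, k) for i, (_, opts) in enumerate(parse_sshd_config(text)[1])
            for k in opts if k in NOT_IN_MATCH]

# Constructed sample: the page's anonymous block beside a privileged block that
# repeats the first config's mistake of setting Protocol inside a Match block.
SAMPLE = """\
AllowUsers fauve anonymous
Match User fauve
    Protocol 2
    PasswordAuthentication no
Match User anonymous
    PermitEmptyPasswords yes
    ChrootDirectory /mnt/bibliotheque
    ForceCommand internal-sftp
"""
```

On a live host, `sshd -T -C user=anonymous` asks sshd itself for the effective option set for that user and is the authoritative check.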
