How to Setup SFTP with Publickey and Password on Ubuntu


Posted: 2019-06-26 11:36:56

Question:

I'm having trouble setting up an "SFTP only" login with two-factor authentication using "public key" and "password".

I'm running on Ubuntu 16 and using openssh-server.

Normal users can log in successfully with public key and password. However, my "SFTP only" user gets an error when logging in.

vim /etc/ssh/sshd_config

AuthenticationMethods publickey,password
PubkeyAuthentication yes
PasswordAuthentication yes

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Other system commands:

addgroup --system sftponly
usermod -G sftponly username
usermod -s /bin/false username
service ssh restart

Below is a WinSCP log of one login attempt by my "SFTP only" user.

. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.060 WinSCP Version 5.13.4 (Build 8731) (OS 10.0.17134 - Windows 10 Enterprise)
. 2019-02-01 13:45:42.060 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-02-01 13:45:42.060 Log level: Normal
. 2019-02-01 13:45:42.060 Local account: MY-PC\User
. 2019-02-01 13:45:42.060 Working directory: C:\Program Files (x86)\WinSCP
. 2019-02-01 13:45:42.060 Process ID: 8160
. 2019-02-01 13:45:42.060 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" 
. 2019-02-01 13:45:42.060 Time zone: Current: GMT-7, Standard: GMT-7 (Mountain Standard Time), DST: GMT-6 (Mountain Daylight Time), DST Start: 3/10/2019, DST End: 11/3/2019
. 2019-02-01 13:45:42.060 Login time: Friday, February 01, 2019 1:45:42 PM
. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.060 Session name: SFTP Testing (Site)
. 2019-02-01 13:45:42.060 Host name: x.x.x.x (Port: 22)
. 2019-02-01 13:45:42.060 User name: username (Password: No, Key file: Yes, Passphrase: No)
. 2019-02-01 13:45:42.060 Tunnel: No
. 2019-02-01 13:45:42.060 Transfer Protocol: SFTP (SCP)
. 2019-02-01 13:45:42.060 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2019-02-01 13:45:42.060 Disable Nagle: No
. 2019-02-01 13:45:42.060 Proxy: None
. 2019-02-01 13:45:42.060 Send buffer: 262144
. 2019-02-01 13:45:42.060 SSH protocol version: 2; Compression: No
. 2019-02-01 13:45:42.060 Bypass authentication: No
. 2019-02-01 13:45:42.060 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2019-02-01 13:45:42.060 GSSAPI: Forwarding: No; Libs: gssapi32,sspi,custom; Custom: 
. 2019-02-01 13:45:42.060 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2019-02-01 13:45:42.060 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2019-02-01 13:45:42.060 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2019-02-01 13:45:42.060 Simple channel: Yes
. 2019-02-01 13:45:42.060 Return code variable: Autodetect; Lookup user groups: Auto
. 2019-02-01 13:45:42.060 Shell: default
. 2019-02-01 13:45:42.060 EOL: LF, UTF: Auto
. 2019-02-01 13:45:42.060 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2019-02-01 13:45:42.060 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2019-02-01 13:45:42.060 SFTP Bugs: Auto,Auto
. 2019-02-01 13:45:42.060 SFTP Server: default
. 2019-02-01 13:45:42.060 Local directory: default, Remote directory: /home/username, Update: Yes, Cache: Yes
. 2019-02-01 13:45:42.060 Cache directory changes: Yes, Permanent: Yes
. 2019-02-01 13:45:42.060 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2019-02-01 13:45:42.060 DST mode: Unix
. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.107 Looking up host "x.x.x.x" for SSH connection
. 2019-02-01 13:45:42.107 Connecting to x.x.x.x port 22
. 2019-02-01 13:45:42.138 We claim version: SSH-2.0-WinSCP_release_5.13.4
. 2019-02-01 13:45:42.170 Server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
. 2019-02-01 13:45:42.170 Using SSH protocol version 2
. 2019-02-01 13:45:42.170 Have a known host key of type ssh-ed25519
. 2019-02-01 13:45:42.185 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2019-02-01 13:45:42.670 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2019-02-01 13:45:42.670 Host key fingerprint is:
. 2019-02-01 13:45:42.670 ssh-ed25519 256 73:39:d8:0c:ed:dc:4b:ed:da:8f:a8:e8:20:ed:9e:1d 0Uaf91MV9sMQESUTp8X9a8l4nHeUKohN/XuDBAI+jG4=
. 2019-02-01 13:45:42.716 Host key matches cached key
. 2019-02-01 13:45:42.716 Initialised AES-256 SDCTR client->server encryption
. 2019-02-01 13:45:42.716 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2019-02-01 13:45:42.716 Initialised AES-256 SDCTR server->client encryption
. 2019-02-01 13:45:42.716 Initialised HMAC-SHA-256 server->client MAC algorithm
. 2019-02-01 13:45:42.810 Reading key file "C:\Users\User\Documents\ssh-keys\username_private.ppk"
! 2019-02-01 13:45:42.810 Using username "username".
. 2019-02-01 13:45:42.873 Server offered these authentication methods: publickey
. 2019-02-01 13:45:42.873 Offered public key
. 2019-02-01 13:45:42.904 Offer of public key accepted
! 2019-02-01 13:45:42.904 Authenticating with public key "imported-openssh-key"
. 2019-02-01 13:45:43.029 Sent public key signature
! 2019-02-01 13:45:43.060 Further authentication required
. 2019-02-01 13:45:43.107 Further authentication required
. 2019-02-01 13:45:43.107 Server offered these authentication methods: password
. 2019-02-01 13:45:43.107 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2019-02-01 13:45:45.967 Sent password
. 2019-02-01 13:45:45.999 Access granted
. 2019-02-01 13:45:45.999 Opening session as main channel
. 2019-02-01 13:45:46.514 Network error: Software caused connection abort
* 2019-02-01 13:45:46.530 (EFatal) Network error: Software caused connection abort
* 2019-02-01 13:45:46.530 Authentication log (see session log for details):
* 2019-02-01 13:45:46.530 Using username "username".
* 2019-02-01 13:45:46.530 Authenticating with public key "imported-openssh-key".
* 2019-02-01 13:45:46.530 Further authentication required
* 2019-02-01 13:45:46.530 
* 2019-02-01 13:45:46.530 Authentication failed.

Users who are not members of the "sftponly" group can use two-factor authentication as expected.

Does anyone know why users who are members of the "sftponly" group cannot log in with two-factor authentication?


Answer 1:

The problem you are running into is caused by the file and owner permissions of the user's home folder.

chown root:root /home/username
chmod 755 /home/username
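The chown/chmod in the answer is exactly the rule sshd enforces for ChrootDirectory: every component of the path must be a root-owned directory that is not writable by group or others, and when that rule fails sshd drops the session right after authentication, which matches the "Access granted" followed by "connection abort" in the log above. The following shell checker is an added example, not part of the original question or answer, that walks the path and reports each offending component. It assumes GNU stat on Linux; the STOP_DIR and OWNER_UID parameters are my own additions so the check can be exercised against a scratch directory tree, whereas sshd itself always checks all the way up to / and always requires root ownership.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory meets
# sshd's ChrootDirectory requirement, i.e. every path component up to STOP_DIR
# is a directory owned by OWNER_UID with no group or world write permission.
# Relies on GNU stat (-c '%u' and -c '%A').
#
# Usage: check_chroot_path DIR [STOP_DIR] [OWNER_UID]
#   STOP_DIR  - highest component to inspect (default "/", which is what sshd checks)
#   OWNER_UID - required owner (default 0 = root); only override this for testing
check_chroot_path() {
  dir=$1
  stop=${2:-/}
  want_uid=${3:-0}
  rc=0
  p=$dir
  while :; do
    if [ ! -d "$p" ]; then
      echo "BAD: $p is not a directory"
      rc=1
    else
      uid=$(stat -c '%u' "$p")
      mode=$(stat -c '%A' "$p")   # e.g. drwxr-xr-x
      if [ "$uid" != "$want_uid" ]; then
        echo "BAD: $p is owned by uid $uid, expected $want_uid"
        rc=1
      fi
      # 6th character is the group write bit, 9th is the world write bit
      case $mode in
        ?????w*|????????w*)
          echo "BAD: $p ($mode) is writable by group or others"
          rc=1 ;;
      esac
    fi
    [ "$p" = "$stop" ] && break
    next=$(dirname "$p")
    [ "$next" = "$p" ] && break   # reached "/" without meeting STOP_DIR
    p=$next
  done
  if [ "$rc" -eq 0 ]; then
    echo "OK: $dir is usable as ChrootDirectory"
  fi
  return "$rc"
}

# Stand-alone use: sh check_chroot.sh /home/username
if [ $# -gt 0 ]; then
  check_chroot_path "$@"
fi
```

Because the chroot root must be owned by root, the user cannot create files directly in it; the usual pattern is a user-owned subdirectory inside the chroot (for example a `upload` directory under the home) where the SFTP user actually writes.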
