Comments: Logging sftp sessions in ssh-3.2 and locking users into their directories with chroot

I read your blog. Could I ask you a few questions about OPENJMS? Could you add me as an MSN contact? It won't take much of your time. Thanks.

Posted by fengchao at May 14, 2007 04:17 PM

Forgot to mention my MSN: fengchao723@hotmail.com

Posted by fenghcao at May 14, 2007 04:20 PM

Tidied up the script a bit; steps 4.2, 4.3 and 4.5 can now be done in this one script.
#!/bin/bash

#chroot user dir. by:vitter(zhangweizhi@world2.cn)2007.7

usage() {
    echo "Usage: $0 username /home/username" 1>&2
    exit 1
}
if [ $# -ne 2 ]; then
    usage
fi

user=$1
home=$2

SSH_PATH="/usr/local/sshd"
group="nobody"

# Create the account with ssh-dummy-shell as its shell so it can only use sftp,
# never an interactive login.
/usr/sbin/useradd -d "${home}" -g "${group}" -s "${SSH_PATH}/bin/ssh-dummy-shell" "${user}" || exit 1

# The user's home directory is the chroot root.
#CHROOT_PATH=`grep -E "^${user}:" /etc/passwd | awk -F':' '{print $6}'`
CHROOT_PATH=$home

/bin/mkdir -p "${CHROOT_PATH}${SSH_PATH}/bin"
/bin/mkdir -p "${CHROOT_PATH}/dev"

# copy_with_libs BIN: copy BIN into the jail at the same path, together with every
# shared library ldd reports for it. Only absolute paths are taken from the ldd
# output, so the "linux-vdso.so.1 => (0x...)" line and the bare dynamic-loader
# line ("/lib64/ld-linux-x86-64.so.2 (0x...)") are handled correctly.
copy_with_libs() {
    local bin="$1" lib
    /bin/cp -f "${bin}" "${CHROOT_PATH}${bin}"
    for lib in $(ldd "${bin}" | grep -o '/[^ ]*'); do
        [ -e "${CHROOT_PATH}$(dirname "${lib}")" ] || /bin/mkdir -p "${CHROOT_PATH}$(dirname "${lib}")"
        /bin/cp -f "${lib}" "${CHROOT_PATH}${lib}"
    done
}

# Hard links were the earlier approach (now commented out); they fail when the jail
# is on another filesystem, so the binaries are copied instead.
#/bin/ln $SSH_PATH/bin/sftp-server $CHROOT_PATH/$SSH_PATH/bin/sftp-server
#/bin/ln $SSH_PATH/bin/sftp-server2 $CHROOT_PATH/$SSH_PATH/bin/sftp-server2
#/bin/ln $SSH_PATH/bin/ssh-dummy-shell $CHROOT_PATH/$SSH_PATH/bin/ssh-dummy-shell
copy_with_libs "${SSH_PATH}/bin/sftp-server"
copy_with_libs "${SSH_PATH}/bin/sftp-server2"
copy_with_libs "${SSH_PATH}/bin/ssh-dummy-shell"

/sbin/service syslog restart

Posted by vitter at July 5, 2007 12:46 PM
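As an added example, not part of vitter's comment or of the original page, the following checks a jail built the way the script above builds it (the user's home as jail root, binaries under usr/local/sshd/bin inside it, libraries copied to their host paths). It parses ldd output taking only absolute paths, so the vdso line and the bare dynamic-loader line are handled, lists the libraries a binary still lacks inside the jail, and flags anything in the jail that the jailed user's group or anyone else can write to, since a jail whose root or binaries the user can modify is not a boundary. Nothing here depends on the particular sftp-server; the paths in the usage comment are the thread's.

```shell
#!/bin/bash
# Added example, not code from the original post: verify a chroot jail built by
# the script above. Assumed layout: the user's home is the jail root, binaries sit
# under $JAIL/usr/local/sshd/bin, libraries are copied to their host paths.

# parse_ldd: read ldd output on stdin and print only the absolute library paths.
# Handles the three line shapes ldd prints:
#   linux-vdso.so.1 =>  (0x00007ffd...)          -> no path, skipped
#   libc.so.6 => /lib64/libc.so.6 (0x00007f...)  -> /lib64/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)    -> /lib64/ld-linux-x86-64.so.2
# A plain `awk '{print $3}'` emits "(0x...)" for the first and nothing for the last.
parse_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# missing_libs JAIL BIN: libraries of the host binary BIN that are absent under JAIL.
missing_libs() {
    local jail="$1" bin="$2" lib
    ldd "$bin" | parse_ldd | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# writable_by_others JAIL: every file or directory in the jail that group or world
# can write to (symlinks are skipped, they always show mode 777). If the jailed user
# can write to the jail root or to the directory holding sftp-server, the chroot
# protects nothing.
writable_by_others() {
    find "$1" ! -type l -perm /022 -print
}

# check_jail JAIL BIN...: run both checks, print findings, return 1 on any problem.
check_jail() {
    local jail="$1" bin rc=0 out
    shift
    out=$(writable_by_others "$jail")
    if [ -n "$out" ]; then
        printf 'group/world-writable inside jail:\n%s\n' "$out"
        rc=1
    fi
    for bin in "$@"; do
        [ -x "$jail$bin" ] || { echo "binary missing in jail: $jail$bin"; rc=1; }
        out=$(missing_libs "$jail" "$bin")
        if [ -n "$out" ]; then
            printf 'libraries missing in jail for %s:\n%s\n' "$bin" "$out"
            rc=1
        fi
    done
    return $rc
}

# Usage, with the paths from the thread:
#   check_jail /home/username /usr/local/sshd/bin/sftp-server /usr/local/sshd/bin/ssh-dummy-shell
```

Run check_jail after the script above has populated a user's jail; a clean run prints nothing and exits 0. The `-perm /022` form is GNU find.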

Your trick really works; following it I got it running. But I have a question: if I want to use key authentication instead of passwords, how do I do that? Because this is ssh I don't know how; with openssh it would be easy.

Posted by yy at February 29, 2008 11:34 AM

Why is it all in English? I can't read it. Can my site be turned into a blog? www.akux.cn

Posted by 门禁考勤 at August 14, 2008 11:38 PM

If you want to use key authentication instead of password authentication, do the following; it is simple:

1. On the sftp client machine (Linux), generate the key pair with ssh's ssh-keygen2. Note that if openssh is installed and has not been removed, take care not to use its tool by mistake. /usr/local/sshd/bin/ssh-keygen2 produces the following:
[root@web-host5 ~]# /usr/local/ssh/bin/ssh-keygen2 (you can of course add parameters; see the command's help at http://www.ssh.com/support/documentation/online/ssh/winhelp/40/ssh-keygen2.html)
Generating 2048-bit dsa key pair
11 o.oOo.oOoo.o
Key generated.
2048-bit dsa, root@web-host5, Tue Aug 18 2009 19:40:35 +0800
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to /root/.ssh2/id_dsa_2048_a
Public key saved to /root/.ssh2/id_dsa_2048_a.pub
Without parameters, three files are created in the user's .ssh2 directory: id_dsa_2048_a, id_dsa_2048_a.pub and random_seed; the default is a 2048-bit DSA key.

For an ordinary user it is the same; generate the key pair as that user:
[sftptest@web-host5 ~]$ /usr/local/ssh/bin/ssh-keygen
Generating 2048-bit dsa key pair
5 .oOo.oOo.oOo
Key generated.
2048-bit dsa, sftptest@manager, Tue Aug 18 2009 12:19:41 +0800
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to /export/sftptest/.ssh2/id_dsa_2048_a
Public key saved to /export/sftptest/.ssh2/id_dsa_2048_a.pub
Likewise, on a Windows client machine, generate it with ssh-keygen2.exe.
2. On the server, in the user's upload chroot directory, create a .ssh2 directory in the same parent directory as dev and the others.
3. scp the id_dsa_2048_a.pub file from the user's .ssh2 directory on the client to the .ssh2 directory just created on the server:
[root@web-host5 ~]# scp .ssh2/id_dsa_2048_a.pub sftptest@172.16.16.11:/.ssh2/
4. In the server's .ssh2 directory, create a file named authorization with the following content:
Key id_dsa_2048_a.pub
This names the public key generated on the client. Authentication depends entirely on this; several can be listed, one per line.
[root@web-host5 ~]# ls
authorization id_dsa_2048_a.pub
5. Back on the client, in the .ssh directory of the user you connect as, i.e. the user that generated the key with ssh-keygen2, create a file named identification with the following content:
IdKey id_dsa_2048_a
This is the private key the client uses when connecting; without it we cannot connect either.
Then you can log in with /usr/local/ssh/bin/sftp. You must use ssh's sftp here, not the system's default openssh sftp, because the identification file we configured above is ssh's.
[root@web-host5 ~]# /usr/local/ssh/bin/sftp -oPort=22222 sftptest@172.16.16.11
sftp> quit
Login succeeded; the same goes for an ordinary account:
[sftptest@web-host5 ~]$ /usr/local/ssh/bin/sftp -oPort=22222 172.16.16.11
sftp> quit

Posted by vitter at August 18, 2009 12:52 PM
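As a second added example, again not from the comment above or from the ssh.com product, this checks the server-side pieces of steps 2 to 4: that authorization exists in the jail's .ssh2 directory, that every file named on a Key line is present beside it, and that each such file is in the SSH2 public-key format ssh-keygen2 writes (header line `---- BEGIN SSH2 PUBLIC KEY ----`) rather than an OpenSSH one-line key, which is the usual mix-up when both suites are installed. Only the Key keyword the comment uses is handled; the jail layout is assumed to be the one from the thread.

```shell
#!/bin/bash
# Added example, not from the original comment: check the server side of the
# key-authentication setup (steps 2-4). Assumed layout, as in the thread:
#   $JAIL/.ssh2/authorization   with lines "Key <pubkey file>"
#   $JAIL/.ssh2/<pubkey file>   the SSH2-format public key copied from the client

# authorized_key_files AUTHFILE: the file names from "Key" lines; blank lines,
# comments and any other keyword are ignored.
authorized_key_files() {
    awk '$1 == "Key" { print $2 }' "$1"
}

# is_ssh2_pubkey FILE: true if FILE begins with the header ssh-keygen2 writes.
# An OpenSSH one-line key ("ssh-dss AAAA...") does not pass this test.
is_ssh2_pubkey() {
    [ "$(head -n 1 "$1")" = "---- BEGIN SSH2 PUBLIC KEY ----" ]
}

# check_authorization JAIL: print one line per problem; return 1 if any was found.
check_authorization() {
    local dir="$1/.ssh2" key rc=0
    if [ ! -f "$dir/authorization" ]; then
        echo "missing: $dir/authorization"
        return 1
    fi
    # Key file names carry no whitespace, so word splitting here is safe.
    for key in $(authorized_key_files "$dir/authorization"); do
        if [ ! -f "$dir/$key" ]; then
            echo "key file named in authorization is missing: $dir/$key"
            rc=1
        elif ! is_ssh2_pubkey "$dir/$key"; then
            echo "not an SSH2 public key file: $dir/$key"
            rc=1
        fi
    done
    return $rc
}

# Usage, with the jail from the thread:
#   check_authorization /home/sftptest
```

Run it after step 4; a clean setup prints nothing and exits 0, and a failed key login is usually explained by one of the two messages it prints.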