欢迎各位兄弟 发布技术文章

这里的技术是共享的

You are here

使用 ProFTPD 和 Rails 的 SFTP 虚拟用户:第 1 部分 有大用

我最近参与了一个 Rails 3.2 项目,该项目使用PLupload JavaScript/Flash 上传工具将文件上传到 Web 应用程序。为了让用户更轻松地将大型和/或远程文件上传到应用程序,我们还想让他们通过 SFTP 上传。问题是,我们的用户在我们的服务器上没有 SFTP 帐户,我们不想参与创建和管理 SFTP 帐户的业务。输入:ProFTPD和虚拟用户。

ProFTPD 的虚拟用户概念允许您将 ProFTPD 指向 SQL 数据库以进行用户和组身份验证。这意味着 SFTP 登录不需要实际的系统登录(尽管您可以根据需要混合搭配)。当然,这非常适合动态创建和销毁 SFTP 帐户。让您的 Web 应用程序能够创建一次性 SFTP 凭据并在用户使用完它们后自动清理,并且您拥有一个自我维护的系统。

从里到外开始,您需要配置 ProFTPD 以启用虚拟用户。以下是我们的 proftpd.conf 中的相关部分:

##
# Begin proftpd.conf excerpt. For explanation of individual config directives, see the 
# great ProFTPD docs at http://www.proftpd.org/docs/directives/configuration_full.html
##
DefaultServer off
Umask 002
AllowOverwrite on

# Don't reference /etc/ftpusers
UseFtpUsers off

<ifmodule mod_sftp.c="">

# Enable SFTP
SFTPEngine on

# Enable SQL based authentication
SQLAuthenticate on

# From http://www.proftpd.org/docs/howto/CreateHome.html
# Note that the CreateHome params are kind of touchy and easy to break.
CreateHome on 770 dirmode 770 uid ~ gid ~

# chroot them to their home directory
DefaultRoot ~

# Defines the expected format of the passwd database field contents. Hint: An
# encrypted password will look something like: {sha1}IRYEEXBUxvtZSx3j8n7hJmYR7vg=
SQLAuthTypes OpenSSL

# That '*' makes that module authoritative and prevents proftpd from
# falling through to system logins, etc
AuthOrder mod_sql.c*

# sftp_users and sftp_groups are the database tables that must be defined with
# the proceeding column names. You can have other columns in these tables and
# ProFTPD will leave them alone. The sftp_groups table can be empty, but it must exist.
SQLUserInfo sftp_users username passwd uid sftp_group_id homedir shell
SQLGroupInfo sftp_groups name id members

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

SFTPCompression delayed
SFTPAuthMethods password
RequireValidShell no

# SQLLogFile is very verbose, but helpful for debugging while you're getting this working
SQLLogFile /var/log/proftpd_sql.sql

## Customize these for production
SQLConnectInfo database@localhost:5432 dbuser dbpassword

# The UID and GID values here are set to match the user that runs our web app because our
# web app needs to read and delete files uploaded via SFTP. Naturally, that is outside
# the requirements of a basic virtual user setup. But in our case, our web app user needs
# to be able to cd into a virtual user's homedir, and run a `ls` in there. Also, note that
# setting these two IDs here (instead of in our sftp_users table) *only* makes sense if
# you are using the DefaultRoot directive to chroot virtual users.
SQLDefaultUID  510
SQLDefaultGID  500

</ifmodule>

CreateHome 部分是最棘手的部分,要恰好适合我们的用例。但这有两个原因;我们需要我们的网络应用程序能够读取/删除上传的文件,并且我们想让 ProFTPD 自己创建这些主目录。(并且它只会在用户通过 SFTP 成功登录后创建该主目录。这意味着您可以在 UI 中更加自由地生成可能永远不会被使用的凭据,而不必担心大量的空主目录。)

这就是本文介绍性的“第 1 部分”。在第 2 部分中,我将展示我们如何生成凭据、显示这些凭据背后的工作流程以及处理这一切的 SftpUser ActiveRecord 模型。在第 3 部分中,我将通过运行我们的 Web 应用程序访问这些文件的确切方式以及它在完成后如何清理来结束。


来自  https://www.endpointdev.com/blog/2012/12/sftp-virtual-users-with-proftpd-and/


普通分类: