#ssh与sftp的端口分离的搭建方法
#sshd.service
1.#判断状态
#sftp服务依赖于ssh能否正常启动,因此必须先确认ssh已启动
[root@ecs-75912 ~]# systemctl status sshd.service
2.#拷贝sftp所需的文件
2.1#sshd.service 内容(一部分linux7用的是sshd.socket,可以在目录下加入这个文件)
/usr/lib/systemd/system/sshd.service
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target
[Service]
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
#EnvironmentFile=-/etc/sysconfig/sshd
#ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
#拷贝文件并建立软链接
[root@ecs-75912~]#cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sftpd.service
[root@ecs-75912 ~]# cat /etc/systemd/system/sftpd.service
[root@ecs-75912 ~]# cp /etc/pam.d/sshd /etc/pam.d/sftpd
[root@ecs-75912 ~]# cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
[root@ecs-75912 ~]# ln -sf /usr/sbin/service /usr/sbin/rcsftpd
[root@ecs-75912 ~]# ln -sf /usr/sbin/sshd /usr/sbin/sftpd
[root@ecs-75912 ~]# cp /etc/sysconfig/sshd /etc/sysconfig/sftp
[root@ecs-75912 ~]# cp /var/run/sshd.pid /var/run/sftpd.pid
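3.清空/var/run/目录下的sftp.pid文件内容(注意:第2步拷贝出的文件是/var/run/sftpd.pid,下一行命令写的是/var/run/sftpd/pid,第5步的PidFile又是/var/run/sftp.pid;三处应统一为同一个路径)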
#>/var/run/sftpd/pid
4.#修改好复制好的文件
vim /etc/systemd/system/sftpd.service
[Unit]
#Description=OpenSSH server daemon
#修改
Description=sftpd server daemon
#添加
Type=notify
EnvironmentFile=/etc/sysconfig/sftp
ExecStart=/usr/sbin/sftpd -f /etc/ssh/sftpd_config
5.#修改/etc/ssh/sftpd_config(以下是sshd_config的配置项,不是service文件的内容)
#添加
Port 8022
#修改
PidFile /var/run/sftp.pid
#注释掉这一行
#Subsystem sftp /usr/libexec/openssh/sftp-server
#将PermitRootLogin从yes 改为no
PermitRootLogin no
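#添加(PasswordAuthentication yes 表示该端口允许口令登录,可按需改用密钥认证;下面的Match块没有配置ChrootDirectory,sftpuser仍能访问其有权限读取的系统目录,如需限制在指定目录内应另行配置)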
PasswordAuthentication yes
UseDNS no
Subsystem sftp internal-sftp
Match User sftpuser
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
6.#创建sftp专用账户(账户名需与第5步Match User以及第9步测试所用的用户名一致;文中Match User和测试用的是sftpuser,这里创建的是jsyhsftp)
#useradd jsyhsftp
#passwd jsyhsftp
# usermod -s /bin/false jsyhsftp
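7.#禁用selinux(这会关闭整机的强制访问控制;如果只是为了让sshd监听8022端口,可以先尝试用 semanage port -a -t ssh_port_t -p tcp 8022 放行端口,而不必禁用SELinux)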
[root@ecs-75912 ~]# setenforce 0
setenforce: SELinux is disabled
[root@ecs-75912~]#
sed -i "s/^SELINUX\=enforcing/SELINUX\=disabled/g" /etc/selinux/config
8#启动
[root@ecs-75912 ~]# systemctl daemon-reload
[root@ecs-75912 ~]# systemctl start sftpd
9#测试
[root@ecs-75912 ~]# sftp -P 8022 sftpuser@localhost
The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be established.
ECDSA key fingerprint is SHA256:mM+2QZCucOtVZo+kwhTWgHvdrVeCmbZdu2mHVMmI8KA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8022' (ECDSA) to the list of known hosts.
sftpuser@localhost's password:
Connected to sftpuser@localhost.
sftp>
10#开机自动启动(需要关机重启)
[root@ecs-75912 ~]# systemctl enable sshd.service
[root@ecs-75912 ~]# systemctl enable sftpd.service