Build an OpenSSH stepping-stone server using CentOS

Source: Internet
Author: User
Tags: openssh server
Deployment background: a customer recently asked us to deploy a login stepping-stone server in the company's IDC, so that users first log on to that server and then ssh on to the other servers. Specific requirements: 1) to maximize security, ordinary users may only execute ssh, ls and a limited set of other basic commands after logging on to the stepping-stone server; 2) lock each normal user into a specific directory, so that even if one user is hacked, other users are not affected.

Requirement analysis:
According to the customer's requirements, an OpenSSH server must be built and the restriction implemented with the ssh + chroot function. For versions earlier than OpenSSH 4.8p1, a third-party patch is required to support chroot; since OpenSSH 4.8p1 the chroot function is built in, so it can be set up directly on the server system (CentOS 5.5).

System platform:
CentOS 5.5 i386
OpenSSH 5.6p1
zlib-1.2.5
OpenSSL-1.0.0c

In CentOS 5.5 the bundled OpenSSH version is 4.3p2. I chose to upgrade past 4.8p1 to the current latest version, 5.6p1. For details about how to upgrade to OpenSSH 5.6p1, refer to my article: upgrading OpenSSH-4.3p2 to 5.6p1 under CentOS 5.5


According to the sshd_config man page, the chroot function is enabled by configuring the "ChrootDirectory" parameter.

ChrootDirectory: defines the directory the user is chrooted into after authentication succeeds. This directory and all its subdirectories must be owned by root and writable only by root; no other group or account may have write access to them. After the chroot, sshd changes the user's working directory to the user's home directory inside the chroot directory. If there is no matching /home/username directory under the ChrootDirectory, the user is placed directly in the / of the chroot.

The detailed configuration process is as follows:


1. Create the user ait (without creating its default home directory)
[root@server ~]# useradd -M ait
[root@server ~]# passwd ait
2. Modify the /etc/ssh/sshd_config file
[root@server ~]# vi /etc/ssh/sshd_config    # add the following lines
Match User ait
    ChrootDirectory /var/chroot
Note: the chroot directory is /var/chroot.
[root@server ~]# /etc/init.d/sshd restart    # restart the SSH service
3. Build a basic chroot environment
Tips:
A basic chroot environment needs at least one shell (such as sh or bash) and some necessary system device files (such as /dev/null and /dev/zero). If you want to allow users to execute some commands, you also need to provide the executable files and the library files those commands depend on.

[root@server ~]# mkdir /var/chroot
[root@server ~]# cd /var/chroot
[root@server chroot]# mkdir {bin,dev,lib,lib64,etc,home}
[root@server chroot]# mknod dev/null c 1 3
[root@server chroot]# mknod dev/zero c 1 5

# Optional. The ssh command needs these two device files; if they are missing it reports "PRNG is not seeded".
[root@server chroot]# mknod dev/random c 1 8
[root@server chroot]# mknod dev/urandom c 1 9

# Optional. The ssh command needs this device; if it is missing, "Host key verification failed" is reported.
[root@server chroot]# mknod dev/tty c 5 0

# Set the owner of /var/chroot and its subdirectories, and fix the permissions
[root@server chroot]# chown -R root.root /var/chroot
[root@server chroot]# chmod -R 755 /var/chroot

# Allow users to write to these device files; if they cannot be written, some commands will report errors.
[root@server chroot]# chmod 0666 dev/{null,zero,tty}

The executables the user will run, and the libraries they depend on, are copied to the corresponding locations inside the chroot. For example, to give the user a usable shell we normally use /bin/bash; run ldd to see what it needs:
[root@server chroot]# ldd /bin/bash
linux-gate.so.1 => (0x00572000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0x0388b000)
libdl.so.2 => /lib/libdl.so.2 (0x00839000)
libc.so.6 => /lib/libc.so.6 (0x006b3000)
/lib/ld-linux.so.2 (0x0068f000)
This shows that /bin/bash depends on the following files to execute correctly:
/lib/libtermcap.so.2
/lib/libdl.so.2
/lib/libc.so.6
/lib/ld-linux.so.2
So we copy /bin/bash and the corresponding library files to the corresponding locations:
[root@server chroot]# cp -p /bin/bash /var/chroot/bin
[root@server chroot]# cp -p /lib/libtermcap.so.2 /var/chroot/lib
[root@server chroot]# cp -p /lib/libdl.so.2 /var/chroot/lib
[root@server chroot]# cp -p /lib/libc.so.6 /var/chroot/lib
[root@server chroot]# cp -p /lib/ld-linux.so.2 /var/chroot/lib

Similar to the above, you can perform this operation on each file that you want to allow the user to execute.

This only illustrates the process; in practice you should use a script. I copied a script from a website (named shell.sh here) and adapted it to the following:

#!/bin/bash
# List of commands to allow inside the chroot
cmdlist="/bin/bash /bin/ls /bin/cp /bin/mkdir /bin/mv /bin/rm /bin/rmdir"

# Chroot path
chroot_path="/var/chroot"

# Identify the dependent library files: the dynamic loader appears in
# column 1 of the ldd output, the other libraries in column 3
lib_1=$(ldd $cmdlist | awk '{print $1}' | grep "/lib" | sort | uniq)
lib_2=$(ldd $cmdlist | awk '{print $3}' | grep "/lib" | sort | uniq)

# Copy the command files
for i in $cmdlist
do
    cp -a $i $chroot_path/bin/ && echo "$i done"
done

# Copy the dependent library files (this box is i386, so lib; on x86_64 it would be lib64)
for j in $lib_1
do
    cp -f $j $chroot_path/lib/ && echo "$j done"
done

for k in $lib_2
do
    cp -f $k $chroot_path/lib/ && echo "$k done"
done


[root@server chroot]# ll
total 28
drwxr-xr-x 2 root 4096 02-25 05:47 bin
drwxr-xr-x 2 root 4096 02-25 05:36 dev
drwxr-xr-x 2 root 4096 02-25 05:35 etc
drwxr-xr-x 2 root 4096 02-25 05:35 home
drwxr-xr-x 2 root 4096 02-25 05:51 lib
drwxr-xr-x 2 root 4096 02-25 05:35 lib64
-rw-r--r-- 1 root  665 02-25 06:50 shell.sh
[root@server chroot]# chmod 755 shell.sh
[root@server chroot]# ./shell.sh
/bin/bash done
/bin/ls done
/bin/cp done
/bin/mkdir done
/bin/mv done
/bin/rm done
/bin/rmdir done
/lib/ld-linux.so.2 done
/lib/libacl.so.1 done
/lib/libattr.so.1 done
/lib/libc.so.6 done
/lib/libdl.so.2 done
/lib/libpthread.so.0 done
/lib/librt.so.1 done
/lib/libselinux.so.1 done
/lib/libsepol.so.1 done
/lib/libtermcap.so.2 done

Copy /etc/passwd and /etc/group to /var/chroot/etc and delete every account other than the user and root. Without these two files, the user sees "I have no name!" after logging on.
[root@server chroot]# cp -p /etc/passwd /var/chroot/etc/
[root@server chroot]# cp -p /etc/group /var/chroot/etc/
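Instead of editing the copied files by hand, the following added example (not from the original article) derives the jail's passwd and group files from the host copies, keeping only root and the jailed user plus the groups that list that user as a member. It uses only awk; the function names, the sample entries and the user name ait are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: derive the jail's /etc/passwd
# and /etc/group from the host copies, keeping only root and the jailed user
# (plus the groups that list the user as a member), instead of editing by hand.
# Only awk is used; the file paths and the user name are arguments.

# Print the passwd entries for root and the named user.
prune_passwd() {   # $1 = host passwd file, $2 = jailed user
    awk -F: -v u="$2" '$1 == "root" || $1 == u' "$1"
}

# Print group entries named root or the user, or listing the user as a
# supplementary member in the fourth field.
prune_group() {    # $1 = host group file, $2 = jailed user
    awk -F: -v u="$2" '
        $1 == "root" || $1 == u { print; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print; break }
        }' "$1"
}

# Constructed sample input standing in for the host files (not real data).
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bin:x:1:1:bin:/bin:/sbin/nologin' \
                  'ait:x:500:500::/home/ait:/bin/bash' \
                  'bob:x:501:501::/home/bob:/bin/bash'
}
sample_group() {
    printf '%s\n' 'root:x:0:' 'bin:x:1:root,bin' 'ait:x:500:' \
                  'users:x:100:ait,bob' 'bob:x:501:'
}

# Write the pruned files into the jail, e.g.:  build_jail_etc /var/chroot ait
build_jail_etc() { # $1 = chroot path, $2 = jailed user
    prune_passwd /etc/passwd "$2" > "$1/etc/passwd"
    prune_group  /etc/group  "$2" > "$1/etc/group"
    chmod 644 "$1/etc/passwd" "$1/etc/group"
}
```

With the sample data, prune_passwd keeps only root and ait, and prune_group keeps root, ait and users (the group that lists ait) while dropping bin and bob.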


4. Create the user's home directory inside the chroot directory
[root@server chroot]# mkdir /var/chroot/home/ait
[root@server chroot]# chown -R ait /var/chroot/home/ait
[root@server chroot]# chmod 700 /var/chroot/home/ait
OK. Now you can test the configuration. Log on over ssh with the ait account; you can see that ait is confined to its home directory /home/ait. Running a few commands shows that only the copied commands can be executed and nothing else works.
-bash-3.2$ pwd
/home/ait
-bash-3.2$ ls
-bash-3.2$ mkdir ait_test
-bash-3.2$ ls
ait_test
-bash-3.2$ ll
-bash: ll: command not found