Use pam chroot to restrict logon to users through SSH

Source: Internet
Author: User


Many people have written articles about using pam_chroot to confine remotely logged-in users, but most of them leave out a step, so the setup ends up unusable. This article lists the steps that actually make the pam_chroot module work with ssh.

The PAM mechanism in Linux is not described here; only the implementation steps are given:

1. Make sure the installed OpenSSH supports PAM, which means it must have been built with --with-pam. Once it is built with --with-pam, PAM is enabled by changing "UsePAM no" to "UsePAM yes" in sshd_config. If OpenSSH was built without --with-pam, enabling that option and restarting sshd produces the error "Unsupported option UsePAM". Building with --with-pam also requires the PAM development package (pam-devel); without it, configure fails because it cannot find the PAM header.

2. Create a user named push and set a password for it. The password is required; otherwise the user cannot log in.

3. Create the directory /home/test as the virtual root directory of user push. This is the directory the script in step 5 populates and the one that goes into chroot.conf in step 8, so the same path must be used everywhere. It must be owned by root and not writable by push.

4. Copy /bin and /lib64 into /home/test. On a 32-bit system copy the /lib directory instead:
cp -a /bin /home/test/ && cp -a /lib64 /home/test/

5. Copy the following script to /home/test and run it as root. The original article gives the script as one run-on line; it is broken out here with its own comments kept:

#!/bin/bash
# Run as root. The brace expansions below need bash, not a plain POSIX sh.
CHROOT_DIR="/home/test"
mkdir -p $CHROOT_DIR/{dev,proc,dev/pts}
# The proc file system must be mounted; after logging in you will see many files and subdirectories under it.
mount proc $CHROOT_DIR/proc -t proc
# The devpts file system is required to get a terminal.
mount devpts $CHROOT_DIR/dev/pts -t devpts
# ptmx is required after login as the master device of the pseudo terminal.
# (The original chmod targeted the host's /dev/ptmx; the node inside the chroot is the one that needs it.)
mknod $CHROOT_DIR/dev/ptmx c 5 2
chmod 666 $CHROOT_DIR/dev/ptmx
# Required: the user's home directory.
mkdir -p $CHROOT_DIR/{home,home/push}
chmod ugo+rw $CHROOT_DIR/home/push
# The remaining paths are relative to the chroot directory.
cd $CHROOT_DIR
# Required: the libraries needed to run bash and the other copied programs.
mkdir -p lib64
cp -a /lib64/* lib64/
# If these are missing, login still works, but the commands cannot be run.
mkdir -p bin
cp -a /bin/rmdir bin/
cp -a /bin/rm bin/
cp -a /bin/bash bin/
cp -a /bin/mkdir bin/
cp -a /bin/pwd bin/
cp -a /bin/ls bin/
# Required: user information is looked up in this file after login. If it is missing,
# sshd run in debug mode reports: login_init_entry: Cannot find user "push"
mkdir -p etc
cp -a /etc/passwd etc/

Two things in this script deserve tightening before use on a real host. The home directory does not need to be world-writable; chown it to push and give it mode 700. And the chroot does not need the whole of /etc/passwd, which lists every account on the host; a file containing only the push line is enough, since authentication with pam_unix happens before the chroot and only the name, home and shell are looked up afterwards. Whatever shell the passwd line names must exist inside the chroot (here /bin/bash).



6. Add UsePAM yes to the openssh configuration file sshd_config.

7. Open /etc/pam.d/sshd and change it to the following content:
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_chroot.so

8. Open /etc/security/chroot.conf and add the line "push /home/test": the user name, then the chroot directory, which must be the directory built in steps 3 to 5. pam_chroot treats the first field as a pattern matched against the user name, so write it as ^push$ if other account names start with "push".

9. Restart sshd.

Then log in as push with an ssh client. Keep an existing root session open while testing, because a mistake in /etc/pam.d/sshd can lock every user out. If the login fails, start a second sshd in debug mode on a spare port (sshd -d -p <port>) and watch for messages such as the login_init_entry error mentioned in step 5. Note that OpenSSH 4.8 and later has a built-in ChrootDirectory option in sshd_config, which avoids the pam_chroot module entirely; the steps above are for older builds or for sites that prefer to do the confinement in PAM.
