Problem Background:
To harden a Linux server, a given user must, after logging in over SSH, be confined to a specified directory and be able to run only the specified commands or scripts.
Solution:
Modify the PAM stack that sshd uses for logins
[root@localhost ~]# vi /etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    required     pam_chroot.so      (this is the line we add by hand)
Create the user's jail directory tree
[root@localhost ~]# mkdir -p /virtual_root/chroot/lib
[root@localhost ~]# mkdir -p /virtual_root/chroot/etc
[root@localhost ~]# mkdir -p /virtual_root/chroot/bin
[root@localhost ~]# mkdir -p /virtual_root/chroot/home/ziyang
(/etc/passwd must already contain a user named ziyang)
[root@localhost ~]# chown ziyang:ziyang /virtual_root/chroot/home/ziyang
Modify the chroot configuration file
[root@localhost ~]# vi /etc/security/chroot.conf
ziyang /virtual_root/chroot
(add this line by hand; it confines ziyang to /virtual_root/chroot.
Note: this only affects logins through ssh, because the pam_chroot.so line was added to /etc/pam.d/sshd alone. A user logging in on the local console is not chrooted; the same confinement can be applied to console logins by adding the pam_chroot.so line to the PAM service file used by login.)
Set up the user's permissions and the commands available to them
[root@localhost ~]# cp /lib/ld-linux.so.2 /lib/libc.so.6 /lib/libdl.so.2 /lib/libtermcap.so.2 /virtual_root/chroot/lib
[root@localhost ~]# cp /bin/bash /virtual_root/chroot/bin
[root@localhost ~]# grep '^ziyang:' /etc/passwd > /virtual_root/chroot/etc/passwd
(The four libraries above are what /bin/bash needed on the author's 32-bit system; the exact set depends on the distribution and architecture, so check with ldd /bin/bash before copying. Anchoring the grep pattern with ^ and : copies only the ziyang entry, not every account whose name happens to contain that string.)
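The whole procedure above, collected into one script, as an added example that is not part of the original post. It goes beyond the post in three places: it asks ldd(1) which shared objects /bin/bash actually needs instead of hard-coding the 32-bit library list, it matches the passwd entry by exact user name rather than by substring, and it appends the pam_chroot.so line only if it is not already present. The user name and jail path are parameters defaulting to the post's ziyang and /virtual_root/chroot; the install step is an assumption about the host and needs root on a Linux system that has ldd, pam_chroot.so and /etc/security/chroot.conf.

```shell
#!/bin/sh
# Added example (not from the original post): build the pam_chroot jail
# described above. Assumes a Linux host with ldd(1), pam_chroot.so and
# /etc/security/chroot.conf; run "sh build_jail.sh install" as root.
# The helpers are plain POSIX sh and take their paths as arguments so
# each piece can be exercised without root.

JAIL_USER="${JAIL_USER:-ziyang}"              # assumed default from the post
JAIL_ROOT="${JAIL_ROOT:-/virtual_root/chroot}" # assumed default from the post

# Create the skeleton directories inside the jail.
make_layout() {
    root="$1"; user="$2"
    mkdir -p "$root/lib" "$root/etc" "$root/bin" "$root/home/$user"
}

# Parse ldd(1) output on stdin into one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips vdso entries, which have no file.
deps_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy a binary and every shared object it needs into the jail, keeping
# the original directory layout so the dynamic loader can find them.
install_bin() {
    root="$1"; bin="$2"
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    ldd "$bin" | deps_from_ldd | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Print the jailed user's line from passwd file $1, matched on the exact
# user name $2 so "ziyang" does not also pull in "ziyang2".
passwd_entry() {
    awk -F: -v u="$2" '$1 == u' "$1"
}

# The line pam_chroot.so expects in /etc/security/chroot.conf.
chroot_conf_line() {
    printf '%s %s\n' "$1" "$2"
}

# True if the PAM stack in file $1 already loads pam_chroot.so in the session phase.
pam_has_chroot() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_chroot\.so' "$1"
}

main() {
    make_layout "$JAIL_ROOT" "$JAIL_USER"
    install_bin "$JAIL_ROOT" /bin/bash
    passwd_entry /etc/passwd "$JAIL_USER" > "$JAIL_ROOT/etc/passwd"
    chown "$JAIL_USER:$JAIL_USER" "$JAIL_ROOT/home/$JAIL_USER"
    chroot_conf_line "$JAIL_USER" "$JAIL_ROOT" >> /etc/security/chroot.conf
    pam_has_chroot /etc/pam.d/sshd || \
        printf 'session    required     pam_chroot.so\n' >> /etc/pam.d/sshd
    # Sanity check: bash must start inside the jail with the copied libraries.
    chroot "$JAIL_ROOT" /bin/bash -c 'echo jail ok'
}

if [ "${1:-}" = install ]; then
    main
fi
```

To let the jailed user run one more command, call install_bin with that program's path; ldd pulls in whatever that program links against, which is the step the post does by hand with the cp of four libraries.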
Application testing
Log in to the Linux server over ssh from another host as ziyang. You will find that the user is confined to /virtual_root/chroot (which appears to them as /), and that apart from bash's own builtins no commands are available, because /bin/bash is the only program inside the jail. To allow specific commands or scripts, copy each of them, together with the libraries ldd reports for it, into the jail in the same way.
Caveats: a chroot is not a security boundary against root, so never place setuid binaries or a writable copy of /etc/passwd inside the jail. pam_chroot.so is not shipped with every distribution's Linux-PAM; on hosts without it, OpenSSH's own ChrootDirectory option in sshd_config (inside a Match User block) achieves the same confinement without PAM, and it requires every component of the jail path to be owned by root and not writable by any other user.
This article is from the "history_xcy" blog; please keep this link when reproducing it: http://historys.blog.51cto.com/7903899/1295255