OpenSSH Server 6.1 Portable Chroot deployment process



Enabling SSH's powerful chroot capabilities


Before OpenSSH 4.8p1, chroot support required third-party patches. Since 4.8p1 the ChrootDirectory directive is built in, so it can be set up directly on the server system (here CentOS 5.5).




1. So that a failed upgrade cannot lock you out of the server, temporarily open Telnet access as a standby before upgrading. Telnet is cleartext, so keep it reachable only from the management network and only for the upgrade window; where it is an option, the parallel install of step 2A, started on a second port with sshd -p, is a safer fallback.
Install the Telnet service
# yum -y install telnet-server


Check whether Telnet is enabled at boot
# chkconfig --list | grep telnet


# vim /etc/xinetd.d/telnet
disable = no


# /etc/init.d/xinetd start


# netstat -anp | grep :23
tcp        0      0 0.0.0.0:23      0.0.0.0:*       LISTEN      1594/xinetd


$ telnet 192.168.0.200


Telnet does not allow a direct root login, so log in as a normal user and then su to root. Once the SSH upgrade succeeds, remember to turn the Telnet service off again (step 6).






2. Upgrade the OpenSSH server to the current latest version, openssh-6.1p1
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 Jul 2008


wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
Also fetch the detached signature (openssh-6.1p1.tar.gz.asc) from the same directory and verify it against the OpenSSH release key with gpg --verify before building; a tarball pulled over plain HTTP is otherwise unauthenticated.


A. Upgrade in parallel (the old install stays untouched)
tar xzvf openssh-6.1p1.tar.gz
cd openssh-6.1p1
ssh -V
./configure
make
make install


# This will install the OpenSSH binaries in /usr/local/bin, configuration files
# in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
# installation prefix, use the --prefix option to configure:




/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config




B. Install over the existing version
tar xzvf openssh-6.1p1.tar.gz
cd openssh-6.1p1
./configure --prefix=/usr --sysconfdir=/etc/ssh
make
make install


This method replaces the binaries of the original version. make install does not overwrite the existing configuration files under /etc/ssh (it prints the messages below and keeps them), so the old sshd_config stays in place, and sshd -t then complains about options the new build does not know. Either fix those options as shown below, or delete the old configuration files under /etc/ssh and run make install again to get the 6.1p1 defaults. The second choice throws away any hardening already in that file, and must leave the ssh_host_* keys alone, or every client will see a changed host key.
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/etc/ssh/ssh_host_key already exists, skipping.
/etc/ssh/ssh_host_dsa_key already exists, skipping.
/etc/ssh/ssh_host_rsa_key already exists, skipping.
# /usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 87: Unsupported option UsePAM


# ssh -V
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 Jul 2008




# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 87: Unsupported option UsePAM


Comment out lines 74, 76 and 87 of /etc/ssh/sshd_config. These options are unsupported only because the build above was configured without PAM and Kerberos; a build with ./configure --with-pam (and --with-kerberos5 if GSSAPI is needed) keeps them working. Disabling UsePAM means the PAM account and session modules (password aging, access.conf, resource limits) are no longer applied to SSH logins, so prefer the rebuild if those controls are relied on.




3. Chroot an ordinary user into a home directory, isolating the user's space
Build a chroot environment
# adduser -m test
# passwd test


# mkdir /home/chroot_test


# more /etc/ssh/sshd_config
### chroot normal user's operator dir
Match User test
ChrootDirectory /home/chroot_test


# /etc/init.d/sshd restart


or for a group (the sftp group must exist before running usermod):
# usermod -G sftp dingyongming
# more /etc/ssh/sshd_config
Match Group sftp
# ChrootDirectory %h
ChrootDirectory /home/chroot_test

Match blocks go at the end of sshd_config: every directive after a Match line belongs to that block until the next Match.




A basic chroot environment has at least one shell (for example sh or bash) and some necessary system device files (such as /dev/null and /dev/zero); if you want to allow users to execute some commands, prepare the corresponding command executables and the library files those commands depend on. From sshd_config(5):
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.


The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.


The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).




mkdir /home/chroot_test
cd /home/chroot_test
mkdir {bin,dev,lib,lib64,etc,home}
mknod dev/null c 1 3
mknod dev/zero c 1 5


# optional: the ssh command needs these two nodes, otherwise it reports: PRNG is not seeded
mknod dev/random c 1 8
mknod dev/urandom c 1 9


# optional: the ssh command needs this node, otherwise it reports: Host key verification failed
mknod dev/tty c 5 0


# make root the owner of /home/chroot_test and everything below it, and set the permissions
chown -R root:root /home/chroot_test
chmod -R 755 /home/chroot_test


# allow users to write to these device files; without write access some commands fail
chmod 0666 dev/{null,zero,tty}




Then copy the executables you want to allow the user to run, and the libraries they depend on, to the corresponding locations. For example, you must give the user a usable shell; we generally use /bin/bash, so run ldd to see what it needs:
# ldd /bin/bash
libtermcap.so.2 => /lib64/libtermcap.so.2 (0x0000003627800000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003627400000)
libc.so.6 => /lib64/libc.so.6 (0x0000003627000000)
/lib64/ld-linux-x86-64.so.2 (0x0000003626c00000)
This shows that /bin/bash needs the following files to run:
/lib64/libtermcap.so.2
/lib64/libdl.so.2
/lib64/libc.so.6
/lib64/ld-linux-x86-64.so.2
So copy /bin/bash and those libraries to the same paths under the chroot:
cp -p /bin/bash /home/chroot_test/bin
cp -p /lib64/libtermcap.so.2 /home/chroot_test/lib64
cp -p /lib64/libdl.so.2 /home/chroot_test/lib64
cp -p /lib64/libc.so.6 /home/chroot_test/lib64
cp -p /lib64/ld-linux-x86-64.so.2 /home/chroot_test/lib64


Do the same for every other command the user is allowed to run. Copy only what is needed: do not copy setuid or setgid binaries (su, sudo, passwd) into the jail, since chroot(2) is no boundary against a process that gains root inside it, and keep everything except the user's own home directory owned by root and not writable by the user.






4. Create the user's home directory inside the chroot directory
mkdir /home/chroot_test/home/test
chown -R test /home/chroot_test/home/test
chmod 700 /home/chroot_test/home/test
After the above configuration you can test. Log in over SSH with the test account and see that it is confined to its own home directory, /home/test. Run a few commands as test: only the commands copied in just now work, none of the others do.




# ssh -p 6120 test@210.4.1.2
test@210.4.1.2's password:
Last login: Mon 17:40:41 from 210.4.1.3
-bash-3.2$ ls
-bash-3.2$
-bash-3.2$
-bash-3.2$ pwd
/home/test




-bash-3.2$ ssh root@192.168.0.1
You don't exist, go away!


Copy /etc/passwd and /etc/group to /home/chroot_test/etc, keeping only root and the jailed user and deleting every other account (do not copy /etc/shadow; the jail needs no password hashes). Without these two files the shell prompt reads "I have no name!" and the ssh client inside the jail reports "You don't exist, go away!", as shown above.
cp -p /etc/passwd /home/chroot_test/etc/
cp -p /etc/group /home/chroot_test/etc/






4. Chroot an ordinary user, restricting the directory and commands available after SSH login, so that the specified user can only work in the specified directory and can only run the specified commands or scripts.
For maximum security, an ordinary user logged in to this jump server can only run ssh, ls and a few other limited basic commands.




5. Chroot SFTP
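Section 5 is empty on the original page. The following Match block is an added example, not part of the original, showing the usual SFTP-only chroot with the in-process sftp server, which is why the sshd_config(5) text above says no /dev nodes or binaries are needed in the jail. It assumes the group is named sftp (as in the usermod command above) and that each member's home directory is the jail:

```text
# global: serve sftp from inside sshd, so the jail needs no sftp-server binary
Subsystem sftp internal-sftp

# Match blocks go at the end of sshd_config
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Because %h must be root-owned and not writable by the user, the home itself stays root:root 755 and uploads go into a user-owned subdirectory created underneath it (for example /home/dingyongming/upload). Check the file with sshd -t -f /etc/ssh/sshd_config before restarting, and test with sftp from another host; ForceCommand internal-sftp turns any attempt at a shell session into an sftp session, so a plain ssh login for these users no longer works.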




6. Turn off the Telnet service
# /etc/init.d/xinetd stop
Stopping xinetd stops every other xinetd service as well; to remove only telnet, set disable = yes in /etc/xinetd.d/telnet (or run chkconfig telnet off) and restart xinetd, then confirm with netstat that nothing listens on port 23 any more.








7. Giving a chrooted user access to a directory outside the chroot (a symlink does not work, because it is resolved inside the jail, and directories cannot be hard-linked). Create the mount point first, then bind-mount:
mount --bind /var/log/ /home/chroot_test/test_mount_bind/


Make the mount persistent across boots
# vim /etc/rc.local
### mount bind for chroot or FTP
mount --bind /var/log/ /home/chroot_test/test_mount_bind/


Or
# vim /etc/fstab
# <file system>   <mount point>                        <type>   <options>   <dump>   <pass>
/var/log/         /home/chroot_test/test_mount_bind/   none     rw,bind     0        0

A bind mount carries the original permissions, so a user who can write under /var/log on the host can write there through the jail as well, and bind-mounting logs read-write into a jail lets that user alter or truncate them. Where the kernel supports read-only bind mounts, remount the bind with -o remount,ro,bind; otherwise bind only a directory the user is meant to write.
