Use rssh to create a secure file server

Source: Internet
Author: User
Tags: rsync

The company currently needs a Linux server to act as a file server. For security reasons I do not want to use FTP or Samba, but users must still be able to upload files. What can be done?

Because it is a Linux server, users can log on with SSH and use SFTP to upload and download files.

This solves the problem above, but creates a new one.

OpenSSH requires that a user who logs on has a valid login shell on the server.
Every user therefore has to be given a shell, and a user with a shell can roam the whole file system of the server.

How can this be solved? The answer is rssh, a restricted shell.

rssh is a restricted shell designed to be used with OpenSSH. It permits only the following operations:
* scp
* sftp
* cvs
* rsync
* rdist
Everything other than the operations above is forbidden.

Install rssh

CentOS/Fedora/RHEL Linux

Download the rssh package directly from the Dag repository and install it:
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian/Ubuntu Linux

Install with the apt-get command:
$ sudo apt-get install rssh

FreeBSD
# cd /usr/ports/shells/rssh
# make install clean

The rssh file locations are as follows:

* Default configuration file: /etc/rssh.conf (FreeBSD: /usr/local/etc/rssh.conf)
* Default rssh executable: /usr/bin/rssh (FreeBSD: /usr/local/bin/rssh)
* No default port (OpenSSH listens on port 22; rssh is only a shell, not a network service)

Configure a user account to use rssh as its shell

The configuration is very simple. When creating a new user, use the -s option to set rssh as the login shell directly:
# useradd -m -d /home/didi -s /usr/bin/rssh new_user
# passwd new_user

For an existing user, change the login shell with the chsh or usermod command:
# usermod -s /usr/bin/rssh old_user
or
# chsh -s /usr/bin/rssh old_user

By default rssh denies users every operation, so the operations a user may perform must be enabled explicitly.

Open /etc/rssh.conf and add the required options. The available options are:
* allowscp: allow scp
* allowsftp: allow sftp
* allowcvs: allow cvs
* allowrdist: allow rdist
* allowrsync: allow rsync

Create the chroot "prison"

Create all the required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh

Create the null device /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3

Copy the required files from /etc to /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .
Edit /users/etc/passwd and /users/etc/group and remove root and every other account that does not belong in the jail.

Copy the required executables to /users/bin and the other corresponding locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .      (or: cp /usr/lib/openssh/sftp-server .)
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .       (or: cp /usr/lib/rssh/rssh_chroot_helper .)
# cd /users/bin/
# cp /bin/sh .                               (or: cp /bin/bash .)

Copy all required shared library files

Use the ldd command to list the shared libraries a program needs, for example sftp:

# ldd /usr/bin/sftp
linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

Then copy every shared library listed in the output into the corresponding directory under the "prison" (for example /lib/libc.so.6 goes to /users/lib/libc.so.6), and repeat for each of the other executables copied above.
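Doing that copy by hand for every binary is tedious and easy to get wrong. The helper below is an added example, not part of the original article: it copies each binary and the libraries ldd reports for it into the jail under the same absolute paths, and a second function checks that nothing is missing. It assumes a glibc-style ldd; the jail root /users and the binaries named in the usage comment are the ones from this article.

```shell
#!/bin/sh
# Added helper: copy binaries plus their shared libraries into a chroot jail.
# Assumes a glibc-style ldd whose lines look like
#   libfoo.so.1 => /lib/libfoo.so.1 (0x...)   or   /lib/ld-linux.so.2 (0x...)
# Usage (as root): jail_copy_bin /users /usr/bin/sftp /usr/bin/scp /usr/bin/rssh

# Print the absolute library paths ldd reports for a binary (nothing for static ones).
ldd_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# jail_copy_bin JAIL BINARY...: copy each binary and its libraries under JAIL,
# keeping the same absolute paths so the dynamic loader finds them after chroot.
jail_copy_bin() {
    jail="$1"; shift
    for bin in "$@"; do
        [ -f "$bin" ] || { echo "jail_copy_bin: missing $bin" >&2; return 1; }
        mkdir -p "$jail$(dirname "$bin")"
        cp -p "$bin" "$jail$bin"
        ldd_libs "$bin" | while read -r lib; do
            [ -e "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            # -L follows symlinks so the jail gets the real library, not a dangling link
            [ -e "$jail$lib" ] || cp -pL "$lib" "$jail$lib"
        done
    done
}

# jail_check_bin JAIL BINARY: succeed only if the binary and every library it
# needs are present inside JAIL; run it before trusting the jail.
jail_check_bin() {
    jail="$1"; bin="$2"
    [ -x "$jail$bin" ] || return 1
    ldd_libs "$bin" | while read -r lib; do
        [ -e "$jail$lib" ] || exit 1     # leaves the loop's subshell with status 1
    done
}
```

The check function deliberately consults ldd on the host binary, so it still reports libraries that exist on the host but were never copied.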

Modify the syslogd configuration file

syslogd works by reading messages from a special file such as /dev/log.
The -a option tells syslogd to listen on an additional socket.
This is required whenever a daemon running inside the chroot needs to log.
By default up to 19 additional sockets can be added; if you really need more, change MAXFUNIX in the syslogd source file syslogd.c.

Edit the /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog

Find the following line:
SYSLOGD_OPTIONS="-m 0"

Append /users/dev/log to it:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"

Save the file and restart syslog:
# /etc/init.d/syslog restart

Edit rssh.conf and configure the chroot path:

# vi /etc/rssh.conf

Add the following line:
chrootpath = /users

Then restart sshd:
# /etc/init.d/sshd restart

Put users into the "prison"

As with changing the login shell above, use the -d option to place the new user's home directory inside our new "prison":
# useradd -m -d /users/home/newuser -s /usr/bin/rssh newuser
# passwd newuser

Then log on with the newuser account (server stands for the address of the file server):

$ sftp newuser@server
newuser@server's password:
sftp> ls
sftp> pwd
Remote working directory: /home/newuser
sftp> cd /tmp
Couldn't canonicalise: No such file or directory

The user cannot enter /tmp because that directory was never created inside the "prison"; the user is completely confined to the jail.

Per-user configuration
The configuration above applies to all users. When different users need different settings, use the user keyword in the configuration file.
A user line has the highest priority and overrides every other setting.

For example, if a user line in the configuration file sets the operations that user foo may perform, foo's configuration does not change regardless of what the other lines say.

A user line separates its fields with colons (:), in the order username:umask:path

* username: the user the permissions apply to
* umask: two parts;
the first part is an octal umask value,
the second part is five binary digits, one per operation: 1 allows the operation and 0 forbids it.
* path: the user's chroot directory (if the directory name contains spaces, enclose it in double quotes).

For example, user foo may only perform the cvs operation:

The five bits are, from left to right: rsync, rdist, cvs, sftp and scp (the order can be read off the examples below).

Study the following examples:
user=jhon:011:00100:                          # cvs, with no chroot
user=kate:011:01000:                          # rdist, with no chroot
user=rudy:011:10000:                          # rsync, with no chroot
user=rudy:011:00001:"/usr/local/my chroot"    # scp with chroot
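To see at a glance what an rssh.conf grants, the following added example (not from the article) decodes each user= line into the operations it allows and its chroot path, using the bit order above. The configuration it parses is a constructed sample that reuses the lines above plus one malformed line.

```shell
#!/bin/sh
# Added audit helper: decode the user= lines of an rssh.conf and print what
# each user may do. Bit order, left to right: rsync rdist cvs sftp scp.
# Trailing "# comments" are stripped, so a chroot path may not contain '#'.

# Constructed sample config (not a real file) exercising the formats above.
SAMPLE_RSSH_CONF='allowscp
chrootpath = /users
user=jhon:011:00100:                          # cvs, with no chroot
user=kate:011:01000:                          # rdist, with no chroot
user=rudy:011:00001:"/usr/local/my chroot"    # scp with chroot
user=bad:022:101:                             # malformed: must be five bits'

# rssh_decode_bits BITS: print the allowed operations ("none" if all zero),
# or "INVALID" with status 1 when BITS is not exactly five 0/1 digits.
rssh_decode_bits() {
    bits="$1"; ops=""
    case "$bits" in
        [01][01][01][01][01]) ;;
        *) echo "INVALID"; return 1 ;;
    esac
    for op in rsync rdist cvs sftp scp; do
        c="${bits%"${bits#?}"}"        # first remaining digit
        bits="${bits#?}"               # drop it
        if [ "$c" = 1 ]; then ops="${ops:+$ops }$op"; fi
    done
    printf '%s\n' "${ops:-none}"
}

# rssh_audit_conf: read rssh.conf on stdin and print "user<TAB>ops<TAB>chroot"
# for every user= line; all other lines are ignored.
rssh_audit_conf() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*#.*$//')
        case "$line" in user=*) ;; *) continue ;; esac
        spec="${line#user=}"
        name="${spec%%:*}"; spec="${spec#*:}"      # username
        spec="${spec#*:}"                          # skip the octal umask
        bits="${spec%%:*}"
        case "$spec" in *:*) path="${spec#*:}" ;; *) path="" ;; esac
        path="${path#\"}"; path="${path%\"}"       # unquote "/path with spaces"
        printf '%s\t%s\t%s\n' "$name" "$(rssh_decode_bits "$bits")" "${path:-no chroot}"
    done
}
```

Run it against the live file with `rssh_audit_conf < /etc/rssh.conf` to review what each account is permitted.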

This article references the following documents:
How to: Restrict users to scp and sftp and block SSH shell access with rssh
How to: Configure a user account to use a restricted shell (rssh)
Linux: Configure an rssh chroot jail to lock users to their home directories only
rssh: per-user configuration options for chroot jail
