Category: LINUX

2008-12-12 12:25:27

Using chroot'ed SFTP accounts with OpenSSH 5.1

It meets the following requirements:


What does this do again?

This considerably improves the security of a multi-user server. The main things it does are:

Lock users to their home directory

-- This hides the rest of the system from them: system binaries, other users' files, backups, configuration files.

Disable regular ssh access

-- Many users who only host a web site have no need for a shell. It is just one more thing to be attacked.

--------------------------------------------------------------------------------


FTP already does this, right?

Yes, but you're forgetting one thing: this is SFTP. The session is encrypted, so passwords and file contents cannot simply be sniffed off the wire. User management is done at the system level, so the server decides what each user can and cannot do. And if your FTP daemon runs as root (or with elevated privileges) and an FTP user compromises it, they hold root, or at least high privileges, over the ENTIRE server. Not any more: with OpenSSH's in-process SFTP server the file-transfer code runs as the logged-in user, confined to the jail.


The Tutorial

This tutorial installs the necessary dependencies under /opt. If you wish to install them elsewhere, or have no /opt directory on your server, you may do so, but be sure to change all the paths in the commands below. All commands must be run as root.

NOTE: The jailing setup for OpenSSH 5 is much cleaner and needs fewer hacks than version 4. If you need to jail users, update to version 5.

Another NOTE: This setup is meant for a fresh server. If you already have configuration files for the programs installed here (zlib, openssl and openssh), they will not be overwritten, but you will have to copy them from their old locations to the paths used here (recommended: /opt/...).

You need the GNU Compiler Collection to build these programs:

    yum install gcc

When asked whether to proceed, answer "y".

Install zlib:

    cd /tmp
    mkdir -p /opt/zlib
    mkdir zlib1.23
    cd zlib1.23/
    wget
    unzip zlib123.zip
    make
    make install prefix=/opt/zlib/

Now install OpenSSL under /opt as well:

    cd /tmp
    mkdir -p /opt/openssl
    wget
    tar xvzf openssl-0.9.8h.tar.gz
    cd openssl-0.9.8h
    ./config --prefix=/opt/openssl --openssldir=/opt/openssl
    make
    make test
    make install

The make steps take a long time. If 'make test' reports any errors, fix them before continuing.

Next, download OpenSSH:

    cd /tmp
    mkdir -p /opt/openssh
    wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz
    tar xvzf openssh-5.1p1.tar.gz
    cd openssh-5.1p1

Now build and install OpenSSH. To find where your xauth binary lives, run "which xauth". If you know what you are doing you may add your own options to the configure command:

    ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib
    make
    make install

Some of these commands take a while. Go grab a coke.

REMEMBER: This tutorial is meant for setting up a server for the first time. You may need to copy your sshd_config (or at least the directives you want to keep) from /etc/ssh to preserve your old settings.

To start the new sshd automatically we use init. Change the following lines in /etc/init.d/sshd:

    # Some functions to make the below more readable
    KEYGEN=/opt/openssh/bin/ssh-keygen
    SSHD=/opt/openssh/sbin/sshd
    RSA1_KEY=/opt/openssh/etc/ssh_host_key
    RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
    DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

Then restart ssh and check that it is running:

    /etc/init.d/sshd restart
    telnet localhost 22

The telnet command should print something like:

    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.1

Make sure the last line says "OpenSSH_5.1": that confirms the daemon answering on port 22 is the one just built and not the distribution's sshd. Do the restart from a second session and keep the current one open until the new daemon accepts a login, so that a broken build or configuration does not lock you out.
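The build steps above fetch and compile OpenSSL and OpenSSH, which will run as root, without checking what was downloaded, and the banner test is then done by eye. The following shell functions are an added example, not part of the original tutorial: they wrap the same steps with a SHA-256 check of the tarball before anything is unpacked, and parse the banner line so the version check can be scripted. The expected hash is an assumption to be taken from the project's download page (none is given on this page); the `.asc` signature check only runs if gpg is installed; `fetch_banner` assumes a netcat that keeps the connection open while stdin is; `sha256sum` is GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a source tarball before
# building it, and check the banner of the daemon that comes up afterwards.
# Assumption: the expected SHA-256 comes from the project's download page;
# no hash is given on the original page.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got '${actual:-none}', want $expected" >&2
        return 1
    fi
    return 0
}

# build_from_tarball TARBALL EXPECTED_HEX PREFIX CONFIGURE [configure args...]
# Refuses to unpack, let alone compile and install as root, until the hash
# matches. If a detached signature TARBALL.asc sits beside the tarball and gpg
# is installed, it is verified too (OpenSSH portable releases ship one).
# CONFIGURE is ./configure for zlib and OpenSSH, ./config for OpenSSL.
build_from_tarball() {
    tarball=$1; expected=$2; prefix=$3; configure=$4; shift 4
    verify_sha256 "$tarball" "$expected" || return 1
    if [ -f "$tarball.asc" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$tarball.asc" "$tarball" || return 1
    fi
    srcdir=$(basename "$tarball" .tar.gz)
    tar xzf "$tarball" || return 1
    ( cd "$srcdir" && "$configure" --prefix="$prefix" "$@" && make && make install )
}

# banner_version BANNER -> prints the software version from an SSH
# identification line ("SSH-2.0-OpenSSH_5.1 comment" -> "OpenSSH_5.1");
# returns 1 if the line is not an SSH banner at all.
banner_version() {
    line=$(printf '%s' "$1" | tr -d '\r')   # servers terminate the line with CRLF
    case "$line" in
        SSH-[12].[0-9]*-?*) ;;
        *) return 1 ;;
    esac
    v=${line#SSH-*-}     # strip "SSH-<protoversion>-"
    v=${v%% *}           # drop the optional comment after the first space
    printf '%s\n' "$v"
}

# fetch_banner HOST PORT -> first line the server sends (sshd sends its
# banner immediately on connect)
fetch_banner() {
    sleep 2 | nc "$1" "$2" | head -n 1
}

# Usage, e.g. for the tutorial's OpenSSH build and the restart check:
#   build_from_tarball openssh-5.1p1.tar.gz <sha256 from the download page> \
#       /opt/openssh ./configure --with-ssl-dir=/opt/openssl --with-zlib=/opt/zlib
#   [ "$(banner_version "$(fetch_banner localhost 22)")" = OpenSSH_5.1 ] \
#       || echo "a different sshd is answering on port 22"
```

The hash check is the minimum; the `.asc` signature ties the tarball to the release key rather than to whatever mirror served it, so import and verify that key out of band before trusting the gpg step.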

Next, edit '/opt/openssh/etc/sshd_config' to enable the jail.

Replace any line starting with 'Subsystem' with:

    Subsystem       sftp    internal-sftp

Also add, at the bottom of the file:

    Match Group sftponly
            ChrootDirectory /home/%u
            ForceCommand internal-sftp
            AllowTcpForwarding no

Now all users in the 'sftponly' group are jailed to their home directory. internal-sftp matters here: the in-process SFTP server needs no shell, libraries or device nodes inside the jail, whereas the external sftp-server binary would have to be copied, with everything it links against, into every chroot. The Match block must stay at the end of the file, because every directive after a Match line belongs to that block.

We need to create the 'sftponly' group so we can add our untrusted users to it, and set up the environment so that jailing works:

    groupadd sftponly
    chown root:root /home
    chmod 755 /home

Now, whenever you create users that need to be jailed, make sure they belong to the 'sftponly' group. For the user "mark" with the password "test", the steps are:

    useradd mark
    usermod -g sftponly mark
    usermod -s /bin/false mark
    usermod -d /home/mark mark
    passwd mark

When asked, enter 'test' as the password for mark. The /bin/false shell is fine because internal-sftp never spawns a shell; it only stops anything else from giving mark a login.

To set up the jail run:

    chown root:root /home/mark
    chmod 755 /home/mark
    mkdir /home/mark/public_html
    chown mark:sftponly /home/mark/public_html

Every directory from / down to the ChrootDirectory must be owned by root and must not be writable by group or others; otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory". The consequence is that mark cannot write at the top level of his own jail, so give him a writable subdirectory such as public_html. If jailed users are to log in with keys, root also has to create /home/mark/.ssh (mode 700, owned by mark) and place authorized_keys in it, since the user cannot create it himself.

Try to log in as mark with PuTTY (or any SSH terminal client). You should get an error, or the session should close immediately, because ForceCommand replaces the shell with the SFTP server.

Then log in as mark with WinSCP (or similar SFTP software).

Congratulations! You now have a jailed user.

NOTICE: Yum will no longer update these programs (zlib, openssl, openssh). When a new version comes out you have to build it from a tarball again, following the same steps. This also means security fixes no longer arrive automatically: watch the OpenSSL and OpenSSH announcements and rebuild promptly, because a self-built sshd that is never updated ends up less secure than the packaged one.


The modified sshd init script:

#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /opt/openssh/etc/ssh_host_key
# config: /opt/openssh/etc/ssh_host_key.pub
# config: /opt/openssh/etc/ssh_random_seed
# config: /opt/openssh/etc/sshd_config
# pidfile: /var/run/sshd.pid

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"
# The lock file name must match the script name so that the rc system
# runs "stop" for this service at shutdown.
LOCK_FILE=/var/lock/subsys/sshd

# Paths of the self-built OpenSSH under /opt
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA1_KEY.pub
                        fi
                        success $"RSA1 key generation"
                        echo
                else
                        failure $"RSA1 key generation"
                        echo
                        exit 1
                fi
        fi
}

do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n $"Generating SSH2 RSA host key: "
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA_KEY.pub
                        fi
                        success $"RSA key generation"
                        echo
                else
                        failure $"RSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $DSA_KEY.pub
                        fi
                        success $"DSA key generation"
                        echo
                else
                        failure $"DSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_restart_sanity_check()
{
        $SSHD -t
        RETVAL=$?
        if [ ! "$RETVAL" = 0 ]; then
                failure $"Configuration file or keys are invalid"
                echo
        fi
}

start()
{
        # Create keys if necessary (the SSH1 key is only used if
        # sshd_config enables Protocol 1)
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen

        echo -n $"Starting $prog:"
        initlog -c "$SSHD $OPTIONS" && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch $LOCK_FILE
        echo
}

stop()
{
        echo -n $"Stopping $prog:"
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -TERM
        else
            failure $"Stopping $prog"
        fi
        RETVAL=$?
        [ "$RETVAL" = 0 ] && rm -f $LOCK_FILE
        echo
}

reload()
{
        echo -n $"Reloading $prog:"
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -HUP
        else
            failure $"Reloading $prog"
        fi
        RETVAL=$?
        echo
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                stop
                start
                ;;
        reload)
                reload
                ;;
        condrestart)
                if [ -f $LOCK_FILE ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop
                                # avoid race
                                sleep 3
                                start
                        fi
                fi
                ;;
        status)
                status $SSHD
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
                RETVAL=1
esac
exit $RETVAL


The modified sshd_config file. Note that it is a working file, not a hardened baseline: PermitRootLogin yes together with PasswordAuthentication yes leaves root open to password guessing on the non-standard port, and UseLogin yes hands interactive sessions to login(1), which disables privilege separation after authentication and X11 forwarding (the keyword was removed altogether in OpenSSH 7.4). PermitRootLogin no (or without-password) and UseLogin no are the safer choices.

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22222
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /opt/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /opt/openssh/etc/ssh_host_rsa_key
#HostKey /opt/openssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /opt/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
UseLogin yes
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem      sftp    /opt/openssh/libexec/sftp-server
Subsystem       sftp    internal-sftp

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
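It is easy to lose track of which directives in a file like the one above are global and which fall inside the Match block, and of the settings (PermitRootLogin yes, UseLogin yes) that weaken an otherwise careful jail. The following shell function is an added example and not part of the original page: it runs an awk pass over an sshd_config and reports the global settings a reviewer of this setup would flag, plus any Match block that declares a ChrootDirectory without ForceCommand internal-sftp, AllowTcpForwarding no and X11Forwarding no. It parses only the "Keyword value" form and treats everything before the first Match as global; the two sample configs it writes are constructed for the example, the first mirroring the settings on this page.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of an sshd_config
# for the settings discussed above. Assumes "Keyword value" syntax.

# audit_sshd_config FILE
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_sshd_config() {
    findings=$(awk '
    # Report on the Match block we just finished, if it declared a chroot.
    function flush() {
        if (!in_match || !has_chroot) return
        if (force != "internal-sftp")
            print hdr ": ChrootDirectory without ForceCommand internal-sftp (the jail would need a shell and binaries)"
        if (!tcp_off)
            print hdr ": AllowTcpForwarding not set to no (jailed users could relay TCP through the server)"
        if (!x11_off)
            print hdr ": X11Forwarding not set to no inside the jail"
    }
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    {
        key = tolower($1); val = tolower($2)
        if (key == "match") {
            flush()
            in_match = 1; hdr = $0; has_chroot = 0; force = ""; tcp_off = 0; x11_off = 0
            next
        }
        if (!in_match) {
            if (key == "permitrootlogin" && val == "yes")
                print "global: PermitRootLogin yes (use no, or without-password for key-only root)"
            if (key == "uselogin" && val == "yes")
                print "global: UseLogin yes disables privilege separation after authentication"
            if (key == "protocol" && $2 ~ /1/)
                print "global: Protocol " $2 " still allows SSH protocol 1"
            if (key == "useprivilegeseparation" && val == "no")
                print "global: UsePrivilegeSeparation no"
            if (key == "permitemptypasswords" && val == "yes")
                print "global: PermitEmptyPasswords yes"
        } else {
            if (key == "chrootdirectory" && val != "none") has_chroot = 1
            if (key == "forcecommand") force = val
            if (key == "allowtcpforwarding" && val == "no") tcp_off = 1
            if (key == "x11forwarding" && val == "no") x11_off = 1
        }
    }
    END { flush() }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_configs DIR -> DIR/weak.conf (the settings on this page) and
# DIR/hardened.conf. Both files are constructed for this example.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
Port 22222
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UseLogin yes
Subsystem       sftp    internal-sftp

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

Match User anoncvs
        ForceCommand cvs server
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22222
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
UseLogin no
UsePrivilegeSeparation yes
Subsystem       sftp    internal-sftp

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
EOF
}

# Usage against the live file:
#   audit_sshd_config /opt/openssh/etc/sshd_config && echo "no findings"
```

Run it before `sshd -t` on every edit: `sshd -t` only proves the file parses, while this pass catches the directives that parse fine but undo the jail.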

 

 

 

Key generation

[cacti@mailgw ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cacti/.ssh/id_rsa):
Created directory '/home/cacti/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cacti/.ssh/id_rsa.
Your public key has been saved in /home/cacti/.ssh/id_rsa.pub.
The key fingerprint is:
3e:a6:f2:e7:da:8a:8d:f4:a6:23:d7:0f:16:d5:ac:dc cacti@mailgw

[cacti@mailgw .ssh]$ cp id_rsa.pub  authorized_keys
[cacti@mailgw .ssh]$ chmod 600 authorized_keys

Open the id_rsa file, copy its contents and save it as a local file. On the client, open PuTTYgen, import that id_rsa file and export the private key (.ppk); it can then be used to log in.

Copying the private key off the server this way is the weaker direction: generating the key pair on the client with PuTTYgen and pasting only the public key into authorized_keys means the private key never exists on the server at all. Either way, ~/.ssh must stay mode 700 and authorized_keys mode 600, or StrictModes will ignore the key file.