Category: LINUX

2006-07-14 16:45:42

Steps for building OpenSSH with chroot support
 
Author: 管怀剑 (James Guan)
Updated: 2006/05/26
 
Requirements:
zlib-devel
pam-devel
gcc
OpenSSL (installed under /usr/local/ssl, the path given to --with-ssl-dir below)
openssh-4.2p1-chroot.tar.gz (download from )
 

Building:
LDFLAGS=-ldl ./configure --with-zlib=/usr/local/lib --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl
make clean
make
make install
add the privilege-separation user to /etc/passwd if it is not already there: sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cd /usr/bin
mv ssh ssh.orig
mv scp scp.orig
mv ssh-add ssh-add.orig
mv ssh-agent ssh-agent.orig
mv ssh-keygen ssh-keygen.orig
mv ssh-keyscan ssh-keyscan.orig
ln -sf /usr/local/bin/ssh ssh
ln -sf /usr/local/bin/scp scp
ln -sf /usr/local/bin/ssh-add ssh-add
ln -sf /usr/local/bin/ssh-agent ssh-agent
ln -sf /usr/local/bin/ssh-keygen ssh-keygen
ln -sf /usr/local/bin/ssh-keyscan ssh-keyscan
cd /usr/sbin
mv sshd sshd.orig
ln -sf /usr/local/sbin/sshd sshd
cd /usr/libexec/openssh
mv sftp-server sftp-server.orig
mv ssh-keysign ssh-keysign.orig
ln -sf /usr/local/libexec/sftp-server sftp-server
ln -sf /usr/local/libexec/ssh-keysign ssh-keysign
/etc/init.d/sshd restart
 
Create sftp chroot:
[root@localhost openssh-chroot]# cat create-sftp-chroot.sh
#!/bin/sh
# This script chroots the specified user ($1). It does two things:
# 1. Uses the user's home directory as the chroot root ("/"), then copies the
#    needed command(s) and the shared libraries they depend on into it.
# 2. Changes the user's login shell to /usr/local/libexec/sftp-server and marks
#    the home directory with the trailing "/./" that the chroot patch looks for.
# EDITOR: Taylor Lee < >
# Date: 2006-04-18

echo "INFO: username checking..."
if [ "x$1" = "x" ]; then
   echo "No argument/username specified, exiting..."
   echo "Usage: create-sftp-chroot.sh username"
   exit 1
fi
if ! id "$1" > /dev/null 2>&1; then
   echo "ERROR: specified user $1 does not exist, exiting with value 2..."
   exit 2
fi

echo "INFO: creating chroot for user $1..."
CHROOT_DIR=`grep "^$1:" /etc/passwd | awk -F: '{print $6}'`
REQUIRED_CHROOT_FILES="/usr/local/libexec/sftp-server"

# Create CHROOT_DIR
[ ! -d "$CHROOT_DIR" ] && mkdir -p "$CHROOT_DIR"
cd "$CHROOT_DIR" || exit 3

# Copy REQUIRED_CHROOT_FILES and their shared library dependencies into the
# chroot. The leading "/" is stripped (cut -c2-) because we are now inside
# CHROOT_DIR and want the copies relative to it.
for FILE in $REQUIRED_CHROOT_FILES
do
   DIR=`dirname $FILE | cut -c2-`
   [ ! -d "$DIR" ] && mkdir -p "$DIR"
   cp "$FILE" "`echo $FILE | cut -c2-`"
   # Take every absolute path in the ldd output. This also catches the dynamic
   # loader line ("/lib/ld-linux.so.2 (0x...)"), which has no "=>" and is
   # missed when only the third field is printed, and skips the kernel vDSO
   # entry ("linux-gate.so.1 => (0x...)"), which has no file to copy.
   for SHARED_LIBRARY in `ldd "$FILE" | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'`
   do
      DIR=`dirname $SHARED_LIBRARY | cut -c2-`
      [ ! -d "$DIR" ] && mkdir -p "$DIR"
      [ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && cp "$SHARED_LIBRARY" "`echo $SHARED_LIBRARY | cut -c2-`"
   done
done

# Change the user's login shell to /usr/local/libexec/sftp-server. The home
# directory must end in "/./": the chroot patch treats the path before the
# "/./" as the chroot root.
echo "$CHROOT_DIR" | grep "/\./$" > /dev/null 2>&1
if [ $? = 0 ]; then
   usermod -s /usr/local/libexec/sftp-server "$1" && echo "INFO: user $1 has been chrooted, please check the $1 entry in /etc/passwd below"
else
   usermod -d "$CHROOT_DIR/./" -s /usr/local/libexec/sftp-server "$1" && echo "INFO: user $1 has been chrooted, please check the $1 entry in /etc/passwd below"
fi
grep "^$1:" /etc/passwd
exit 0
 
#adduser test
#passwd test
#./create-sftp-chroot.sh test
[root@CentOS42-VM chroottest]# ./create-sftp-chroot.sh test
INFO: username checking...
INFO: creating chroot for user test...
INFO: user test had been chrooted,please check below test user entry in /etc/passwd
test:x:501:502::/home/test/./:/usr/local/libexec/sftp-server
 

Verification:
 
To verify that a user is sftp-chrooted, log in with the sftp command and check the remote working directory
(for example, to verify that the test user is sftp-chrooted):
 
[root@CentOS42-VM chroottest]# sftp
Connecting to localhost...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 5b:41:e2:e7:c7:27:bc:c1:8b:e6:2d:3b:56:85:03:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
password:
sftp> ls
lib  usr 
sftp> pwd
Remote working directory: /
sftp> quit
 
Make sure you get the "Remote working directory: /" message as above. Together with an "ls" at "/" that shows only the copied "lib" and "usr" directories rather than the real root filesystem, it means the chroot succeeded.
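As an added example (not part of the original post or of the chroot patch itself), the script below audits an sftp chroot built with the procedure above without an interactive login. It assumes the same conventions: the user's home directory in the passwd file ends in the "/./" marker and the login shell is the sftp-server binary that was copied into the chroot. The function names (ldd_paths, check_passwd_entry, missing_in_chroot, audit_sftp_chroot) are my own. The ldd parser also handles the two line shapes a plain "print the third field" misses: the dynamic loader line, which has no "=>", and the vDSO line, which names no file.

```shell
#!/bin/sh
# Added audit for a chrootssh-style sftp chroot (example code, not from the
# original page). Assumes the conventions used above: the home directory in
# the passwd file ends in "/./" and the login shell is the sftp-server
# binary that was copied into the chroot.

# Print every absolute path that appears in ldd output read from stdin.
# Handles all three line shapes ldd emits:
#   libz.so.1 => /usr/lib/libz.so.1 (0x...)   -> /usr/lib/libz.so.1
#   /lib/ld-linux.so.2 (0x...)                -> /lib/ld-linux.so.2
#   linux-gate.so.1 => (0x...)                -> (no file, skipped)
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# check_passwd_entry PASSWD_FILE USER
# Verify that USER's home ends in "/./" and that the shell is sftp-server.
# On success print the chroot directory (the home without the trailing "/./").
check_passwd_entry() {
    entry=$(grep "^$2:" "$1") || { echo "no passwd entry for $2" >&2; return 1; }
    home=$(echo "$entry" | awk -F: '{print $6}')
    shell=$(echo "$entry" | awk -F: '{print $7}')
    case "$home" in
        */./) ;;
        *) echo "home '$home' lacks the /./ chroot marker" >&2; return 1 ;;
    esac
    case "$shell" in
        */sftp-server) ;;
        *) echo "shell '$shell' is not sftp-server" >&2; return 1 ;;
    esac
    echo "${home%/./}"
}

# missing_in_chroot CHROOT_DIR
# Read absolute host paths on stdin and print each one that is absent (or
# empty) under CHROOT_DIR. Returns 1 if anything is missing, 0 otherwise.
missing_in_chroot() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -s "$1$path" ]; then
            echo "$path"
            rc=1
        fi
    done
    return $rc
}

# audit_sftp_chroot PASSWD_FILE USER
# Full check: the passwd entry is sane, the shell binary was copied into the
# chroot, and every library the host copy of that binary needs is present
# under the chroot as well.
audit_sftp_chroot() {
    chroot_dir=$(check_passwd_entry "$1" "$2") || return 1
    shell=$(grep "^$2:" "$1" | awk -F: '{print $7}')
    [ -s "$chroot_dir$shell" ] || { echo "$shell missing under $chroot_dir" >&2; return 1; }
    ldd "$shell" | ldd_paths | missing_in_chroot "$chroot_dir" || {
        echo "the libraries above are missing under $chroot_dir" >&2; return 1; }
    echo "OK: $2 is chrooted to $chroot_dir"
}

# Usage: ./audit-sftp-chroot.sh username   (reads the real /etc/passwd)
if [ $# -eq 1 ]; then
    audit_sftp_chroot /etc/passwd "$1"
fi
```

Run it as root after create-sftp-chroot.sh; a non-zero exit names the first thing wrong (bad passwd entry, missing sftp-server copy, or the list of libraries that were not copied), which is what the interactive sftp test only hints at when the login silently fails.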
 
 