茫茫網海中的冷日
         
小企鵝開談 : [Repost] Locking SFTP Up (CHROOTED)

Poster / Discussion content
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] Locking SFTP Up (CHROOTED)
Locking SFTP Up (CHROOTED)

Preface

If you want to offer a small amount of file sharing but would rather not set up a dedicated FTP service, the first thing that comes to mind is usually the SFTP transfer mode that rides on the SSH service. SFTP transfers do take somewhat longer because of the encryption, but it has always been 格揆's one and only way of moving files. Convenient as it is, this approach has one big problem: a logged-in user can see every file and directory on the system and even download their contents directly. In a multi-user environment that is obviously a security concern, so is there a way to confine the SFTP service to a designated directory?

With the help of the great god Google and plenty of testing, 格揆 finally worked out a feasible method, so... let's contribute it back to the great god... XD

Setup Steps

※ This article uses OpenSSH 5.2_p1-r3 as the configuration environment!

1. Choose the directory to confine to: if the target is a single user, this is that user's root directory when logged in via SFTP; if the target is a group, this directory is the root under which that group's user directories live.

2. Enable the sftp subsystem in /etc/ssh/sshd_config: take special care to enable the internal-sftp subsystem.
# override default of no subsystems
#Subsystem      sftp    /usr/lib64/misc/sftp-server    # the system's original setting
# switch to internal-sftp
Subsystem       sftp    internal-sftp

3. Also in sshd_config, specify which users are to be confined and where they are confined to; add the following after the modification above:
# The user to be confined; for a group, change User to Group followed by the
# group name, e.g. Match Group rootedSFTP
Match User ada
        # Where to confine them to. If the target is a group and each member
        # has a directory of their own, add a pattern (man ssh_config) such as
        # /chroot/%u; /chroot is then the root of this group's user directories.
        ChrootDirectory /chroot
        # Likewise use the internal-sftp subsystem
        ForceCommand internal-sftp

4. Set the permissions on the chroot directory: wrong directory permissions cause the message "fatal: bad ownership or modes for chroot directory XXXXXX" to appear in the log.
According to the article openssh 5.1 chrootdirectory permissions issue, there are two key points for the directory permissions:
every directory from the one named by ChrootDirectory up to the system root must be owned by root
no directory from the one named by ChrootDirectory up to the system root may have group write permission

5. After reloading sshd, use FileZilla or another SFTP-capable client to test whether the user is confined...


Original source: Ada Hsu 的胡思亂想: 把 SFTP 關起來 (CHROOTED)
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] OpenSSH SFTP chroot() with ChrootDirectory
OpenSSH SFTP chroot() with ChrootDirectory

Posted by niol on Tue 1 Apr 2008 at 10:49

Tags: ftp, openssh, sftp
The upcoming version of OpenSSH (4.8p1 for the GNU/Linux port) features a new configuration option : ChrootDirectory. This has been made possible by a new SFTP subsystem statically linked to sshd.

This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh, scponly or other patches because it does not require setting up and maintaining (i.e. security updates) a chroot environment.

To enable it, you obviously need the new version 4.8p1. I personally use the cvs version and the debian/ directory of the sid package to build a well integrated Debian package 4.8p1~cvs-1.

In /etc/ssh/sshd_config:

You need to configure OpenSSH to use its internal SFTP subsystem.
Subsystem sftp internal-sftp

Then, I configured chroot()ing in a match rule.
Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

The directory in which to chroot() must be owned by root. After the call to chroot(), sshd changes directory to the home directory relative to the new root directory. That is why I use / as home directory.
# chown root.root /home/user
# usermod -d / user
# adduser user sftponly

This seems to work as expected:
$ sftp user@host
Connecting to host...
user@host's password:
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean

The only thing I miss is file transfers logging, but I did not investigate this at all. More on this whenever I find some time to do so.

Original source: OpenSSH SFTP chroot() with ChrootDirectory
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] Setting Up an SFTP Chroot Jail on CentOS 6
Starting with RHEL 6/CentOS 6, the bundled OpenSSH is version 5.3, so the directories that SSH/SFTP accounts may access can be restricted by configuration alone, with no need to recompile anything.

1. Create the sftponly group
groupadd sftponly

2. Create the account test
useradd -s /bin/false -G sftponly test
passwd test
chown root /home/test

3. Edit the /etc/ssh/sshd_config settings (at the end of the file)
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Match Group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTCPForwarding no
        ForceCommand internal-sftp

4. Restart the sshd service
service sshd restart

5. Test
Connect with the FileZilla client and confirm that you can log in and upload/download files.

Reference:
http://www.thisisnotsupported.com/sftp-chrootjail-on-centos6/


Original source: 在CentOS 6上設定SFTP Chroot Jail
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
by RAMESH NATARAJAN on MARCH 28, 2012

If you want to setup an account on your system that will be used only to transfer files (and not to ssh to the system), you should setup SFTP Chroot Jail as explained in this article.

In a typical sftp scenario (when chroot sftp is not set up), if you use sftp, you can see root's files as shown below.

If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp. Instead, you should setup Chroot SFTP Jail as explained below.

Non-Chroot SFTP Environment

In the following example (a typical sftp environment), john can sftp to the system, and view /etc folder and download the files from there.
# sftp john@thegeekstuff.com
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john

sftp> ls
projects  john.txt documents

sftp> cd /etc
sftp> ls -l passwd
-rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd

sftp> get passwd
Fetching /etc/passwd to passwd
/etc/passwd     100% 3750     3.7KB/s   00:00

Chroot SFTP Environment

In the following example, john can sftp to the system, and view only the directory that you've designated for john to perform sftp (i.e. /incoming).

When john tries to perform 'cd /etc', it will give an error message. Since SFTP is set up in a chroot environment, john cannot view any other files in the system.
# sftp john@thegeekstuff.com
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john

sftp> ls
sftp> cd /etc
Couldn't canonicalise: No such file or directory

Now that you know what Chroot SFTP environment is, let us see how to set this up.

1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
# groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create a user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

The following command creates guestuser, assigns this user to the sftpusers group, makes /incoming the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh and get shell access).
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser

Verify that the user got created properly.
# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin

If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
# usermod -g sftpusers -d /incoming -s /sbin/nologin john

On a related note, if you have to transfer files from Windows to Linux, use any one of the sftp clients mentioned in this top 7 sftp client list.

3. Setup sftp-server Subsystem in sshd_config

You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).

Modify the /etc/ssh/sshd_config file and comment out the following line:
#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file
Subsystem       sftp    internal-sftp

# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

4. Specify Chroot Directory for a Group

You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

In the above:

Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to the group sftpusers
ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
ForceCommand internal-sftp – This forces the execution of internal-sftp and ignores any commands that are mentioned in the ~/.ssh/rc file.

5. Create sftp Home Directory

Since we've specified /sftp as ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).
# mkdir /sftp

Now, under /sftp, create the individual directories for the users who are part of the sftpusers group, i.e. the users who will be allowed only to perform sftp and will be in the chroot environment.
# mkdir /sftp/guestuser

So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.

So, under this directory /sftp/guestuser, create any subdirectory that you would like the user to see. For example, create an incoming directory where users can sftp their files.
# mkdir /sftp/guestuser/incoming

6. Setup Appropriate Permission

For chroot to work properly, you need to make sure appropriate permissions are set up on the directory you just created above.

Set the ownership to the user, and the group to the sftpusers group as shown below.
# chown guestuser:sftpusers /sftp/guestuser/incoming

The permission will look like the following for the incoming directory.
# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

The permission will look like the following for the /sftp/guestuser directory
# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp

7. Restart sshd and Test Chroot SFTP

Restart sshd:
# service sshd restart

Test the chroot sftp environment. As you see below, when guestuser does sftp, and does "cd /", they'll only see the incoming directory.
# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming

When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.


Original source: How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Share] SSH (SFTP) Chroot Version
A supplementary note: if the ssh chroot setup above runs into a problem like the following:
Starting sshd:/etc/ssh/sshd_config: line 119: Bad configuration option: xSubsystem
/etc/ssh/sshd_config: line 122: Bad configuration option: Match
/etc/ssh/sshd_config: line 123: Bad configuration option: ChrootDirectory
/etc/ssh/sshd_config: line 124: Bad configuration option: XllForwarding
/etc/ssh/sshd_config: line 126: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 5 bad configuration options
                                                           [FAILED]
[root@hkhkgls1089 ssh]#

or:
Starting sshd:/etc/ssh/sshd_config: line 123: Bad configuration option: Match
/etc/ssh/sshd_config: line 124: Bad configuration option: ChrootDirectory
/etc/ssh/sshd_config: line 125: Bad configuration option: XllForwarding
/etc/ssh/sshd_config: line 127: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 4 bad configuration options
                                                           [FAILED]

then it is most likely because the ssh version is too old.
From what I have learned so far, ChrootDirectory seems to be supported only from version 4 onwards (openssh 4.3p2 is confirmed to work).
Check it like this:
rpm -qa |grep ssh


So if you are on CentOS 4, the only option is to update ssh.
Unfortunately yum no longer serves updates for CentOS 4, so you will have to find your own way.
Note: alternatively, upgrading to CentOS 5 or later should also be fine!

One more important point has to be mentioned, so that nobody wastes extra time on this problem the way 冷日 did:
Set the permissions on the chroot directory: wrong directory permissions cause the message "fatal: bad ownership or modes for chroot directory XXXXXX" to appear in the log.
According to the article openssh 5.1 chrootdirectory permissions issue, there are two key points for the directory permissions:
every directory from the one named by ChrootDirectory up to the system root must be owned by root
no directory from the one named by ChrootDirectory up to the system root may have group write permission
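The two permission rules quoted here and in the first post, turned into a check script. This is an added example and not part of the thread: it walks from the ChrootDirectory upwards the way sshd does (every component must be owned by uid 0 and have neither the group nor the world write bit set; sshd rejects both bits, the posts mention only group write) and then runs sshd -t, which is where the "Bad configuration option" lines quoted above would show up before a restart. The optional second argument that stops the walk early and the function names are this example's own choices; the paths used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: check the ownership/mode rule that
# makes sshd log "fatal: bad ownership or modes for chroot directory", then
# run sshd's own configuration check. Path names below are constructed.
#
# sshd walks every component from / down to the ChrootDirectory and aborts if
# any of them is not owned by uid 0 or has the group or world write bit set
# (it checks both bits; the posts above mention only group write).

# Inspect one directory. Prints one line per finding, returns 1 if any.
check_dir() {
    p=$1
    # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric uid
    set -- $(ls -ldn "$p")
    mode=$1; uid=$3
    rc=0
    if [ "$uid" -ne 0 ]; then
        echo "owner-not-root: $p (uid $uid)"; rc=1
    fi
    # character 6 of the mode string is the group write bit, character 9 the world write bit
    case $mode in ?????w*) echo "group-writable: $p"; rc=1 ;; esac
    case $mode in ????????w*) echo "world-writable: $p"; rc=1 ;; esac
    return $rc
}

# Walk from the chroot directory ($1) upwards, checking each level, and stop
# after $2 (default: the real root /). Returns 0 only if every level passes.
check_chroot_path() {
    dir=$1; top=${2:-/}
    status=0
    d=$dir
    while :; do
        check_dir "$d" || status=1
        [ "$d" = "$top" ] && break
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return $status
}

main() {
    dir=${1:?usage: $0 /path/to/chroot}
    if check_chroot_path "$dir"; then
        echo "OK: $dir and all of its parents are root-owned and not group/world-writable"
    else
        echo "FAIL: fix the findings above (chown root, chmod g-w,o-w), then re-run"
        return 1
    fi
    # Syntax errors such as the "Bad configuration option" lines quoted above are
    # caught by sshd -t before the daemon is restarted (needs root to read host keys).
    if command -v sshd >/dev/null 2>&1; then
        sshd -t && echo "sshd_config syntax OK"
    else
        echo "sshd not found in PATH; skipping sshd -t" >&2
    fi
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Usage: `./check-chroot.sh /sftp/guestuser` (or `/chroot`, `/home/test`, whichever directory the Match block names). A chroot placed under a world-writable location such as /tmp fails this check for the same reason sshd refuses it, so the script reports the exact component to fix rather than leaving you to read the sshd log after a failed login.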