Excerpt: https://blog.csdn.net/yanggd1987/article/details/54310686
Requirements
Ordinary users log in to the jump host (springboard machine) via ssh and then ssh on to the other servers in the internal network. The jump host provides only ssh, ls and other basic commands; scp, sftp and local pipes are prohibited so that data cannot be transferred through it. In addition, a logged-in user must be locked into a specific directory so that they cannot browse data on the server.
Normally disk quotas are used to restrict how much data a user can transfer, but a disk quota must be applied to an independent disk partition and cannot be applied to a directory, so the user's home directory would have to be mounted separately; if it sits in the root filesystem, configuring a disk quota has little effect.
The chroot feature of ssh is a good solution to this problem. According to man sshd_config, the chroot function is achieved with the "ChrootDirectory" parameter.
ChrootDirectory: specifies the directory to chroot into after the user has authenticated. The directory and all of its subdirectories must be owned by root, only the root account may write to them, and no other user or group may write to them. After the chroot, sshd changes the user's working directory to the user's own home directory inside the chroot. If there is no corresponding /home/username directory, the user lands directly in the / of the chroot, i.e. the directory defined by ChrootDirectory.
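The ownership rule above is the one that most often breaks a chroot setup: sshd checks every path component from / down to the ChrootDirectory and rejects the login with "bad ownership or modes for chroot directory" if any component is not root-owned or is group/other writable. The following is an added example (not from the original post) that encodes that rule as a pure check plus a walker over a real path; it assumes GNU stat (Linux) and takes the chroot path as an argument.

```bash
#!/bin/bash
# Added example, not from the original post: verify the ownership and mode rules
# that sshd enforces on ChrootDirectory. sshd checks every path component from /
# down to the chroot directory; each must be owned by root (uid 0) and must not be
# writable by group or others, otherwise the login fails with
# "bad ownership or modes for chroot directory".

# Pure rule check: uid and octal mode string as printed by `stat -c %a`
# (e.g. 755 or 1777). Returns 0 when the component is acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    perm=${mode#"${mode%???}"}     # last three octal digits (drop setuid/setgid/sticky)
    g=${perm%?}; g=${g#?}          # group digit
    o=${perm#??}                   # other digit
    case "$g" in 2|3|6|7) return 1 ;; esac   # group write bit set
    case "$o" in 2|3|6|7) return 1 ;; esac   # other write bit set
    return 0
}

# Walk from DIR up to / and report every component that breaks the rule.
# Assumes GNU stat (Linux). Returns 0 only if the whole path is acceptable.
check_chroot_path() {
    cur=$1
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$cur") || return 2
        set -- $info
        if chroot_component_ok "$1" "$2"; then
            echo "ok   $cur (uid=$1 mode=$2)"
        else
            echo "BAD  $cur (uid=$1 mode=$2): must be root-owned and not group/other writable"
            rc=1
        fi
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Usage on the jump host, for the path used in this post:
#   check_chroot_path /var/chroot
```

A consequence worth knowing: a chroot placed under /tmp or under a user's own home can never pass this check, because the world-writable or user-owned parent component fails it; that is why the post builds the tree under /var/chroot and runs chown -R root.root on it.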
Configuration
In this experiment the test user is locked into /var/chroot and, after logging in, can only use ssh, ls and a few other basic commands.
First, create a user
1. Create a test user (do not create the default home directory)
useradd -M test
passwd test
2. Create the user's home directory under the chroot directory
mkdir -p /var/chroot/home/test
chown -R test.test /var/chroot/home/test
chmod 700 /var/chroot/home/test
Second, build a basic chroot environment
Note: a basic chroot environment needs at least one shell (e.g. sh, bash) and the necessary system device files (e.g. /dev/null, /dev/zero). If you want to allow users to run certain commands, you also have to provide the corresponding executables and the libraries those commands depend on.
mkdir -p /var/chroot
cd /var/chroot
mkdir {bin,dev,lib64,etc,home}
mknod dev/null c 1 3
mknod dev/zero c 1 5
# needed by the ssh command; without them it reports: PRNG is not seeded
mknod dev/random c 1 8
mknod dev/urandom c 1 9
# needed by the ssh command; without it it reports: Host key verification failed
mknod dev/tty c 5 0
# make root the owner of /var/chroot and its subdirectories and fix the permissions
chown -R root.root /var/chroot
chmod -R 755 /var/chroot
# allow users to write to these device files; otherwise some commands report write errors
chmod 0666 dev/{null,zero,tty}
# copy /etc/passwd and /etc/group to /var/chroot/etc and delete all user accounts except your own and root.
# without these two files, the login will report "I have no name!"
cp -p /etc/passwd /var/chroot/etc/
cp -p /etc/group /var/chroot/etc/
cat /var/chroot/etc/group
root:x:0:
test:x:516:
cat /var/chroot/etc/passwd
root:x:0:0:root:/root:/bin/bash
test:x:516:516::/home/test:/bin/bash
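Editing the copied passwd and group files by hand is error-prone, and leaving extra accounts in them hands the chrooted user a list of real account names. The following is an added example (not from the original post) that produces the trimmed files the post describes, keeping only root and the users you name; it assumes the chroot path is passed in (the post uses /var/chroot) and is run as root. The sample passwd content is constructed for the self-check and is not taken from a real host.

```bash
#!/bin/bash
# Added example, not from the original post: generate the trimmed /etc/passwd
# and /etc/group for the chroot. The post says to keep only root and your own
# user; this does exactly that, so the chrooted user cannot enumerate the real
# account list. /etc/shadow is deliberately never copied into the chroot.

# Read passwd- or group-format lines on stdin and print only the entries whose
# name is root or one of the allowed user names given as arguments.
filter_accounts() {
    awk -F: -v keep="root $*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        ($1 in allow) { print }
    '
}

# Constructed sample passwd file used for the self-check below (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
test:x:516:516::/home/test:/bin/bash'

# Filter the constructed sample for the "test" user; prints root and test only.
demo_filter() {
    printf '%s\n' "$SAMPLE_PASSWD" | filter_accounts test
}

# Install trimmed copies into the chroot (run as root). CROOT is the chroot
# path, e.g. /var/chroot; the remaining arguments are the users to keep.
install_account_files() {
    croot=$1; shift
    mkdir -p "$croot/etc"
    filter_accounts "$@" < /etc/passwd > "$croot/etc/passwd"
    filter_accounts "$@" < /etc/group  > "$croot/etc/group"
    chmod 644 "$croot/etc/passwd" "$croot/etc/group"
}

# Usage on the jump host: install_account_files /var/chroot test
```

Because the shadow files are never copied, the chrooted environment can resolve names to uids (which is all ssh, ls and id need) but holds no password hashes.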
Third, configure ssh
vim /etc/ssh/sshd_config
# add the following lines at the end of the file, otherwise sshd will report an error
Match User test
ChrootDirectory /var/chroot
# restart sshd
service sshd restart
Fourth, copy the basic commands
The user must have a usable shell after logging in, so /bin/bash is needed, along with other commands such as ls, mkdir and so on.
Note: /bin/ls and /usr/bin/ssh use library files from different directories, so the corresponding directories have to be created under the chroot before the files are copied (the script below handles this).
ldd /bin/ls | awk '{ print $3 }' | grep "/lib" | sort | uniq
/lib64/libacl.so.1
/lib64/libattr.so.1
/lib64/libcap.so.2
/lib64/libc.so.6
/lib64/libdl.so.2
/lib64/libpthread.so.0
/lib64/librt.so.1
/lib64/libselinux.so.1
ldd /usr/bin/ssh | awk '{ print $3 }' | grep "/lib" | sort | uniq
/lib64/libcom_err.so.2
/lib64/libcrypt.so.1
/lib64/libc.so.6
/lib64/libdl.so.2
/lib64/libfipscheck.so.1
/lib64/libfreebl3.so
/lib64/libgssapi_krb5.so.2
/lib64/libk5crypto.so.3
/lib64/libkeyutils.so.1
/lib64/libkrb5.so.3
/lib64/libkrb5support.so.0
/lib64/libnsl.so.1
/lib64/libnspr4.so
/lib64/libplc4.so
/lib64/libplds4.so
/lib64/libpthread.so.0
/lib64/libresolv.so.2
/lib64/librt.so.1
/lib64/libselinux.so.1
/lib64/libutil.so.1
/lib64/libz.so.1
/usr/lib64/libcrypto.so.10
/usr/lib64/libnss3.so
/usr/lib64/libnssutil3.so
Here we use a script:
#!/bin/bash
# comment: after a chroot ssh login, add commands for the user
# list of files the user is allowed to execute
cmdlist="/bin/bash /bin/ls /bin/cp /bin/mkdir /bin/mv /bin/rm /bin/rmdir /usr/bin/ssh /usr/bin/id"
# chroot path
chroot_path="/var/chroot"
# work out the dependent libraries (field 1 catches the dynamic loader line, field 3 the "=>" lines)
lib_1=`ldd $cmdlist | awk '{ print $1 }' | grep "/lib" | sort | uniq`
lib_2=`ldd $cmdlist | awk '{ print $3 }' | grep "/lib" | sort | uniq`
# copy the command files
for i in $cmdlist
do
    if [ ! -d `dirname ${chroot_path}$i` ]; then
        mkdir -p `dirname ${chroot_path}$i`
    fi
    cp -a $i ${chroot_path}$i && echo "$i done"
done
# copy the dependent libraries (lib on i386, lib64 on x86_64)
for j in $lib_1
do
    if [ ! -d `dirname ${chroot_path}$j` ]; then
        mkdir -p `dirname ${chroot_path}$j`
    fi
    cp -f $j ${chroot_path}$j && echo "$j done"
done
for k in $lib_2
do
    if [ ! -d `dirname ${chroot_path}$k` ]; then
        mkdir -p `dirname ${chroot_path}$k`
    fi
    cp -f $k ${chroot_path}$k && echo "$k done"
done
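The script above greps ldd output for "/lib" in two separate passes and gives no way to confirm afterwards that the chroot is complete. The following is an added example (not part of the original post's script) that parses ldd output properly, copies a binary with its libraries, and reports what is still missing under the chroot. It assumes ldd, GNU cp and a Linux layout; the chroot path is whatever you pass in (the post uses /var/chroot), and the sample ldd output is constructed for the self-check, not captured from a real host.

```bash
#!/bin/bash
# Added example, not part of the original post's script: parse ldd output,
# copy a binary plus its libraries into the chroot, and report what is still
# missing. Assumes ldd, GNU cp and a Linux layout; the chroot path is an argument.

# Parse `ldd` output on stdin and print absolute library paths, one per line.
# Handles both line forms: "libc.so.6 => /lib64/libc.so.6 (0x...)" and the
# loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". The vDSO line has no
# file behind it and is skipped.
parse_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\//   { print $3; next }
        $1 ~ /^\// && $2 ~ /^\(0x/ { print $1 }
    ' | sort -u
}

# Constructed sample ldd output for the self-check (not captured from a real host).
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007ffd3a9f0000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0a1c000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0a1c400000)'

demo_parse() { printf '%s\n' "$SAMPLE_LDD" | parse_ldd; }

# Libraries a real binary needs (empty for a statically linked one).
deps_of() { ldd "$1" 2>/dev/null | parse_ldd; }

# Print every dependency of BIN that is absent under CROOT; return 1 if any.
# This cannot see libraries loaded at run time with dlopen, which is why the
# post still has to copy libnss_* by hand for ssh.
missing_libs() {
    croot=$1; bin=$2; rc=0
    for lib in $(deps_of "$bin"); do
        if [ ! -e "$croot$lib" ]; then
            echo "missing: $croot$lib"
            rc=1
        fi
    done
    return $rc
}

# Copy BIN and its libraries into CROOT at the same paths. cp -f follows
# symlinks, so a binary that is a symlink is copied as a real file and still
# works inside the chroot, where the link target would not exist.
install_bin() {
    croot=$1; bin=$2
    for f in "$bin" $(deps_of "$bin"); do
        mkdir -p "$croot$(dirname "$f")"
        cp -f "$f" "$croot$f"
    done
}

# Usage on the jump host, for the post's command list:
#   for c in /bin/bash /bin/ls /usr/bin/ssh /usr/bin/id; do install_bin /var/chroot "$c"; done
#   missing_libs /var/chroot /usr/bin/ssh
```

Running missing_libs after every change to the command list is the quick way to tell a "command not found" caused by a missing binary from one caused by a missing shared library, before anyone logs in to find out.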
At this point the test user can log in and is locked into the /var/chroot/home/test directory; commands such as ls and mkdir work, but the ssh command does not work yet.
ssh test@10.60.80.100
bash-4.1$ mkdir test
bash-4.1$ ls
a test
bash-4.1$ ssh root@10.60.80.101
You don't exist, go away!
This error means that the system could not verify the user name by looking it up in the user database (possibly /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow).
The usual solution is to copy the corresponding files into the chroot directory.
For ssh, what is needed is /lib64/libnss_*; copy these files into the corresponding directory under the chroot.
Solution:
cp /lib64/libnss_* lib64/.
Apart from the above, the prompt after the test user logs in is the default "bash-4.1$"; this is because the environment profile files are missing, and it can be changed as follows:
cp /etc/bashrc /var/chroot/etc/
cp /home/xxx/.bashrc /var/chroot/home/test/
cp /home/xxx/.bash_profile /var/chroot/home/test/
Test
1. Transferring data with scp
scp login_union.py test@10.60.80.100:/home/test
test@10.10.65.100's password:
/etc/bashrc: line 65: id: command not found
/etc/bashrc: line 65: id: command not found
bash: scp: command not found
lost connection
Because the id command was not installed, the login reports "/etc/bashrc: line 65: id: command not found"; adding /usr/bin/id to the script's command list fixes this.
Because the scp command is not installed on the jump host, transferring data from the remote host reports "bash: scp: command not found"; if you want to allow it, simply add "/usr/bin/scp" to the command list in the script.
2. Transferring data with sftp
If you want to allow sftp, simply modify sshd_config as follows:
vim /etc/ssh/sshd_config
Subsystem sftp internal-sftp