it-wiki:linux:ssh_chrooted_jail

Differences

This shows the differences between two versions of the page.

it-wiki:linux:ssh_chrooted_jail [2021/03/10 16:36] – created by marko
it-wiki:linux:ssh_chrooted_jail [2021/03/10 21:06] (current) – [Step 7. Testing SFTP with Chroot Jail] marko
Line 18: Line 18:
 # ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty} # ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
 </code> </code>
-{{ :it-wiki:linux:listing-required-files.png |}}+{{ :it-wiki:linux:listing-required-files.png?nolink |}}
  
 **3.** Now, create the ''/dev'' files as follows using the **mknod command**. In the command below, the ''-m'' flag is used to specify the file permissions bits, ''c'' means character file and the two numbers are major and minor numbers that the files point to. **3.** Now, create the ''/dev'' files as follows using the **mknod command**. In the command below, the ''-m'' flag is used to specify the file permissions bits, ''c'' means character file and the two numbers are major and minor numbers that the files point to.
Line 29: Line 29:
 # mknod -m 666 random c 1 8 # mknod -m 666 random c 1 8
 </code> </code>
-{{ :it-wiki:linux:create-required-files.png |}}+{{ :it-wiki:linux:create-required-files.png?nolink |}}
  
 **4.** Afterwards, set the appropriate permission on the chroot jail. Note that the chroot jail and its subdirectories and subfiles must be owned by **root** user, and not writable by any normal user or group: **4.** Afterwards, set the appropriate permission on the chroot jail. Note that the chroot jail and its subdirectories and subfiles must be owned by **root** user, and not writable by any normal user or group:
Line 37: Line 37:
 # ls -ld /home/test # ls -ld /home/test
 </code> </code>
-{{ :it-wiki:linux:set-permission-on-directory.png |}}+{{ :it-wiki:linux:set-permission-on-directory.png?nolink |}}
  
 ==== Step 2: Setup Interactive Shell for SSH Chroot Jail ==== ==== Step 2: Setup Interactive Shell for SSH Chroot Jail ====
 +**5.** First, create the ''bin'' directory and then copy the ''/bin/bash'' files into the ''bin'' directory as follows:
 +<code bash>
 +# mkdir -p /home/test/bin
 +# cp -v /bin/bash /home/test/bin/
 +</code>
 +{{ :it-wiki:linux:copy-bin-files.png?nolink |}}
 +
 +**6.** Now, identify bash required shared ''libs'', as below and copy them into the ''lib'' directory:
 +<code bash>
 +# ldd /bin/bash
 +# mkdir -p /home/test/lib64
 +# cp -v /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/test/lib64/
 +</code>
 +{{ :it-wiki:linux:copy-shared-library-files.png?nolink |}}
 +
 +==== Step 3: Create and Configure SSH User ====
 +**7.** Now, create the SSH user with the useradd command and set a secure password for the user:
 +<code bash>
 +# useradd tuxi
 +# passwd tuxi
 +</code>
 +
 +**8.** Create the chroot jail general configurations directory, ''/home/test/etc'' and copy the updated account files (**/etc/passwd** and **/etc/group**) into this directory as follows:
 +<code bash>
 +# mkdir /home/test/etc
 +# cp -vf /etc/{passwd,group} /home/test/etc/
 +</code>
 +{{ :it-wiki:linux:copy-password-files.png?nolink |}}
 +
 +**<color red>Note</color>**: Each time you add more SSH users to the system, you will need to copy the updated account files into the ''/home/test/etc'' directory.
 +
 +==== Step 4: Configure SSH to Use Chroot Jail ====
 +**9.** Now, open the ''sshd_config'' file.
 +<code bash>
 +# vi /etc/ssh/sshd_config
 +</code>
 +
 +and add/modify the lines below in the file.
 +<code bash>
 +#define username to apply chroot jail to
 +Match User tecmint
 +#specify chroot jail
 +ChrootDirectory /home/test
 +</code>
 +{{ :it-wiki:linux:configure-ssh-chroot-jail.png?nolink |}}
 +
 +Save the file and exit, and restart the SSHD services:
 +<code bash>
 +# systemctl restart sshd
 +</code>
 +
 +==== Step 5: Testing SSH with Chroot Jail ====
 +**10.** At this point, test if the chroot jail setup is working as expected:
 +<code bash>
 +# ssh tecmint@192.168.0.10
 +-bash-4.1$ ls
 +-bash-4.1$ date
 +-bash-4.1$ uname
 +</code>
 +{{ :it-wiki:linux:testing-ssh-user-chroot-jail.png?nolink |}}
 +
 +From the screenshot above, we can see that the SSH user is locked in the chrooted jail, and can’t run any external commands (ls, date, uname etc).
 +
 +The user can only execute bash and its builtin commands such as(pwd, history, echo etc) as seen below:
 +<code bash>
 +# ssh tecmint@192.168.0.10
 +-bash-4.1$ pwd
 +-bash-4.1$ echo "Tecmint - Fastest Growing Linux Site"
 +-bash-4.1$ history
 +</code>
 +{{ :it-wiki:linux:ssh-builtin-commands.png?nolink |}}
 +
 +==== Step 6. Create SSH User’s Home Directory and Add Linux Commands ====
 +**11.** From the previous step, we can notice that the user is locked in the root directory, we can create a home directory for the the SSH user like so (do this for all future users):
 +<code bash>
 +# mkdir -p /home/test/home/tecmint
 +# chown -R tecmint:tecmint /home/test/home/tecmint
 +# chmod -R 0700 /home/test/home/tecmint
 +</code>
 +{{ :it-wiki:linux:create-ssh-user-home-directory.png?nolink |}}
 +
 +**12.** Next, install a few user commands such as ls, date, mkdir in the ''bin'' directory:
 +<code bash>
 +# cp -v /bin/ls /home/test/bin/
 +# cp -v /bin/date /home/test/bin/
 +# cp -v /bin/mkdir /home/test/bin/
 +</code>
 +{{ :it-wiki:linux:add-commands-to-ssh-user.png?nolink |}}
 +
 +**13.** Next, check the shared libraries for the commands above and move them into the chrooted jail libraries directory:
 +<code bash>
 +# ldd /bin/ls
 +# cp -v /lib64/{libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} /home/test/lib64/
 +</code>
 +{{ :it-wiki:linux:copy-shared-libraries.png?nolink |}}
 +
 +==== Step 7. Testing SFTP with Chroot Jail ====
 +**14.** Do a final test using sftp; check if the commands you have just installed are working.
 +
 +Add the line below in the ''/etc/ssh/sshd_config'' file:
 +<code bash>
 +#Enable sftp to chrooted jail 
 +ForceCommand internal-sftp
 +</code>
 +
 +Save the file and exit. Then restart the SSHD services:
 +<code bash>
 +# systemctl restart sshd
 +</code>
 +
 +**15.** Now, test using SSH, you’ll get the following error:
 +<code bash>
 +# ssh tecmint@192.168.0.10
 +</code>
 +{{ :it-wiki:linux:test-ssh-chroot-jail.png?nolink |}}
 +
 +Try using SFTP as follows:
 +<code>
 +# sftp tecmint@192.168.0.10
 +</code>
 +{{ :it-wiki:linux:testing-sftp-ssh-user.png?nolink |}}
 +
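Review bot: the account created in step 7 (''useradd tuxi'') is not the account the rest of the hunk configures and tests (''Match User tecmint'', ''ssh tecmint@192.168.0.10'', ''/home/test/home/tecmint''), so as written the ''ChrootDirectory'' block never applies to the user that was actually created; use one name consistently in steps 7, 9, 10, 11 and 15. On the sshd_config steps: ''ForceCommand internal-sftp'' in step 14 only restricts the jailed user if it sits inside the ''Match User'' block (sshd applies the settings after a ''Match'' line until the next ''Match'' or end of file), so show it directly under ''ChrootDirectory /home/test'' rather than as a line to add somewhere "in the file". Step 8 copies the complete ''/etc/passwd'' and ''/etc/group'' into the jail, which shows the jailed user every account name on the host; copying only the lines for root and the jailed user is enough for name resolution inside the jail. The library lists in steps 6 and 13 are one distribution's ''ldd'' output (''libtinfo.so.5'', ''libpcre.so.1''), so the text should tell the reader to copy whatever ''ldd'' prints on their own host instead of the literal list. Minor: the last fence (''sftp tecmint@192.168.0.10'') is a bare ''<code>'' while every other block is ''<code bash>''.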
it-wiki/linux/ssh_chrooted_jail.1615394177.txt.gz · Last modified: by marko