Restricting SSH users to a specified directory on Linux

 

http://os.51cto.com/art/201703/534895.htm#topx

http://www.cnblogs.com/lykyl/archive/2011/03/10/1980304.html

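Points to note when using the ChrootDirectory setting
The directory set by ChrootDirectory and all of its parent directories must be owned by root, and only the owner may have write permission; in other words, the most permissive mode allowed is 755. Otherwise sshd reports the error "fatal: bad ownership or modes for chroot directory".
Link files under the user's directory stop working.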
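The ownership rule above can be checked before sshd is restarted. The following script is an added example, not part of the original article: it walks from the chroot path up to / and flags every component that is not owned by uid 0 or that is writable by group or other. The function names are made up for this example, and GNU or busybox stat is assumed.

```shell
#!/bin/sh
# Added example: pre-check a ChrootDirectory path for the condition behind
# "fatal: bad ownership or modes for chroot directory".

# component_ok UID MODE -> 0 when the owner is root (uid 0) and neither
# group nor other has the write bit, i.e. (mode & 022) == 0 (755 or stricter).
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# audit_chroot PATH -> 0 if every component from PATH up to / passes,
# 1 if any component fails, 2 if PATH is not an absolute existing directory.
audit_chroot() {
    case $1 in /*) ;; *) echo "not an absolute path: $1"; return 2 ;; esac
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    rc=0
    while :; do
        # -L follows symlinks, so the directory itself is inspected
        uid=$(stat -L -c %u "$dir")
        mode=$(stat -L -c %a "$dir")
        if component_ok "$uid" "$mode"; then
            echo "ok   $dir (uid=$uid mode=$mode)"
        else
            echo "BAD  $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage with the jail built in this article:
#   audit_chroot /ngbs/readonlyuser
```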

 






useradd readonlyuser;echo -e "123456\n123456\n" |passwd  readonlyuser


mkdir -p /ngbs/readonlyuser/dev/  
cd /ngbs/readonlyuser/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8  

chown root:root /ngbs/readonlyuser
chmod 0755 /ngbs/readonlyuser

mkdir -p /ngbs/readonlyuser/bin
cp  /bin/bash /ngbs/readonlyuser/bin/  
mkdir -p /ngbs/readonlyuser/lib64/  
cp  /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /ngbs/readonlyuser/lib64/  


mkdir /ngbs/readonlyuser/etc
cp -f /etc/{passwd,group} /ngbs/readonlyuser/etc/  
tail -1 /ngbs/readonlyuser/etc/passwd  >/tmp/1.txt ;cat /tmp/1.txt  > /ngbs/readonlyuser/etc/passwd

Note: every time more SSH users are added to the system, the updated account files must be copied to the /ngbs/readonlyuser/etc directory again.


vi /etc/ssh/sshd_config
Add or modify the following lines in this file.
# override default of no subsystems
Subsystem    ssh        /usr/bin/ssh  # change this to ssh

# Example of overriding settings on a per-user basis
Match User readonlyuser  change this to Match User readonlyuser
Below Match User readonlyuser, add this line: ChrootDirectory /ngbs/readonlyuser

That is, it ends up as follows:
# override default of no subsystems
Subsystem        ssh        /usr/bin/ssh

# Example of overriding settings on a per-user basis
Match User readonlyuser
ChrootDirectory /ngbs/readonlyuser
#       X11Forwarding no
#       AllowTcpForwarding no




Restart the sshd service:
/etc/init.d/sshd restart





Next, install a few user commands in the bin directory:
cp /bin/ls /ngbs/readonlyuser/bin/  
cp /bin/cat  /ngbs/readonlyuser/bin/
cp /bin/more  /ngbs/readonlyuser/bin/
cp /usr/bin/less  /ngbs/readonlyuser/bin/
cp /usr/bin/head  /ngbs/readonlyuser/bin/
cp /usr/bin/tail  /ngbs/readonlyuser/bin/

ldd /bin/ls
ldd /bin/cat
ldd /bin/more
ldd /usr/bin/less
ldd /usr/bin/head
ldd /usr/bin/tail

/bin/cp  /lib64/{libselinux.so.1,librt.so.1,libcap.so.2,libacl.so.1,libc.so.6,libdl.so.2,ld-linux-x86-64.so.2,libpthread.so.0,libattr.so.1,libtinfo.so.5,libpcre.so.0}  /ngbs/readonlyuser/lib64/
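The manual ldd and cp steps above can be combined into one helper. This is an added example, not part of the original article: it copies each binary together with every shared object ldd reports into the jail, keeping each file at its original path (so /usr/bin/less lands in /ngbs/readonlyuser/usr/bin/ rather than bin/). The function names are made up for this example.

```shell
#!/bin/sh
# Added example: copy binaries and the libraries they link against into a jail.

# jail_libs BINARY -> prints the absolute path of each shared object that
# ldd resolves; unresolved ones are reported on stderr.
# Run ldd only on trusted system binaries.
jail_libs() {
    ldd "$1" 2>/dev/null |
        awk '/not found/ { print "MISSING " $1 > "/dev/stderr" }
             { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        sort -u
}

# jail_install JAIL BINARY... -> copies each binary and its libraries to the
# same path below JAIL. Returns 1 on the first binary that is not executable.
# Library paths are assumed to contain no whitespace.
jail_install() {
    jail=${1%/}; shift
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
        for src in "$bin" $(jail_libs "$bin"); do
            dest=$jail$src
            mkdir -p "$(dirname "$dest")"
            cp -Lf "$src" "$dest"   # -L copies the target of a symlinked library
        done
    done
}

# Usage with the jail built in this article:
#   jail_install /ngbs/readonlyuser /bin/ls /bin/cat /bin/more \
#       /usr/bin/less /usr/bin/head /usr/bin/tail
```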




Test the SSH chroot jail:
ssh readonlyuser@192.168.0.10


*/1 * * * *   /usr/bin/rsync -a /ngbs/local/JmCash/log/*   /ngbs/readonlyuser/log/
*/1 * * * *  /usr/bin/rsync -a /ngbs/local/JmCash/logs/*   /ngbs/readonlyuser/logs/
*/1 * * * *   /usr/bin/rsync -a /ngbs/local/JmCash/phonelog/*   /ngbs/readonlyuser/phonelog/




Note: creating a soft link from outside the directory into the directory does not work; it fails with the error no such file or directory
ln -s /data/download  /home/test



Note: sftp



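30) External subsystem
 
We can configure an external subsystem, which applies to the SSH-V2 protocol only; sftp is generally used here, as follows:
Subsystem       sftp    /usr/libexec/openssh/sftp-server
If this option is turned off, sftp cannot be used.
Let's look at the communication process when using sftp, as follows:
sftp -v 192.168.27.142        /* connect to the SSH server using sftp */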
Connecting to 192.168.27.142...
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.27.142' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
root@192.168.27.142's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp         /* the sftp subsystem is enabled here */
sftp> 
 
Let's look at the processes on the server:
ps -ef|grep ssh
avahi     1133     1  0 03:08 ?        00:00:00 avahi-daemon: registering [ssh-server.local]
root      1718     1  0 03:14 ?        00:00:00 sshd: root@pts/0 
root      2005     1  0 03:50 ?        00:00:00 /usr/sbin/sshd
root      2023  2005  0 03:52 ?        00:00:00 sshd: root@notty 
root      2025  2023  0 03:52 ?        00:00:00 /usr/libexec/openssh/sftp-server
Note:
We can see that the server started sftp-server to serve the sftp client's request.
 

 

