How to automatically chroot jail selected ssh user logins
Rabu, 06 Februari 2013
0
komentar
http://how-to.linuxcareer.com/how-to-automatically-chroot-jail-selected-ssh-user-logins
You can see the bash's shared library dependencies by executing the ldd command:
Make sure you tune in to our RSS and Linux jobs portal to stay informed about the latest opportunities in the field. Also visit our Linux Forum if you want to share your Linux experiences with us or require additional help.
1. Introduction
In this article we will look on how to automatically chroot jail selected user ssh login based on the user group. This technique can be quite useful if you what your user to be provided with a limited system environment and at the same time keep them separate from your main system. You can also use this technique to create a simple ssh honeypot. In this tutorial you will learn how to create a basic chroot environment and how to configure your main system's sshd to automatically chroot jail selected users upon the ssh login.2. Creating basic chroot environment
First we need to create a simple chroot environment. Our chroot environment will consist of a bash shell. To do this, first, we need to create a chroot directory:# mkdir /var/chrootIn the next step, we need to copy the bash binary and its all shared library dependencies.
You can see the bash's shared library dependencies by executing the ldd command:
Now, we need to manually create all necessary directories and copy /bin/bash and all libraries to the new chroot directory into an appropriate location:
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff9a373000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f24d57af000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f24d55ab000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f24d51eb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f24d59f8000)
# cd /var/chroot/At this point all is ready and we can chroot
# mkdir bin/ lib64/ lib/
# cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/
# cp /lib/x86_64-linux-gnu/libdl.so.2 lib/
# cp /lib/x86_64-linux-gnu/libc.so.6 lib/
# cp /lib64/ld-linux-x86-64.so.2 lib64/
# cp /bin/bash bin/
# chroot /vat/chrootFrom the above you can see that bash is ready but there is not much to do as not even ls command is available. Rather then manually copy all commands and required libraries I have created a simple bash script to aid with this purpose. Create a script with the following content:
bash-4.2# ls /
bash: ls: command not found
#!/bin/bashBy default the above script will create chroot in /var/chroot as defined by the $CHROOT variable. Feel free to change this variable according to your needs. When ready, make the script executable and run it with the file full path to your executables and files you wish to include. For example, if you need: ls, cat, echo, rm, bash, vi then use the which command to get a full path and supply it as an argument to the above chroot.sh script:
# This script can be used to create simple chroot environment
# Written by LinuxCareer.com
# (c) 2013 LinuxCareer under GNU GPL v3.0+
#!/bin/bash
CHROOT='/var/chroot'
mkdir $CHROOT
for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
do
cp --parents $i $CHROOT
done
# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
fi
# ARCH i386
if [ -f /lib/ld-linux.so.2 ]; then
cp --parents /lib/ld-linux.so.2 /$CHROOT
fi
echo "Chroot jail is ready. To access it execute: chroot $CHROOT"
# ./chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hostsNow, you can access your new chroot jail with:
Chroot jail is ready. To access it execute: chroot /var/chroot
# chroot /var/chroot
bash-4.2# echo linuxcareer.com > file
bash-4.2# cat file
linuxcareer.com
bash-4.2# rm file
bash-4.2# vi --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled May 4 2012 04:25:35)
3. Create chroot usergroup
A this point, we need to create a separate usergourp, which will be used by sshd to redirect all users belonging to this usergroup to the chroot jail.$ sudo groupadd chrootjailNow, add any existing users to this group. For example, to add user tester we will execute:
$ sudo adduser tester chrootjail
Adding user `tester' to group `chrootjail' ...
Adding user tester to group chrootjail
Done.
4. Configure sshd for chroot jail
All what remains is to configure sshd to automaticaly redirect all users from the chrootjail usergroup to the chroot jail at /var/chroot. This can be easily done be editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:Match group chrootjailand restarting ssh:
ChrootDirectory /var/chroot/
$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 17175
5. Login to chroot jail using ssh
At this point you can test your settings by log in to you server with configured sshd:$ ssh tester@localhostLooks familiar?
tester@localhost's password:
-bash-4.2$ ls
bin lib lib64 usr
-bash-4.2$
6. Conclusion
As you can see setting the ssh chroot jail is a fairly simple process. If a user does not have its home user directory available in a chroot jail after login s/he will end up in /. You can create and further configure your chroot by creating a user home directory, defining bash environment, etc.Make sure you tune in to our RSS and Linux jobs portal to stay informed about the latest opportunities in the field. Also visit our Linux Forum if you want to share your Linux experiences with us or require additional help.
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: How to automatically chroot jail selected ssh user logins
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke https://androidblackberries.blogspot.com/2013/02/how-to-automatically-chroot-jail.html. Terima kasih sudah singgah membaca artikel ini.Ditulis oleh Unknown
Rating Blog 5 dari 5
0 komentar:
Posting Komentar