Restricting SSH users to a specified directory on Linux



    http://os.51cto.com/art/201703/534895.htm#topx

    http://www.cnblogs.com/lykyl/archive/2011/03/10/1980304.html

    Points to note when using ChrootDirectory:
    The directory given to ChrootDirectory, and every one of its parent directories, must be owned by root, and only the owner may have write permission; in other words the most permissive mode allowed is 755. Otherwise sshd fails with an error like "fatal: bad ownership or modes for chroot directory".
    Symbolic links in the user's directory stop working.






    Create the restricted user and set its password (passwd reads the new password twice, so it is supplied on two lines):
    useradd readonlyuser; echo -e "123456\n123456" | passwd readonlyuser


    Create the jail root and the device nodes a shell needs:
    mkdir -p /ngbs/readonlyuser/dev/
    cd /ngbs/readonlyuser/dev/
    mknod -m 666 null c 1 3
    mknod -m 666 tty c 5 0
    mknod -m 666 zero c 1 5
    mknod -m 666 random c 1 8  

    The jail root must be owned by root and not writable by anyone else (see the note above):
    chown root:root /ngbs/readonlyuser
    chmod 0755 /ngbs/readonlyuser

    Copy the shell and the shared libraries it needs into the jail:
    mkdir -p /ngbs/readonlyuser/bin
    cp /bin/bash /ngbs/readonlyuser/bin/
    mkdir -p /ngbs/readonlyuser/lib64/
    cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /ngbs/readonlyuser/lib64/


    Copy the account files into the jail, keeping only the jailed user's passwd entry (readonlyuser was added last, so it is the final line of /etc/passwd):
    mkdir /ngbs/readonlyuser/etc
    cp -f /etc/{passwd,group} /ngbs/readonlyuser/etc/
    tail -1 /ngbs/readonlyuser/etc/passwd > /tmp/1.txt; cat /tmp/1.txt > /ngbs/readonlyuser/etc/passwd

    Note: every time more SSH users are added to the system, the updated account files have to be copied into the /ngbs/readonlyuser/etc directory again.


    vi /etc/ssh/sshd_config
    Add or modify the following lines in this file.
    # override default of no subsystems
    Subsystem    ssh        /usr/bin/ssh  (changed to ssh here)

    # Example of overriding settings on a per-user basis
    Change the example Match User line to: Match User readonlyuser
    Below Match User readonlyuser add this line: ChrootDirectory /ngbs/readonlyuser

    That is, the result looks like this:
    # override default of no subsystems
    Subsystem        ssh        /usr/bin/ssh

    # Example of overriding settings on a per-user basis
    Match User readonlyuser
    ChrootDirectory /ngbs/readonlyuser
    #       X11Forwarding no
    #       AllowTcpForwarding no




    Restart the sshd service:
    /etc/init.d/sshd restart





    Next, install a few user commands into the bin directory:
    cp /bin/ls /ngbs/readonlyuser/bin/  
    cp /bin/cat  /ngbs/readonlyuser/bin/
    cp /bin/more  /ngbs/readonlyuser/bin/
    cp /usr/bin/less  /ngbs/readonlyuser/bin/
    cp /usr/bin/head  /ngbs/readonlyuser/bin/
    cp /usr/bin/tail  /ngbs/readonlyuser/bin/

    Use ldd to list the shared libraries each command needs, then copy them into the jail's lib64:
    ldd /bin/ls
    ldd /bin/cat
    ldd /bin/more
    ldd /usr/bin/less
    ldd /usr/bin/head
    ldd /usr/bin/tail

    /bin/cp  /lib64/{libselinux.so.1,librt.so.1,libcap.so.2,libacl.so.1,libc.so.6,libdl.so.2,ld-linux-x86-64.so.2,libpthread.so.0,libattr.so.1,libtinfo.so.5,libpcre.so.0}  /ngbs/readonlyuser/lib64/




    Test the SSH chroot jail:
    ssh readonlyuser@192.168.0.10


    Cron entries that copy the application logs into the jail every minute:
    */1 * * * *   /usr/bin/rsync -a /ngbs/local/JmCash/log/*   /ngbs/readonlyuser/log/
    */1 * * * *  /usr/bin/rsync -a /ngbs/local/JmCash/logs/*   /ngbs/readonlyuser/logs/
    */1 * * * *   /usr/bin/rsync -a /ngbs/local/JmCash/phonelog/*   /ngbs/readonlyuser/phonelog/




    Note: linking content from outside the jail into it with a symbolic link does not work; inside the chroot it fails with no such file or directory:
    ln -s /data/download /home/test



    Note on sftp:



    30) External subsystems
     
    An external subsystem can be configured; it applies only to the SSH-2 protocol, and sftp is what is normally configured here, as follows:
    Subsystem       sftp    /usr/libexec/openssh/sftp-server
    If this option is disabled, sftp cannot be used.
    Let's look at the communication process when connecting with sftp:
    sftp -v 192.168.27.142        /* connect to the ssh server using sftp */
    Connecting to 192.168.27.142...
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type 1
    debug1: identity file /root/.ssh/id_dsa type 2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '192.168.27.142' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
    debug1: Next authentication method: password
    root@192.168.27.142's password: 
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending subsystem: sftp         /* the sftp subsystem is requested here */
    sftp> 
     
    Now look at the processes on the server side:
    ps -ef|grep ssh
    avahi     1133     1  0 03:08 ?        00:00:00 avahi-daemon: registering [ssh-server.local]
    root      1718     1  0 03:14 ?        00:00:00 sshd: root@pts/0 
    root      2005     1  0 03:50 ?        00:00:00 /usr/sbin/sshd
    root      2023  2005  0 03:52 ?        00:00:00 sshd: root@notty 
    root      2025  2023  0 03:52 ?        00:00:00 /usr/libexec/openssh/sftp-server
    Note:
    The server has started sftp-server to serve the sftp client's request.
     

     

Original article: https://www.cnblogs.com/MYSQLZOUQI/p/7131872.html