There have been a lot of questions on this list as of late that highlight the following three subjects.

1)      Restricted shell access to limited functionality
2)      Automating (i.e. passwordless access)
3)      SCP-based ssh connections only

Some of the following information is my $.02 worth.



Allowing users to cd into another directory, or execute any other function, is generally more suited to a function of the shell. There are various paths you can take; an example would be that of the rsh shell, or restricted shell. Under Solaris you can check out the man page via the command "man -s 1m rsh", or under the GNU version of bash check out the "RESTRICTED SHELL" portion of the bash man pages.


The following procedure has been tested under Solaris 7 using the commercial ssh v3.0.1 from ssh.com. I suspect the following procedures will migrate to other platforms or to the OpenSSH version of the software, although I imagine with OpenSSH you will have quite a few more libraries to copy over and will have to modify the PK config files somewhat. The procedures are, however, sound.

90% of this can be scripted if you have the $USERHOME variable set up.
This does several things, but is designed to lock down an ssh user. Perfect
for allowing files to be uploaded into a directory, without giving them additional access.

        This does the following:

        1)      Chroots them into their home directory
        2)      Places them into a restricted shell (see "man -s 1M rsh")
        3)      They cannot cd into a different directory
        4)      They can only execute programs in their $USERHOME/bin directory (but cannot place new ones there)
        5)      Allows them to upload files into their directory; however, they cannot execute them
        6)      As an option, you can limit them to scp only in the last few steps

--------------------------------STEPS--------------------------------

1)      Add the user account to the system, setting the shell to /bin/rsh.
        Add the user(s) to ChrootUsers in /etc/ssh2/sshd2_config.
        
2)      Restart sshd2 server.

3)      Set up the $USERHOME variable to make things easier when executing the
        following commands.


4)      Make Directories:

mkdir $USERHOME/bin
mkdir $USERHOME/usr
mkdir $USERHOME/usr/lib
mkdir $USERHOME/dev
mkdir $USERHOME/.ssh2

5)      Copy needed binaries:

cp -p /opt/ssh/bin/sftp-server2 $USERHOME/bin/sftp-server
cp -p /usr/lib/rsh $USERHOME/bin


6)      Copy needed libraries:

cd $USERHOME/usr/lib
cp -p /usr/platform/`uname -m`/lib/libc_psr.so.1 .
cp -p /usr/lib/ld.so.1 .
cp -p /usr/lib/libc.so.1 .
cp -p /usr/lib/libcurses.so.1 .
cp -p /usr/lib/libdl.so.1 .
cp -p /usr/lib/libelf.so.1 .
cp -p /usr/lib/libld.so.2 .
cp -p /usr/lib/liblddbg.so.4 .
cp -p /usr/lib/libmp.so.2 .
cp -p /usr/lib/libnsl.so.1 .
cp -p /usr/lib/librtld.so.1 .
cp -p /usr/lib/libsec.so.1 .
cp -p /usr/lib/libsocket.so.1 .
cp -p /usr/lib/libgen.so.1 .

7)      Run ldd $USERHOME/bin/sftp-server and check that all the needed libraries are in
        $USERHOME/usr/lib; if some are missing, copy them into that directory.

8)      Create needed devices:

mknod $USERHOME/dev/tcp c 11 42
mknod $USERHOME/dev/ticlts c 105 2
mknod $USERHOME/dev/ticotsord c 105 1
mknod $USERHOME/dev/udp c 11 41
mknod $USERHOME/dev/zero c 13 12

9)      Securing their directory:

chown root $USERHOME/bin
chmod 755 $USERHOME/bin
rm $USERHOME/.profile
rm $USERHOME/.login
echo "PATH=$USERHOME/bin;export PATH" > $USERHOME/.profile
touch $USERHOME/.login
chown root $USERHOME/.profile ; chmod 755 $USERHOME/.profile
chown root $USERHOME/.login ; chmod 755 $USERHOME/.login

-----------------------DONE: Password authentication will work now--------------------
-------------------------------------------------------------------------------------
-----------------------Optional: Setting up key-based authentication------------------

10) Place the public key that the user generated into the .ssh2 directory, along with an
authorization file that has an entry like the following. You can optionally enter an
Options line as shown below to limit them to coming from a particular host.


Key keyname.pub
Options allow-from="hostname.domainname.com"


11) To prevent them from uploading a new key and setting a password, do the following:

chown root $USERHOME/.ssh2
chown root $USERHOME/.ssh2/sshkeyname.pub
chown root $USERHOME/.ssh2/authorization

12) Set their password to something nonsensical.


That should be it.



----------------------------ADVANCED OPTIONAL ITEMS--------------------------------------------------

13)     Modify /etc/hosts.allow to only allow particular hosts (with libwrap support).
14)     Modify the user's .login/.profile with the logout command, or, if supporting
        PK-only based authentication, add the following Options entry to the
        authorization file:

        "Options command=/usr/bin/sftp-server"
        This should allow only scp file transfers.



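The procedure above, scripted as an added example (this is not code from the original post or from ssh.com). It assumes that once sshd2 chroots the login the user's home directory is "/", so the restricted PATH inside the jail is /bin; that sshd2's authorization file takes several comma-separated options on one Options line; and it takes the forced sftp-server path, key file name and allowed host as parameters. Library detection parses ldd output, which on Solaris and on glibc systems puts the resolved file in the third field after "=>". The audit at the end checks the two things that undo the lockdown: control files the jailed user owns, and uploads carrying an execute bit.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that mechanise steps
# 4-10 of the chroot procedure and then audit the result.
# Assumptions (not stated on the page): inside the sshd2 chroot the user's
# home is "/", so PATH is /bin; sshd2 accepts comma-separated options on one
# "Options" line; forced command, key file and allowed host are parameters.

# Print the unique absolute library paths named in ldd output read on stdin.
needed_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Read ldd output on stdin and print each library not yet present in
# $1/usr/lib (step 7 done mechanically instead of by eye).
missing_libs() {
    root=$1
    needed_libs | while read -r lib; do
        [ -e "$root/usr/lib/$(basename "$lib")" ] || echo "$lib"
    done
}

# Fill $1/usr/lib from the real ldd output of the binaries given as the
# remaining arguments, keeping mode and ownership (-p) as the post does.
copy_libs() {
    root=$1; shift
    mkdir -p "$root/usr/lib"
    for bin in "$@"; do ldd "$bin"; done | missing_libs "$root" |
        while read -r lib; do cp -p "$lib" "$root/usr/lib/"; done
}

# Write the restricted-shell .profile (PATH is the jail's /bin only) and an
# empty .login; the chown root / chmod 755 of step 9 is left to the caller.
write_profile() {
    printf 'PATH=/bin; export PATH\n' > "$1/.profile"
    : > "$1/.login"
}

# Write .ssh2/authorization in the format used in the post:
#   Key <public key file>
#   Options allow-from="<host>",command="<forced command>"
# $1 = jail root, $2 = key file, $3 = allowed host, $4 = forced command
# (pass "" to allow the interactive restricted shell instead of sftp only).
write_authorization() {
    root=$1; key=$2; host=$3; cmd=$4
    mkdir -p "$root/.ssh2"
    {
        echo "Key $key"
        if [ -n "$cmd" ]; then
            echo "Options allow-from=\"$host\",command=\"$cmd\""
        else
            echo "Options allow-from=\"$host\""
        fi
    } > "$root/.ssh2/authorization"
}

# Audit the jail: control files owned by the jailed user (who could then
# rewrite PATH, the key or the forced command), and uploaded files with any
# execute bit. Prints one finding per line; returns 1 if any, 0 when clean.
# $1 = jail root, $2 = the jailed user's login name.
audit_chroot() {
    root=$1; user=$2
    findings=$(
        for f in bin .profile .login .ssh2 .ssh2/authorization; do
            [ -e "$root/$f" ] || continue
            [ "$(ls -ld "$root/$f" | awk '{ print $3 }')" = "$user" ] &&
                echo "user-owned: $f"
        done
        # Everything outside bin/, usr/ and .ssh2/ (and the two root-owned
        # dot files) is upload space. -path and numeric -perm are POSIX.
        cd "$root" &&
        find . \( -path ./bin -o -path ./usr -o -path ./.ssh2 \) -prune -o \
             -type f ! -name .profile ! -name .login \
             \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
            while read -r f; do echo "executable upload: ${f#./}"; done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run the population functions as root after step 9 (the chown root calls still apply), then re-run `audit_chroot /export/home/ftpuser ftpuser` whenever the account is touched; a clean run prints nothing and exits 0, which makes it easy to wire into a cron job or a post-provisioning check.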