Oooo. Nice work.

One question though. Instead of copying the libraries could you not do a symbolic link instead? That would save disk space and make it easier to handle updates.

Todd M. Wilkinson wrote:

> There have been a lot of questions on this list as of late that highlight the following three subjects.
>
> 1) Restricted shell access to a limited functionality
> 2) Automating ( i.e. passwordless access )
> 3) SCP based ssh connections only.
>
> Some of the following information is my $.02 worth.
>
> Allowing users to cd into another directory, or execute any other function is generally more suited to a function of the shell. There are various paths you can take; an example would be that of the rsh shell or restricted shell. Under Solaris you check out the man page via the command "man -s 1m rsh" or under the GNU version of bash check out the "RESTRICTED SHELL" portion of the bash man pages.
>
> The following procedure has been tested under Solaris 7 using the commercial ssh v3.0.1 from ssh.com. I suspect the following procedures will migrate to other platforms or to the openSSH version of the software, although I imagine with openSSH you will have quite a few more libraries to copy over and will have to modify the PK config files somewhat. The procedures are however sound.
>
> 90% of this can be scripted if you have the $USERHOME variable set up. This does several things, but is designed to lock down an ssh user. Perfect for allowing files to be uploaded into a directory, without giving them additional access.
>
> This does the following.
>
> 1) Chroots them into their home directory
> 2) Places them into a restricted shell, see "man -s 1M rsh"
> 3) They cannot cd into a different directory
> 4) They can only execute programs in their $USERHOME/bin directory ( but not place new ones there )
> 5) Allows them to upload files into their directory, however they cannot execute them.
> 6) As an option, you can limit them to scp only in the last few steps.
>
> --------------------------------STEPS--------------------------------
>
> 1) Add the user account to the system setting the shell to be /bin/rsh
>    Add user(s) to ChrootUsers in /etc/ssh2/sshd2_config
>
> 2) Restart sshd2 server.
>
> 3) Set up the $USERHOME variable to make things easier when executing the following commands.
>
> 4) Make Directories:
>
>    mkdir $USERHOME/bin
>    mkdir $USERHOME/usr
>    mkdir $USERHOME/usr/lib
>    mkdir $USERHOME/dev
>    mkdir $USERHOME/.ssh2
>
> 5) Copy needed binaries:
>
>    cp -p /opt/ssh/bin/sftp-server2 $USERHOME/bin/sftp-server
>    cp -p /usr/lib/rsh $USERHOME/bin
>
> 6) Copy needed libraries:
>
>    cd $USERHOME/usr/lib
>    cp -p /usr/platform/`uname -m`/lib/libc_psr.so.1 .
>    cp -p /usr/lib/ld.so.1 .
>    cp -p /usr/lib/libc.so.1 .
>    cp -p /usr/lib/libcurses.so.1 .
>    cp -p /usr/lib/libdl.so.1 .
>    cp -p /usr/lib/libelf.so.1 .
>    cp -p /usr/lib/libld.so.2 .
>    cp -p /usr/lib/liblddbg.so.4 .
>    cp -p /usr/lib/libmp.so.2 .
>    cp -p /usr/lib/libnsl.so.1 .
>    cp -p /usr/lib/librtld.so.1 .
>    cp -p /usr/lib/libsec.so.1 .
>    cp -p /usr/lib/libsocket.so.1 .
>    cp -p /usr/lib/libgen.so.1 .
>
> 7) Run ldd $USERHOME/bin/sftp-server and check to see if all the needed libraries are in $USERHOME/usr/lib; if you need some, copy them into that directory.
>
> 8) Create needed devices:
>
>    mknod $USERHOME/dev/tcp c 11 42
>    mknod $USERHOME/dev/ticlts c 105 2
>    mknod $USERHOME/dev/ticotsord c 105 1
>    mknod $USERHOME/dev/udp c 11 41
>    mknod $USERHOME/dev/zero c 13 12
>
> 9) Securing their directory:
>
>    chown root $USERHOME/bin
>    chmod 755 $USERHOME/bin
>    rm $USERHOME/.profile
>    rm $USERHOME/.login
>    echo "PATH=$USERHOME/bin;export PATH" > $USERHOME/.profile
>    touch $USERHOME/.login
>    chown root $USERHOME/.profile ; chmod 755 $USERHOME/.profile
>    chown root $USERHOME/.login ; chmod 755 $USERHOME/.login
>
> -----------------------DONE - Password authentication will work now--------------------
> -------------------------------------------------------------------------------------
>
> -----------------------Optional - Setting up Key based authentication------------------
>
> 9) Place the public key that the user generated into the .ssh2 directory along with an authorization file that has an entry that looks like the following. You can optionally enter an Option line as shown below to limit them to coming from a particular host.
>
>    Key keyname.pub
>    Options allow-from="hostname.domainname.com"
>
> 10) To prevent them from uploading a new key and setting a password, do the following:
>
>    chown root $USERHOME/.ssh2
>    chown root $USERHOME/.ssh2/sshkeyname.pub
>    chown root $USERHOME/.ssh2/authorization
>
> 11) Set their password to something nonsensical
>
> That should be it.
>
> ----------------------------ADVANCED OPTIONAL ITEMS--------------------------------------------------
>
> 12) Modify /etc/hosts.allow to only allow particular hosts (with libwrap support)
> 13) Modify the user's .login/.profile with the logout command, or if supporting PK only based authentication add the following Option entry to the authentication file
>
>    "Options command=/usr/bin/sftp-server"
>
>    This should allow only scp file transfers.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-- 
Regards
Frank S. Bernhardt
b.c.s.i.
14 Halton Court
Markham, ON. L3P 6R3
905-471-1691 Voice
905-471-3016 FAX
[EMAIL PROTECTED]
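The quoted procedure is typed into a Bourne shell, so the helpers below, added here as an example and not code from Todd's or Frank's mail, script the file-system part of steps 3 through 9 and add the audit a practitioner would want to run afterwards. They assume the sshd2 ChrootUsers layout the post describes; the function names (needed_libs, copy_libs, make_jail, check_jail), the --setup flag and the list of checks are this example's own. The same example speaks to Frank's symlink question: after chroot(2) an absolute symlink to /usr/lib/libc.so.1 is resolved inside the jail, where it dangles, so the only link-based alternative to copying is a hard link on the same filesystem.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: helpers that script the
# file-system side of the posted chroot/sftp procedure and audit the result.
# Steps that need root or Solaris specifics (copying sftp-server2 and rsh,
# mknod for the devices, chown root) are left to the caller.

# Step 7: turn `ldd` output (stdin) into one absolute library path per line.
# Accepts the Solaris "libc.so.1 => /usr/lib/libc.so.1" form and the GNU
# "libc.so.6 => /lib/libc.so.6 (0x...)" form; unresolved or vdso entries
# carry no path in field 3 and are skipped.
needed_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Step 6: copy each library read from stdin into $jail/usr/lib. A real copy
# (or a hard link on the same filesystem) is required: an absolute symlink
# would be resolved relative to the jail root once the user is chrooted.
copy_libs() {
    jail=$1
    mkdir -p "$jail/usr/lib"
    while read -r lib; do
        if [ -f "$lib" ]; then
            cp -p "$lib" "$jail/usr/lib/"
        fi
    done
}

# Steps 4 and 9: directory skeleton, a .profile that confines PATH to the
# jail's bin (same line the post writes), an empty .login, and modes that
# keep the user from writing to any of them. `chown root` is the caller's job.
make_jail() {
    jail=$1
    mkdir -p "$jail/bin" "$jail/usr/lib" "$jail/dev" "$jail/.ssh2"
    printf 'PATH=%s/bin;export PATH\n' "$jail" > "$jail/.profile"
    : > "$jail/.login"
    chmod 755 "$jail/bin" "$jail/.ssh2" "$jail/.profile" "$jail/.login"
}

# Audit a jail: bin, .ssh2, .profile and .login must exist, be owned by
# $owner (root in the post; parameterised so the check can run unprivileged)
# and be writable only by that owner; .profile must confine PATH; and no
# setuid file may have been copied in. Prints each finding, returns 1 on any.
check_jail() {
    jail=$1
    owner=${2:-root}
    rc=0
    for name in bin .ssh2 .profile .login; do
        p="$jail/$name"
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        # ls -ld: field 3 is the owner; columns 6 and 9 are the group/other write bits
        line=$(ls -ld "$p")
        if [ "$(printf '%s\n' "$line" | awk '{print $3}')" != "$owner" ]; then
            echo "not owned by $owner: $p"; rc=1
        fi
        case $(printf '%s\n' "$line" | cut -c6,9) in
            --) ;;
            *)  echo "group/other writable: $p"; rc=1 ;;
        esac
    done
    if [ -f "$jail/.profile" ] && ! grep -q '^PATH=[^;]*/bin;export PATH$' "$jail/.profile"; then
        echo "PATH not confined in $jail/.profile"; rc=1
    fi
    if find "$jail" -type f -perm -4000 2>/dev/null | grep -q .; then
        echo "setuid file inside $jail"; rc=1
    fi
    return $rc
}

# Usage: sh jail.sh --setup /export/home/upload [expected-owner]
if [ "${1:-}" = "--setup" ] && [ -n "${2:-}" ]; then
    make_jail "$2"
    check_jail "$2" "${3:-root}"
fi
```

Run `ldd $USERHOME/bin/sftp-server | needed_libs | copy_libs $USERHOME` as root after step 5 to do step 6 and 7 in one pass, then re-run `check_jail $USERHOME` after every later change (a new key file in .ssh2, an sshd upgrade) so that a directory or dotfile that silently became user-writable is caught before the user can plant a binary or a key there.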
