What’s new in OpenBSD 4.3 之:Chroot in OpenSSH.
原文: http://openbsd.maroufi.net/sshchroot.shtml
译文:
From OpenBSD 4.3 OpenSSH has the new function ChrootDirectory. This is one of many (including me) long desired function, which up a new environment for SSH considerably simplified. Previously was a chroot SSH very complicated to configure. How does this new feature?Only SFTP access
If you want to for its users only SFTP access is the creation of even more simple.
In / etc / ssh / sshd_config, the parameters in subsystem sftp on internal-sftp converted:
Subsystem SFTP internal-SFTP
Then you can users or user groups to assign chroot directory. This is the best match with the directive of sshd:
Match Group sftpuser
ChrootDirectory /home
ForceCommand internal-sftp
AllowTCPForwarding no
In this case, of course, only the group sftpuser exist. Then, each user group sftpuser the directory / home as his / directory. The ChrootDirectory must always be a directory, the root, and not write for normal users. That is typically not the home directory of a user to ChrootDirectory, but also a directory
In addition, you can still order the path to the home directory can be a symbolic link set:
cd /home
ln -s . home
Shell-User
If users are not only sftp can use, but also directly on the shell can work, is something additional configuration needed. The Force Command internal-sftp from above, however, must be removed so that other commands work.
For a shell can be used to be such a course within the ChrootDirectory exist. In addition, even a few device files under / dev. Therefore, within the ChrootDirectory the directories dev and I can be:
cd /home
mkdir bin dev
Now the necessary equipment files. It should also ChrootDirectory not in a directory that complies with the option nodev mounted. An device files are arandom, zero, zero, stdin, stderr, stdout and tty requires:
Device files on the partition activate:
mount -u -o dev /home
This change permanent (remove the nodev option in the / etc / fstab):
vi /etc/fstab
Next on the shell:
cd /home/dev
mknod -m 644 arandom c 45 4
mknod -m 666 null c 2 2
mknod -m 666 zero c 2 12
mknod -m 666 stderr c 22 2
mknod -m 666 stdin c 22 0
mknod -m 666 stdout c 22 1
mknod -m 666 tty c 1 0
Now you just have the shell and other needed programs / bin ChrootDirectory to copy. It must be under no dependencies OpenBSD take due account of all software in / bin are under OpenBSD statically compiled:
cd /home/bin
cp -p /bin/ksh .
cp -p /bin/cp .
cp -p /bin/ls .
cp -p /bin/mkdir .
cp -p /bin/mv .
cp -p /bin/rm .
cp -p /bin/rmdir .
cp -p /bin/sleep .
cp -p /bin/test .
cp -p /bin/tar .
ln tar cpio
ln tar pax
ln ksh sh
ln ksh rksh
ln test [
As with most of this low not require basic equipment will be more programs from / usr / bin. These can dependencies to libraries from / usr / lib, the man with the utility ldd can examine and then must be copied. It is also possible that some programs other directories and / or files need such as / usr / share or directories under / var or tmp directory. This must be on an individual basis. This is a first simple example:
cd /home
mkdir -p usr/bin
mkdir usr/lib
mkdir usr/libexec
ldd /usr/bin/env
cp -p /usr/bin/env usr/bin
cp -p /usr/lib/libc.so.43.0 usr/lib
cp -p /usr/libexec/ld.so usr/libexec
ldd /usr/bin/grep
cp -p /usr/bin/grep usr/bin
cp -p /usr/lib/libz.so.4.1 usr/lib
cd usr/bin
ln grep egrep
ln grep fgrep
ln grep zgrep
ln grep zegrep
ln grep zfgrep
Something complicate the vi editor. It needs more temporary directories and the terminal database / etc / termcap:
cd /home
ldd /usr/bin/vi
cp -p /usr/bin/vi usr/bin
cp -p /usr/lib/libcurses.so.10.0 usr/lib
cd usr/bin
ln vi ex
ln vi view
cd ../..
mkdir etc var
cp -p /etc/termcap etc
mkdir -m 1777 tmp
mkdir -m 1777 var/tmp
Who also would like the ls command with the correct user name and groups can be displayed even the two files / etc / group and / etc / pwd.db into ChrootDirectory copy. They contain no passwords:
cd /home
cp -p /etc/group etc
cp -p /etc/pwd.db etc
If the SSH User not mutually into your home directories can look to still have the rights to the home directories even corrected:
cd /home
chmod 700 username
On a Web could also look like (if / var / www / users instead of the previously described / home was used):
cd /var/www/users
chgrp www username
chmod 710 username
