当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > Building a Chrooted sftp Environment on Linux

Unix/Linux
Linux安全攻略 如何才能让内存不再泄漏
八大原因 让Linux远离普通用户
Linux下如何限制Root用户进行远程登陆
DenyHosts 阻止SSH暴力破解最好的方法
十一条守则 确保Linux系统安全的好办法
了解Linux系统内核安全的入侵侦察系统
斩断Linux邮件服务器上的垃圾邮件魔掌
Linux Ext3文件被删除后的恢复方法介绍
IP安全加密 IPSec安全技术全面接触
实用技巧 使用MD5加密GRUB密码操作步骤
感染Linux系统脚本程序的病毒技术介绍
使用 mailman 架设邮件列表
RedHat9.0下的DNS和虚拟主机的配置
利用IP 别名托管多个SSL 站点
嵌入式Linux在工业控制领域中的应用
用SSH客户端软件登录到服务器
Linux内核: 修改TCP/IP调优参数
实现Windows与Unix、Linux间数据交换
使用Linux脚本对无线网络进行管理
Linux下的网络HOOK实现以及使用方法

Unix/Linux 中的 Building a Chrooted sftp Environment on Linux


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 143 ::
收藏到网摘: n/a

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin
Building a Chrooted sftp Environment - Printable ViewThere was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.Building a chrooted sshBy design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net/. Download the tarball for openssh, and the chrootssh patch. Untar the openssh sources, then apply the patch. [urbana@bubbles ssh]$ tar xzf openssh-3.6.1p2.tar.gz[urbana@bubbles ssh]$ cd openssh-3.6.1p2[urbana@bubbles openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diffpatching file session.cNow build the chroooted OpenSSH. [urbana@bubbles openssh-3.6.1p2]$ ./configure --with-md5-password[urbana@bubbles openssh-3.6.1p2]$ makeBefore you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway. [root@bubbles openssh-3.6.1p2]# make installThis goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so: [root@bubbles openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old[root@bubbles openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd[root@bubbles ssh]# service sshd stopStopping sshd: [ OK ][root@bubbles ssh]# service sshd startStarting sshd: [ OK ]Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail. Building a Jail The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz. [root@bubbles u01]# mkdir alcatraz[root@bubbles alcatraz]# mkdir bin dev home lib usr[root@bubbles alcatraz]# cd binCopying the necessary binaries: [root@bubbles bin]# cp /