当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > Building a Chrooted sftp Environment on Linux

Unix/Linux
Linux操作系统中使用Windows分区
红旗Linux与Windows双系统中开机时自动进入windows
红旗Linux 简介
红旗Linux桌面版5.0下载
重装Windows后重新恢复进入红旗Linux
红旗Linux6.0SP1 一些问题
红旗6.0一步一步搞定cdma无线网卡
红旗6.0如何挂载ntfs分区
红旗6.0下安装VirtualBox
从root用户切换到其他用户
红旗5中使用SAPGUI中遇到的问题及解决办法
红旗linux下GPRS无线上网拨号
RedFlag6 Vmware Tools安装和配置
红旗Linux桌面版 6.0 sp1下载地址
开启红旗LINUX6.0 SSH
红旗Linux5.0桌面正式版光盘安装图解
重装WINDOWS后引导红旗linux
红旗6.0sp1 分辨率没法调整解决方案
红旗Linux 6.0桌面版安装图解
红旗Linux4.1下安装配置Apahce+Tomcat+PHP+mySQL+vsFTPd

Unix/Linux 中的 Building a Chrooted sftp Environment on Linux


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 115 ::
收藏到网摘: n/a

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin
Building a Chrooted sftp Environment - Printable ViewThere was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.Building a chrooted sshBy design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net/. Download the tarball for openssh, and the chrootssh patch. Untar the openssh sources, then apply the patch. [urbana@bubbles ssh]$ tar xzf openssh-3.6.1p2.tar.gz[urbana@bubbles ssh]$ cd openssh-3.6.1p2[urbana@bubbles openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diffpatching file session.cNow build the chroooted OpenSSH. [urbana@bubbles openssh-3.6.1p2]$ ./configure --with-md5-password[urbana@bubbles openssh-3.6.1p2]$ makeBefore you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway. [root@bubbles openssh-3.6.1p2]# make installThis goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so: [root@bubbles openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old[root@bubbles openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd[root@bubbles ssh]# service sshd stopStopping sshd: [ OK ][root@bubbles ssh]# service sshd startStarting sshd: [ OK ]Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail. Building a Jail The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz. [root@bubbles u01]# mkdir alcatraz[root@bubbles alcatraz]# mkdir bin dev home lib usr[root@bubbles alcatraz]# cd binCopying the necessary binaries: [root@bubbles bin]# cp /