当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > Building a Chrooted sftp Environment on Linux

Unix/Linux
第三章 在Debian上用Exim配置邮件服务器
Sendmail邮件服务器快速指南 1
Sendmail邮件服务器快速指南 2
Sendmail邮件服务器快速指南 3
使用sendmail配置企业简易邮件系统
RedHatLinux AS3中配置sendmail服务器
RedHatLinux AS3中APACHE+SendMail+OpenWebMail整合
Linux下DNS服务器架设攻略
Linux下DNS服务器架设攻略 2
Linux下DNS服务器架设攻略 3
Linux内核配置选项
域名解析 A记录 MX记录 CNAME记录 TTL
DNS轮循的一些介绍
netfilter/iptables模块编译及应用
和大家一起分享不错的iptables
构筑Linux防火墙之IPtables的概念与用法(1)
构筑Linux防火墙之IPtables的概念与用法(2)
Linux架设DNS服务器(一)
Linux架设DNS服务器(二)
邮件传输原理及相关入门知识概述

Unix/Linux 中的 Building a Chrooted sftp Environment on Linux


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 48 ::
收藏到网摘: n/a

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin
Building a Chrooted sftp Environment - Printable ViewThere was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.Building a chrooted sshBy design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net/. Download the tarball for openssh, and the chrootssh patch. Untar the openssh sources, then apply the patch. [urbana@bubbles ssh]$ tar xzf openssh-3.6.1p2.tar.gz[urbana@bubbles ssh]$ cd openssh-3.6.1p2[urbana@bubbles openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diffpatching file session.cNow build the chroooted OpenSSH. [urbana@bubbles openssh-3.6.1p2]$ ./configure --with-md5-password[urbana@bubbles openssh-3.6.1p2]$ makeBefore you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway. [root@bubbles openssh-3.6.1p2]# make installThis goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so: [root@bubbles openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old[root@bubbles openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd[root@bubbles ssh]# service sshd stopStopping sshd: [ OK ][root@bubbles ssh]# service sshd startStarting sshd: [ OK ]Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail. Building a Jail The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz. [root@bubbles u01]# mkdir alcatraz[root@bubbles alcatraz]# mkdir bin dev home lib usr[root@bubbles alcatraz]# cd binCopying the necessary binaries: [root@bubbles bin]# cp /