当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > Building a Chrooted sftp Environment on Linux

Unix/Linux
看到一个进程完整的命令行
our days
为firefox注册rtsp,mms(转)
一起来学习Linux内核
Linux内核相关的i386硬件
使用PYTHON发送多播数据
100美元笔记本明年出品预计中国定购300万台
iptables 的配置问题?
Squid 错误解决一则:squid: ERROR: No running copy
FVWM新手入门不完全手册
CHATTR命令详解
vi 使用簡明手冊
GTK+2.6安装笔记
xfce 下面支持中文的终端
Fedora core3里Phpldapadmin的配置(一)
我的emacs设定。
老公的“另类”情话
用rpm包装Mysql
目录树概述
RFC文档目录

Unix/Linux 中的 Building a Chrooted sftp Environment on Linux


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 46 ::
收藏到网摘: n/a

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin
Building a Chrooted sftp Environment - Printable ViewThere was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.Building a chrooted sshBy design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net/. Download the tarball for openssh, and the chrootssh patch. Untar the openssh sources, then apply the patch. [urbana@bubbles ssh]$ tar xzf openssh-3.6.1p2.tar.gz[urbana@bubbles ssh]$ cd openssh-3.6.1p2[urbana@bubbles openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diffpatching file session.cNow build the chroooted OpenSSH. [urbana@bubbles openssh-3.6.1p2]$ ./configure --with-md5-password[urbana@bubbles openssh-3.6.1p2]$ makeBefore you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway. [root@bubbles openssh-3.6.1p2]# make installThis goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so: [root@bubbles openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old[root@bubbles openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd[root@bubbles ssh]# service sshd stopStopping sshd: [ OK ][root@bubbles ssh]# service sshd startStarting sshd: [ OK ]Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail. Building a Jail The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz. [root@bubbles u01]# mkdir alcatraz[root@bubbles alcatraz]# mkdir bin dev home lib usr[root@bubbles alcatraz]# cd binCopying the necessary binaries: [root@bubbles bin]# cp /