当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > Building a Chrooted sftp Environment on Linux

Unix/Linux
执行程式:多工与Session
对应DOS与Linux相关的指令
档案维护1.1.档案:前言
在redhat9上建立pppserver
Linux中禁止Ctrl-Alt-Delete
在LinuxShell程序中进行身份验证
使用EnGardeSecureLinux架设站点
RedHatLINUX学习笔记
设置文件所有者权限
./configure,make,make install
温习一下telnet
Downloading ISO's from internet
使人心灵震撼的一组图片
今天是19号, 好几天没有blog了
别人编写的,自己加工过的qmail安装文章,在RH9上绝对没问题
今天晚上自己做的饭,吃得好饱
又多了几天复习时间
查看Linux系统字长
还是vpopmail过不去
陪Yangyh买笔记本

Unix/Linux 中的 Building a Chrooted sftp Environment on Linux


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 161 ::
收藏到网摘: n/a

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin
Building a Chrooted sftp Environment - Printable ViewThere was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.Building a chrooted sshBy design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net/. Download the tarball for openssh, and the chrootssh patch. Untar the openssh sources, then apply the patch. [urbana@bubbles ssh]$ tar xzf openssh-3.6.1p2.tar.gz[urbana@bubbles ssh]$ cd openssh-3.6.1p2[urbana@bubbles openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diffpatching file session.cNow build the chroooted OpenSSH. [urbana@bubbles openssh-3.6.1p2]$ ./configure --with-md5-password[urbana@bubbles openssh-3.6.1p2]$ makeBefore you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway. [root@bubbles openssh-3.6.1p2]# make installThis goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so: [root@bubbles openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old[root@bubbles openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd[root@bubbles ssh]# service sshd stopStopping sshd: [ OK ][root@bubbles ssh]# service sshd startStarting sshd: [ OK ]Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail. Building a Jail The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz. [root@bubbles u01]# mkdir alcatraz[root@bubbles alcatraz]# mkdir bin dev home lib usr[root@bubbles alcatraz]# cd binCopying the necessary binaries: [root@bubbles bin]# cp /