pam_chroot

[root@node1 ~]# cat /etc/issue

Red Hat Enterprise Linux Serverrelease 5.8 (Tikanga)

Kernel \r on an \m

 

建立测试用户

[root@node1 ~]# useradd test

[root@node1 ~]# mkdir /chroot

[root@node1 ~]# export _DIR=/chroot

[root@node1 ~]# export _USER=test

 

创建必要的设备文件

[root@node1 ~]# mkdir -pv$_DIR/{etc,bin,dev/pts,lib,home/$_USER,proc}

[root@node1 ~]# mknod -m 644$_DIR/dev/tty1 c 4 1

[root@node1 ~]# mknod -m 644$_DIR/dev/tty2 c 4 2

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty3 c 4 3              

[root@node1 ~]# mknod -m 644$_DIR/dev/tty4 c 4 4

[root@node1 ~]# mknod -m 644$_DIR/dev/tty5 c 4 5

[root@node1 ~]# mknod -m 644$_DIR/dev/tty6 c 4 6

[root@node1 ~]# mknod -m 444$_DIR/dev/urandom c 1 9

[root@node1 ~]# mknod -m 666$_DIR/dev/zero c 1 5

[root@node1 ~]# mknod -m 666$_DIR/dev/null c 1 3

[root@node1 ~]# mknod -m 666$_DIR/dev/ptmx c 5 2

 

 

[root@node1 ~]# vim /etc/fstab

devpts          /chroot/dev/pts

devpts

gid=5,mode=620  0 0

proc             /chroot/proc              proc     defaults          0 0

 

[root@node1 ~]# cp /bin/bash/bin/false /bin/pwd /usr/sbin/sshd /bin/true $_DIR/bin/

可以用 ldd 命令查看每个可执行文件需要的 lib

 

[root@node1 lib]# ls $_DIR/lib

ld-linux.so.2     libfipscheck.so.1     libnspr4.so

libaudit.so.0     libgssapi_krb5.so.2  libnss3.so

libcom_err.so.2  libk5crypto.so.3      libnssutil3.so

libcrypto.so.6   libkeyutils.so.1      libpam.so.0

libcrypt.so.1     libkrb5.so.3           libplc4.so

libc.so.6          libkrb5support.so.0  libplds4.so

libdl.so.2         libnsl.so.1             libpthread.so.0

 

配置文件

libresolv.so.2

libselinux.so.1

libsepol.so.1

libtermcap.so.2

libutil.so.1

libwrap.so.0

libz.so.1

[root@node1 ~]# echo "$_USER

[root@node1 ~]# echo "session

[root@node1 ~]# echo "session

$_DIR">>/etc/security/chroot.conf

required     pam_chroot.so" >>/etc/pam.d/sshd

required      pam_chroot.so">>/etc/pam.d/login

[root@node1 ~]# grep"root:\|$_USER" /etc/passwd > $_DIR/etc/passwd

[root@node1 ~]# grep"root:\|$_USER" /etc/group > $_DIR/etc/group

[root@node1 ~]# chown -R root:root$_DIR

[root@node1 ~]# chown -R$_USER:$_USER $_DIR/home/$_USER

 

重新启动服务

[root@node1 ~]# service sshd restart

客户端测试

[root@Server250 ~]# sshtest@192.168.122.10

test@192.168.122.10's password:

-bash-3.2$ ls

-bash: ls: command not found

服务器查看 sshd 进程

[root@node1 ~]# ps -ef | grep sshd

root      10131     1  0 12:06 ?

root      10249 10131  0 12:21 ?

root      10287 10131  0 12:24 ?

test      10291 10287  0 12:24 ?

root      10296 10253  0 12:24 pts/0

00:00:00 /usr/sbin/sshd

00:00:00 sshd: root@pts/0

00:00:00 sshd: test [priv]

00:00:00 sshd: test@pts/1

00:00:00 grep sshd

[root@node1 ~]# ls -l/proc/10291/root

lrwxrwxrwx 1 root root 0 11-05 12:24/proc/10291/root -> /chroot

 

cp /bin/uname  /chroot/bin/
cp /usr/bin/dirname  /chroot/bin/
cp /bin/touch   /chroot/bin/
cp /lib/tls/librt.so.1  /chroot/lib/tls
cp /usr/bin/tty  /chroot/bin/