CentOS OpenSSH Server 6.1 chroot configuration guide

Source: Internet   Published: 鼎力测试软件下载   Editor: 程序博客网   Time: 2024/06/07 11:03


Using ssh's powerful chroot feature

Before openssh 4.8p1, supporting chroot required third-party patches. From openssh 4.8p1 on, chroot support is built in, so it can be set up directly on the server (CentOS 5.5).


1. In case the remote upgrade fails and leaves the server unreachable, temporarily enable telnet access as a fallback before upgrading.
Install the telnet service
# yum -y install telnet-server

Check whether telnet is started at boot
# chkconfig --level 35 --list|grep telnet

# vim /etc/xinetd.d/telnet
disable = no

# /etc/init.d/xinetd start

# netstat -anp|grep 23
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN      1594/xinetd   

$ telnet 192.168.0.200

Telnet does not allow direct root login. Log in as a normal user and then su to root. Once the SSH upgrade has succeeded, remember to shut down the telnet service.

 

2. Upgrade openssh server to the current latest version, openssh-6.1p1
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz

a. Upgrade as a parallel (side-by-side) installation
tar xzvf openssh-6.1p1.tar.gz
cd openssh-6.1p1
ssh -V
./configure
make
make install

# This will install the OpenSSH binaries in /usr/local/bin, configuration files
# in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
# installation prefix, use the --prefix option to configure:


/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config


b. Install by overwriting the existing version
tar xzvf openssh-6.1p1.tar.gz
cd openssh-6.1p1
./configure --prefix=/usr --sysconfdir=/etc/ssh
make
make install

The method above overwrites the files of the original version. When make install reaches the configuration files under /etc/ssh it refuses to overwrite them and prints messages like the ones below; in that case delete the old configuration files under /etc/ssh and run make install once more. Note that if the ssh_host_*_key files are deleted, make install generates new host keys, so clients that cached the old key will get a host key mismatch warning on their next connection.
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/etc/ssh/ssh_host_key already exists, skipping.
/etc/ssh/ssh_host_dsa_key already exists, skipping.
/etc/ssh/ssh_host_rsa_key already exists, skipping.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 87: Unsupported option UsePAM

# ssh -V
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008


# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 87: Unsupported option UsePAM

Comment out lines 74, 76 and 87 of /etc/ssh/sshd_config. These options are reported as unsupported because the source was configured without GSSAPI/Kerberos and PAM support (configure was run without --with-kerberos5 and --with-pam); with UsePAM commented out, sshd no longer applies PAM account or session rules.


3. chroot a normal user into its home directory to isolate the user's space
Build the chroot environment
# adduser -M test
# passwd test

# mkdir /home/chroot_test

# more /etc/ssh/sshd_config
###chroot normal user's operator dir
Match User test
ChrootDirectory /home/chroot_test

# /etc/init.d/sshd restart

 

A minimal chroot environment needs at least a shell (for example sh or bash) and a few essential device files (for example /dev/null and /dev/zero). If the user is to be allowed to run commands, the corresponding executables and the libraries they depend on must be prepared as well. From sshd_config(5):
ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after authentication.  All components of the pathname must be root-owned
             directories that are not writable by any other user or group.  After the chroot, sshd(8) changes the working directory to the
             user’s home directory.

             The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is
             replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the
             username of that user.

             The ChrootDirectory must contain the necessary files and directories to support the user’s session.  For an interactive session
             this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
             arandom(4) and tty(4) devices.  For file transfer sessions using “sftp”, no additional configuration of the environment is
             necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory
             (see sftp-server(8) for details).


mkdir /home/chroot_test
cd /home/chroot_test
mkdir {bin,dev,lib,lib64,etc,home}
mknod dev/null c 1 3
mknod dev/zero c 1 5

# Optional: the ssh command needs these two device nodes; without them it reports: PRNG is not seeded
mknod dev/random c 1 8
mknod dev/urandom c 1 9

# Optional: the ssh command needs this node; without it it reports: Host key verification failed
mknod dev/tty c 5 0

# Make root the owner of /home/chroot_test and everything below it, and set the permissions
chown -R root.root /home/chroot_test
chmod -R 755 /home/chroot_test

# Allow users to write to these device files; some commands fail if they are not writable
chmod 0666 dev/{null,zero,tty}
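As an added check that is not part of the original post, the script below verifies the ownership and mode rule quoted from sshd_config(5) for every component of the ChrootDirectory path, which is the usual reason a chroot login fails after these chown/chmod steps. It assumes GNU stat; the optional owner-uid argument is only there so the check can be exercised by a non-root user.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every component of a
# ChrootDirectory path is root-owned and not group/other writable, the rule
# quoted from sshd_config(5) above. sshd checks this at login and refuses the
# session otherwise, so run it after the chown/chmod steps. Assumes GNU stat.
# Usage: check_chroot_path /home/chroot_test

# Check one directory. The expected owner uid defaults to 0 (root); it is a
# parameter only so the check can be exercised by a non-root user.
check_dir_entry() {
    dir=$1
    want_uid=${2:-0}
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || { echo "cannot stat: $dir"; return 1; }
    set -- $info
    uid=$1
    mode=$((0$2))                       # leading 0 makes it octal: 755 -> 0755
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD owner (uid $uid, want $want_uid): $dir"
        return 1
    fi
    if [ $((mode & 18)) -ne 0 ]; then   # 18 == 0022, the group/other write bits
        echo "BAD mode $2 (group/other writable): $dir"
        return 1
    fi
    return 0
}

# Walk /, /home, /home/chroot_test, ... and count the components that fail.
check_chroot_path() {
    target=${1%/}
    want_uid=${2:-0}
    rest=${target#/}
    [ -n "$rest" ] && rest="$rest/"
    p=""
    bad=0
    while :; do
        check_dir_entry "${p:-/}" "$want_uid" || bad=$((bad + 1))
        [ -n "$rest" ] || break
        comp=${rest%%/*}
        rest=${rest#*/}
        p="$p/$comp"
    done
    [ "$bad" -eq 0 ] && echo "OK: every component of ${target:-/} passes"
    return $bad
}
```

A directory under /tmp always fails this check because /tmp itself is world-writable, which is why the post places the jail under /home.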


Then copy the executables the user is allowed to run, together with the libraries they depend on, to the corresponding locations. For example, the user must be given a usable shell; we normally use /bin/bash, so run ldd to see what it needs:
# ldd /bin/bash
        libtermcap.so.2 => /lib64/libtermcap.so.2 (0x0000003627800000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003627400000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003627000000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003626c00000)
This shows that /bin/bash depends on the following files to run correctly:
/lib64/libtermcap.so.2
/lib64/libdl.so.2
/lib64/libc.so.6
/lib64/ld-linux-x86-64.so.2
So /bin/bash and the corresponding libraries must be copied to the matching locations:
 cp -p /bin/bash /home/chroot_test/bin
 cp -p /lib64/libtermcap.so.2 /home/chroot_test/lib64
 cp -p /lib64/libdl.so.2 /home/chroot_test/lib64
 cp -p /lib64/libc.so.6 /home/chroot_test/lib64
 cp -p /lib64/ld-linux-x86-64.so.2 /home/chroot_test/lib64

Do the same for every program the user should be allowed to run.
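The following script is an added example, not part of the original post: it automates the "ldd, then cp -p each file" steps above for any list of programs and then verifies that nothing the program needs is missing from the chroot. It assumes the glibc ldd output format shown in the post; the chroot directory and program list are arguments.

```shell
#!/bin/sh
# Added example, not from the original post: automate the "ldd, then cp -p each
# file" steps above for any list of programs, and verify afterwards that nothing
# the program needs is missing from the chroot. Assumes the ldd output format
# shown in the post (glibc); the chroot directory and program list are arguments.
# Usage: copy_with_libs /home/chroot_test /bin/bash /bin/ls
#        check_chroot_bin /home/chroot_test /bin/bash

# Print the absolute path of every shared object a binary needs, one per line.
# ldd prints either "libc.so.6 => /lib64/libc.so.6 (0x...)" or, for the
# dynamic loader, "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vdso entry has no
# path and is skipped. Only run ldd on trusted system binaries.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//               { print $1 }' | sort -u
}

# Copy each program and its libraries into the chroot, keeping the same path
# layout (/bin/bash -> $chroot/bin/bash, /lib64/libc.so.6 -> $chroot/lib64/...).
# cp -p preserves mode and timestamps as in the post; because cp follows
# symlinks, a library that is a symlink is copied as the real file.
copy_with_libs() {
    chroot_dir=$1; shift
    for bin in "$@"; do
        for f in "$bin" $(list_libs "$bin"); do
            mkdir -p "$chroot_dir$(dirname "$f")"
            cp -p "$f" "$chroot_dir$f"
        done
    done
}

# List what a program would still miss inside the chroot. Returns the number
# of missing files, so 0 means the program is ready to run there.
check_chroot_bin() {
    chroot_dir=$1; bin=$2; missing=0
    for f in "$bin" $(list_libs "$bin"); do
        if [ ! -e "$chroot_dir$f" ]; then
            echo "missing in chroot: $f"
            missing=$((missing + 1))
        fi
    done
    return $missing
}
```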

 

4. Create the user's home directory inside the chroot
mkdir /home/chroot_test/home/test
chown -R test /home/chroot_test/home/test
chmod 700 /home/chroot_test/home/test
OK, with the configuration above we can now test. Log in with the test account over ssh and you can see that it is confined to its own home directory /home/test. Try a few commands: only the ones copied in just now work; everything else fails.


# ssh -p 6120 test@210.4.1.2
test@210.4.1.2's password:
Last login: Mon Nov 19 17:40:41 2012 from 210.4.1.3
-bash-3.2$ ls
-bash-3.2$
-bash-3.2$
-bash-3.2$ pwd
/home/test


-bash-3.2$ ssh root@192.168.0.1
You don't exist, go away!

Copy /etc/passwd and /etc/group into /home/chroot_test/etc and delete every account except the user itself and root. Without these two files the user sees "I have no name!" after logging in.
cp -p /etc/passwd /home/chroot_test/etc/
cp -p /etc/group /home/chroot_test/etc/


4. chroot a normal user and restrict the directory and commands available after ssh login, so that a designated user can only work in a designated directory and can only run designated commands or scripts after logging in over ssh.
To maximise security, a normal user who logs in to this jump server can run only a limited set of basic commands such as ssh and ls.


5. chroot sftp


6. Shut down the telnet service
# /etc/init.d/xinetd stop
