Copyright notice: this article may be freely reproduced; when reproducing it, you must indicate the original source, the author information and this notice in the form of a hyperlink.
https://windtear.net/archives/2004/04/14/000299.html
chroot(PATH)
bin dev etc lib proc
http://www.ssh.org/ http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html
ftp://ftp.ssh.com/pub/ssh
> ls
-rwxrwxr-x 1 2012 2012 2269281 Dec 3 15:24 ssh-3.2.9.1.tar.gz
-rwxrwxr-x 1 2012 2012 72 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-gpg
-rwxrwxr-x 1 2012 2012 280 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-pgp2
-rwxrwxr-x 1 2012 2012 65 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-pgp5
ssh-3.2.9.1.tar.gz Modify: Wed Dec 3 21:24:22 2003
md5sum f3ed49f13419d97dc1d0d3bfb4bb99bf ssh-3.2.9.1.tar.gz
sshd2: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
-----> etc configs
knownhosts/ hostkeys/ subconfig/ ssh_dummy_shell.out sshd2_config.example ssh2_config.example ssh2_config hostkey.pub hostkey sshd2_config
subconfig/ anonymous.example host_ext.example host_int.example user.example
% cat sshd2_config
Port 22
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ
DenyGroups nobody,guest,anonymous
PermitRootLogin no
ChRootGroups ftpadmin
subsystem-sftp sftp-server
-----> README
SSH2 Binaries
=============
ssh2 The SSH2 client.
sshd2 The SSH2 daemon.
sftp2 The SFTP client (needs ssh2). Type "?" in the command line for help.
sftp-server2 The SFTP server (executed by sshd2).
scp2 The SCP client.
ssh-keygen2 The utility for generating keys. Use -h for help.
ssh-add2 Add identities to the authentication agent.
ssh-agent2 The authentication agent.
ssh-askpass2 X11 utility for querying passwords.
ssh-signer2 A small program that signs "hostbased" authentication packets. Executed by ssh2, and for proper function, must be suid root. (This is done by 'make install'.)
ssh-probe2 Program to probe a given network for ssh2 servers. See ssh-probe(1) and sshd2_config(5) for MaxBroadcastsPerSecond.
ssh-dummy-shell Can be used as a restricted shell when only file transfer or tcp forwarding functionality is desired.
ssh-certenroll2 A certificate enrollment client (only in commercial distribution)
sshd-check-conf A configuration checker utility for use with sshd2
Installation
============
% tar zxvf ssh-3.x.y.tar.gz
% ./configure
% make
# make install
This should set everything up and create the host key. The old files are moved to *.old files. If you don't want them around, goto apps/ssh and run
# make clean-up-old
which will delete them.
ssh2 files ===========
Public keys have a .pub suffix, private keys have no suffix. For example:
id_dsa_1024_a A 1024-bit DSA private key id_dsa_1024_a.pub The corresponding public key
There is no "known_hosts", as in ssh1. The host keys are stored in separate files in ~/.ssh2/hostkeys .
~/.ssh2/hostkeys/key_xxxx_yyyy.pub -----------------------------
This would be the public host key of the ssh2 daemon running in port xxxx of the host yyyy.
/etc/ssh2/hostkey.pub and /etc/ssh2/hostkey -----------------------------------------
Public and private hostkeys for sshd2. Created by "make install". If this is not created by "make install" or you need to recreate your host keypair, run
# rm /etc/ssh2/hostkey*
# ssh-keygen2 -P /etc/ssh2/hostkey
~/.ssh2/identification ----------------------
Lists the private keys that are offered to the server in public-key user authentication.
# identification IdKey id_dsa_1024_a
This means that the private key in the file ~/.ssh2/id_dsa_1024_a is used for public key authentication. Use CertKey instead of IdKey if certificates are used (only in commercial distribution).
~/.ssh2/authorization ---------------------
Lists the public keys that are accepted for authentication on this host.
# authorization Key id_dsa_1024_a.pub
This means that anyone who holds the matching private key to the public key in the file $USER/.ssh2/id_dsa_1024_a.pub can log in as $USER.
/etc/ssh2/sshd2_config --------------------
The server configuration file, copied here by "make install". See the man page for details.
The line:
subsystem-sftp sftp-server
means that when the subsystem "sftp" is requested, the command "sftp-server" is started. For example, if our sshd2_config reads:
subsystem-quux echo "fim fam foo"
the command "ssh2 host -s quux" would simply print the text "fim fam foo".
~/.ssh2/ssh2_config -------------------
The client configuration file. See the global client config file ssh2_config in /etc/ssh2.
~/.ssh2/knownhosts/xxxxyyyy.pub -------------------------------
These are the public host keys of the hosts that a user wants to log from using host based authentication (equivalent with SSH1's RhostsRSAAuthentication). Also, a user has to set up her/his ~/.shosts (which only SSH uses) or ~/.rhosts file (insecure, as it is also used by the r*-commands). If the username is the same in both hosts, it is adequate to put the public hostkey to /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv).
xxxx denotes the hostname (FQDN) and yyyy the public key algorithm of the key.
For example, zappa.foo.fi's hostkey algorithm is ssh-dss. The hostkey would be named
zappa.foo.fi.ssh-dss.pub
in the knownhosts directory.
Possible values for publickey-algorithms are "ssh-dss" and "ssh-rsa" (without the quotes).
/etc/ssh2/knownhosts/xxxxyyyy.pub ---------------------------------
As above, but system-wide. These can be overridden by the user by putting a file with the same name to her/his ~/.ssh2/knownhosts directory.
/etc/hosts.equiv and /etc/shosts.equiv --------------------------------------
Used to check whether authentication from host is allowed using host based authentication. In its simplest form, the file contains host names, one per line.
For more information, see 'man sshd2'.
~/.rhosts and ~/.shosts -----------------------
This file contains host-username-pairs, separated by spaces, one per line. The given user from the specified host is allowed to log in without a password.
For more information, see 'man ssh2' and 'man sshd2'.
===== chroot @ v2.4.0 by flyriver
sshchsession.c ssh_session_init_env
  if (!strcmp("ftpadmin", ssh_group_name(session->common->user_data)))
    {
      char home_dir[512];
      snprintf(home_dir, sizeof(home_dir), "/home/%s", user_name);
      ssh_child_set_env(envp, envsizep, "HOME", home_dir);
    }
  else
    ssh_child_set_env(envp, envsizep, "HOME", user_dir);
ssh_channel_session_child
sshunixuser.c
@ v3.2.9.1
sshchsession.c ssh_session_init_env
492   if (ssh_user_needs_chroot(session->common->user_data, session->common))
493     user_dir = "/";
494   else
495     user_dir = ssh_user_dir(session->common->user_data);
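The two snippets above differ in what HOME a chrooted session sees: flyriver's 2.4.0 patch hard-codes "/home/<user>" for the ftpadmin group, while 3.2.9.1 asks ssh_user_needs_chroot() (driven by ChRootUsers/ChRootGroups) and sets HOME to "/" inside the jail. The following is an added example, not code from ssh-3.2.9.1 or the patch; it models that decision with plain comma-separated lists (the real server uses pattern lists) so the resulting HOME can be checked for a given sshd2_config.

```c
/* Added example (not ssh-3.2.9.1 code): model sshd2's chroot decision and the
 * HOME it exports.  ChRootUsers / ChRootGroups come from sshd2_config as
 * comma-separated lists; a NULL or empty list means the option is unset. */
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` is one of the comma-separated entries in `list`
 * (exact match; the real server also accepts patterns). */
static int in_list(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;
    while (p && *p) {
        const char *e = strchr(p, ',');
        size_t len = e ? (size_t)(e - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0)
            return 1;
        p = e ? e + 1 : NULL;
    }
    return 0;
}

/* Model of ssh_user_needs_chroot(): chroot when the user is listed in
 * ChRootUsers or the user's group is listed in ChRootGroups. */
int user_needs_chroot(const char *chroot_users, const char *chroot_groups,
                      const char *user, const char *group)
{
    return in_list(chroot_users, user) || in_list(chroot_groups, group);
}

/* Model of ssh_session_init_env() in 3.2.9.1: the jail root is the user's
 * home directory (sshchsession.c:924), so inside the jail HOME is "/";
 * a non-chrooted user keeps the real home directory.  Writes the HOME value
 * into `out` and returns 1 if the session is chrooted, 0 otherwise. */
int session_home(const char *chroot_users, const char *chroot_groups,
                 const char *user, const char *group, const char *home_dir,
                 char *out, size_t outlen)
{
    if (user_needs_chroot(chroot_users, chroot_groups, user, group)) {
        snprintf(out, outlen, "/");
        return 1;
    }
    snprintf(out, outlen, "%s", home_dir);
    return 0;
}
```

With the page's config (ChRootGroups ftpadmin, no ChRootUsers), a member of ftpadmin gets HOME="/" and is jailed in its own home directory, which is why that directory must carry the bin, dev, etc, lib and proc tree listed at the top.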
% grep -rin 'chroot' ./
./FAQ:27: 2.4: Q: How do I set up chrooted accounts (w/ restricted shell access, and
./FAQ:249:Q: How do I set up chrooted accounts (with restricted shell access, and
./lib/sshsession/sshunixuser.c:1427: const char *chroot_dir,
./lib/sshsession/sshunixuser.c:1522: /* chrooting at this point. */
./lib/sshsession/sshunixuser.c:1523: if (chroot_dir)
./lib/sshsession/sshunixuser.c:1525: if (chroot(chroot_dir) < 0)
./lib/sshsession/sshunixuser.c:1527: ssh_warning("Chroot to '%s' failed!", chroot_dir);
./lib/sshsession/sshunixuser.c:1536: /* XXX does chroot work after this? If not, this should be done after
./lib/sshsession/sshunixuser.c:1537: chroot (and before setuid()). */
./lib/sshsession/sshuser.h:95: called before chroot()ing. */
./lib/sshsession/sshuser.h:101: ``chroot_dir'' call chroot() with this as argument in the approriate
./lib/sshsession/sshuser.h:103: the user. Will return FALSE, if chroot() fails. Note
./lib/sshsession/sshuser.h:106: be NULL, in which case the user is not chrooted.
./lib/sshsession/sshuser.h:114: const char *chroot_dir,
./NEWS:4:ssh-pubkeymgr and ssh-chrootmgr
./apps/ssh/sshchsession.c:248:/* Return TRUE if user is configured to have home directory chrooted. */
./apps/ssh/sshchsession.c:250:Boolean ssh_user_needs_chroot(SshUser user, SshCommon common);
./apps/ssh/sshchsession.c:252:/* Return TRUE if user is configured to have home directory chrooted. */
./apps/ssh/sshchsession.c:254:Boolean ssh_user_needs_chroot(SshUser uc, SshCommon common)
./apps/ssh/sshchsession.c:257: "won't be chrooted",
./apps/ssh/sshchsession.c:258: "will be chrooted",
./apps/ssh/sshchsession.c:262: common->config->chroot_users,
./apps/ssh/sshchsession.c:264: common->config->chroot_groups);
./apps/ssh/sshchsession.c:492: if (ssh_user_needs_chroot(session->common->user_data, session->common))
./apps/ssh/sshchsession.c:849: Boolean needs_chroot = FALSE, run_internal_sftp_server = FALSE;
./apps/ssh/sshchsession.c:850: const char *chroot_dir = NULL;
./apps/ssh/sshchsession.c:901: needs_chroot = ssh_user_needs_chroot(session->common->user_data,
./apps/ssh/sshchsession.c:922: if (needs_chroot)
./apps/ssh/sshchsession.c:924: chroot_dir = ssh_user_dir(session->common->user_data);
./apps/ssh/sshchsession.c:926: "User '%s' will be chrooted to directory '%s'.",
./apps/ssh/sshchsession.c:927: ssh_user_name(session->common->user_data), chroot_dir);
./apps/ssh/sshchsession.c:931: and chroots, as needed. */
./apps/ssh/sshchsession.c:933: chroot_dir, close_fds, session))
./apps/ssh/sshchsession.c:935: ssh_debug("Switching to user '%s' (with chroot) failed!",
./apps/ssh/sshchsession.c:962: if (needs_chroot)
./apps/ssh/sshchsession.c:966: ssh_debug("Chroot to user '%s' home directory failed!",
./apps/ssh/sshchsession.c:1188: (needs_chroot ? "" :
./apps/ssh/sftp-server2.c:92: XXX Logging in a chrooted environment is a _major_ pain in the
./apps/ssh/sshconfig.c:1675: ADD_PARAM_PATTERN_LIST("ChrootUsers", &config->chroot_users, 0);
./apps/ssh/sshconfig.c:1676: ADD_PARAM_PATTERN_LIST("ChrootGroups", &config->chroot_groups, 0);
./apps/ssh/sshconfig.c:2111: config->chroot_users = NULL;
./apps/ssh/sshconfig.c:2112: config->chroot_groups = NULL;
./apps/ssh/sshconfig.c:2451: ssh_adt_destroy(config->chroot_users);
./apps/ssh/sshconfig.c:2452: ssh_adt_destroy(config->chroot_groups);
./apps/ssh/sshconfig.h:255: SshADTContainer chroot_users;
./apps/ssh/sshconfig.h:256: SshADTContainer chroot_groups;
./apps/ssh/sshd2_subconfig.5:208:.B ChrootGroups
./apps/ssh/sshd2_subconfig.5:210:.B ChrootUsers
./apps/ssh/sshd2_config:174:## Chrooted environment
./apps/ssh/sshd2_config:176:# ChRootUsers anonymous,ftp,guest
./apps/ssh/sshd2_config:177:# ChRootGroups sftp,guest
./apps/ssh/subconfig/host_ext.example:17: ChrootGroups anonymous,sftp
./apps/ssh/subconfig/anonymous.example:11:## /etc/passwd file. Chroot this user in main sshd2_config or host
./apps/ssh/sshd-check-conf.5:52:.BR ChrootUsers ,
./apps/ssh/sshd-check-conf.5:53:.BR ChrootGroups ,
./apps/ssh/sshd-check-conf.c:117: "won't be chrooted",
./apps/ssh/sshd-check-conf.c:118: "will be chrooted",
./apps/ssh/sshd-check-conf.c:121: config->chroot_users,
./apps/ssh/sshd-check-conf.c:123: config->chroot_groups))
./apps/ssh/sshd-check-conf.c:124: ssh_informational(" User %s will be chrooted.\r\n", user);
./apps/ssh/sshd-check-conf.c:126: ssh_informational(" User %s will not be chrooted.\r\n", user);
./apps/ssh/sshd-check-conf.c:453: DUMP_PATTERN_LIST("ChrootUsers", config->chroot_users);
./apps/ssh/sshd-check-conf.c:454: DUMP_PATTERN_LIST("ChrootGroups", config->chroot_groups);
./apps/ssh/sshd2_config.5:315:.B ChRootGroups
./apps/ssh/sshd2_config.5:316:This option works like \fBChRootUsers\fR, except that it can be used
./apps/ssh/sshd2_config.5:322:.B ChRootUsers
./apps/ssh/sshd2_config.5:324:gives all users listed here a chrooted environment (e.g. "/home").
./apps/ssh/sshd2_config.5:971:requests. This enables better logging in chrooted environments, and
./README:346: * For detailed info on how to set up chrooted accounts, see
./README:411: needed in order to chroot sftp users, see FAQ)
./HOWTO.anonymous.sftp:13: found by ssh-dummy-shell and sftp-server in the chrooted
./HOWTO.anonymous.sftp:18: chrooting considerably. You don't need to build the static binaries.
./HOWTO.anonymous.sftp:27: chrooted environment, so choose wisely (you can change it later, of
./HOWTO.anonymous.sftp:41: % ssh-chrootmgr -v ssh-guest # (or the account you created)
./HOWTO.anonymous.sftp:51: ChRootUsers ssh-guest
./HOWTO.anonymous.sftp:93: Note, that logging in the chrooted environment with a separate
./HOWTO.anonymous.sftp:95: /dev/log device under the chrooted jail, and add that to the listened
./HOWTO.anonymous.sftp:100: Logging in the chrooted jail is much simpler with the internal
./projects/ssh-f-configd/fsma-oids/sshd2.oid:31:1.3.6.1.4.1.2213.36.1.2.7.5 ChRootUsers
./projects/ssh-f-configd/fsma-oids/sshd2.oid:32:1.3.6.1.4.1.2213.36.1.2.7.6 ChRootGroups
./CHANGES:160: * Removed ssh-pubkeymgr and ssh-chrootmgr from the distribution
./CHANGES:269: that chroot() was not done.
./CHANGES:516: * sshd2: Changed chroot() logic. Now secondary groups will be
./CHANGES:517: initialized after chrooting, without the need to copy /etc/group
./CHANGES:518: to the chroot jail.
./CHANGES:1012: groups in the configuration (ie. ChrootGroups, AllowGroups, etc).
./CHANGES:1128: * Added ssh-chrootmgr, a simple script to help in setting up
./CHANGES:1129: chrooted environments for users.
./CHANGES:1135: ChRoot{Users,Groups}. Currently only works (that I know of) in GCC
./CHANGES:1193: * Fixed a bug in ChRootGroups, which basically rendered it useless
./CHANGES:1260: * Previous by tri: implemented ChRootGroups and ChRootUsers