[linux] scp

Ing. Jan ONDREJ ondrejj at upjs.sk
Wednesday November 26 08:32:28 CET 2003


On Wed, Nov 26, 2003 at 08:20:22AM +0100, Martin Vana wrote:
> Hello,
> 
> I have been trying, so far without success, to find a solution to the following problem.
> I need to give a client scp access to a directory, but I don't want him
> to be able to browse the disk freely. So far my search for a solution has
> been in vain ...

The solution is chrooted ssh. :-)

Specifically for Fedora (RedHat) - I am just listing the file name and what to add there:

/etc/pam.d/sshd
  session    required     pam_chroot.so debug onerr=fail

/etc/security/chroot.conf
  ^jehologin$	/home/chroots/jehologin

Then, for the given user, create a home looking something like this (in /home/chroots/jehologin)
  ./bin/cat
  ./bin/cp
  ./bin/cpio
  ./bin/dd
  ./bin/df
  ./bin/bash
  ./bin/gzip
  ./bin/chmod
  ./bin/ls
  ./bin/mkdir
  ./bin/mv
  ./bin/pwd
  ./bin/rm
  ./bin/rmdir
  ./bin/tar
  ./bin/compress
  ./bin/groups
  ./bin/id
  ./bin/scp
  ./bin/true
  ./lib/ld-2.2.4.so
  ./lib/libc-2.2.4.so
  ./lib/libdl-2.2.4.so
  ./lib/libnsl-2.2.4.so
  ./lib/libnss_files-2.2.4.so
  ./lib/libcrypto.so.0.9.6b
  ./lib/libpam.so.0.75
  ./lib/libutil-2.2.4.so
  ./lib/libz.so.1.1.3
  ./lib/libtermcap.so.2.0.8
  ./lib/libncurses.so.5.2
  ./etc/group
  ./etc/ld.so.cache
  ./etc/passwd
  ./etc/pam.d/system-auth
  ./etc/localtime

Next, modify that ./etc/passwd and group so that there is no junk in them.
It is enough to leave root and the given user.

Next, I believe you need to turn off PrivilegeSeparation in sshd, because
it doesn't work with it yet:

/etc/ssh/sshd_config
  UsePrivilegeSeparation no

Restart and it should work. :-)
Of course access will only be via WinSCP, and for some gurus also via
ssh. Even if the user gets in there, there is no suid program in there,
so he can only mess around with his own stuff.

If I forgot something, sorry. :-)

		SAL
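An added example, not part of the original post or of any Fedora tooling, that scripts the manual part of the setup above: copying the listed binaries together with the shared libraries ldd resolves for them (kept under their host paths, since the loader looks for them there), and trimming the chroot's passwd and group to root and the given user. The chroot path, user name and source passwd/group files are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: populate a chroot for
# pam_chroot + scp. Binaries go to $chroot/bin; the shared libraries
# ldd reports are copied under the same paths they have on the host.
set -eu

# Copy one binary plus every library ldd resolves for it into the chroot.
copy_with_libs() {
  chroot_dir=$1; bin=$2
  [ -x "$bin" ] || { echo "skip: $bin not found" >&2; return 0; }
  mkdir -p "$chroot_dir/bin"
  cp -L "$bin" "$chroot_dir/bin/"
  # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x..)" or
  # "/lib64/ld-linux-x86-64.so.2 (0x..)"; take the path from each.
  ldd "$bin" 2>/dev/null | awk '/=> \// {print $3} $1 ~ /^\// {print $1}' |
  while read -r lib; do
    mkdir -p "$chroot_dir$(dirname "$lib")"
    cp -L "$lib" "$chroot_dir$lib"
  done
}

# Write $chroot/etc/passwd and group containing only root and $user,
# taken from the source files given (normally /etc/passwd, /etc/group).
write_minimal_accounts() {
  chroot_dir=$1; user=$2; src_passwd=$3; src_group=$4
  mkdir -p "$chroot_dir/etc"
  awk -F: -v u="$user" '$1 == "root" || $1 == u' "$src_passwd" > "$chroot_dir/etc/passwd"
  awk -F: -v u="$user" '$1 == "root" || $1 == u' "$src_group" > "$chroot_dir/etc/group"
  chmod 644 "$chroot_dir/etc/passwd" "$chroot_dir/etc/group"
}

# build_chroot DIR USER BINARY...  e.g. (paths are assumptions)
# build_chroot /home/chroots/jehologin jehologin /bin/bash /bin/ls /usr/bin/scp
build_chroot() {
  chroot_dir=$1; user=$2; shift 2
  for b in "$@"; do copy_with_libs "$chroot_dir" "$b"; done
  write_minimal_accounts "$chroot_dir" "$user" /etc/passwd /etc/group
  # ld.so consults /etc/ld.so.cache; copy it so library lookup works
  # without running ldconfig inside the chroot.
  if [ -f /etc/ld.so.cache ]; then cp /etc/ld.so.cache "$chroot_dir/etc/"; fi
}

if [ $# -ge 3 ]; then build_chroot "$@"; fi
```

Run it as root, then check from inside the chroot that nothing is setuid (find DIR -perm -4000) before pointing chroot.conf at it.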


