[OpenBSD] Using the chroot and related features of sftp-server under OpenBSD 4.7 & OpenSSH 5.5

Posted 2010-06-10 16:52
Last edited by f5b on 2010-06-10 16:53

Using the chroot and related features of sftp-server under OpenBSD 4.7 & OpenSSH 5.5

The last few OpenSSH releases have changed a great deal, and the feature set keeps growing to the point of rivalling the popular FTP daemons. The recently released OpenBSD 4.7 notes:
# Add a 'read-only' mode to sftp-server(8) that disables open in write mode and all other fs-modifying protocol methods.
# Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has.

Preparation:
Users whose shell is ksh (or similar) or false can still log in to the server via ftp, which makes password leaks easy, so sftp-only users are best given nologin as their shell.
Creating a group called sftponly and adding them to it makes management easier.

1. How to use chroot

Edit /etc/ssh/sshd_config
After the line
Subsystem      sftp    /usr/libexec/sftp-server
a Match block must also be added; only then can nologin users log in with sftp, otherwise the error message "Received message too long 1416128883" is shown.

Match example A
    Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /home/sftpchrootdirectory/

Match example B
    Match User testuser
    ChrootDirectory /home/dir/
    ForceCommand internal-sftp

Notes:
1. The ChrootDirectory directory must be owned by root and not writable by any other user.
So a non-root user cannot write anything into the ChrootDirectory; how can that work?
The answer is to create one or more writable subdirectories under the ChrootDirectory.

2.
Once ChrootDirectory is set, the environment has to be configured by hand to match, which is complicated.
To keep it simple, enabling internal-sftp removes the need to configure the environment, but the user can then only log in via sftp, not get a shell.
In other words, once you add ChrootDirectory you must also add the internal-sftp setting.


2. The simple chroot configuration
Only the setting Subsystem       sftp    internal-sftp is needed. nologin users then need not be listed in a Match block, but a user logging in via sftp can access any other user's directory, unless the Match block also adds ChrootDirectory.

For example, edit /etc/ssh/sshd_config
Subsystem       sftp    internal-sftp
    Match User testuser
    ChrootDirectory /home/dir/




For more configuration see
http://www.openssh.org/manual.html

Some excerpts

---
sshd_config

     ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after
             authentication.  All components of the pathname must be root-
             owned directories that are not writable by any other user or
             group.  After the chroot, sshd(8) changes the working directory
             to the user's home directory.

             The pathname may contain the following tokens that are expanded
             at runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the
             username of that user.

             The ChrootDirectory must contain the necessary files and
             directories to support the user's session.  For an interactive
             session this requires at least a shell, typically sh(1), and
             basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
             stderr(4), arandom(4) and tty(4) devices.  For file transfer
             sessions using ``sftp'', no additional configuration of the
             environment is necessary if the in-process sftp server is used,
             though sessions which use logging do require /dev/log inside the
             chroot directory (see sftp-server(8) for details).

             The default is not to chroot(2).


     ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client and ~/.ssh/rc if
             present.  The command is invoked by using the user's login shell
             with the -c option.  This applies to shell, command, or subsystem
             execution.  It is most useful inside a Match block.  The command
             originally supplied by the client is available in the
             SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
             of ``internal-sftp'' will force the use of an in-process sftp
             server that requires no support files when used with
             ChrootDirectory.


     Subsystem
             Configures an external subsystem (e.g. file transfer daemon).
             Arguments should be a subsystem name and a command (with optional
             arguments) to execute upon subsystem request.

             The command sftp-server(8) implements the ``sftp'' file transfer
             subsystem.

             Alternately the name ``internal-sftp'' implements an in-process
             ``sftp'' server.  This may simplify configurations using
             ChrootDirectory to force a different filesystem root on clients.

             By default no subsystems are defined.  Note that this option
             applies to protocol version 2 only.

---
Subsystem      sftp    /usr/libexec/sftp-server (the options go in this position)

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -e      Causes sftp-server to print logging information to stderr instead
             of syslog for debugging.

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The
             possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     -R      Places this instance of sftp-server into a read-only mode.
             Attempts to open files for writing, as well as other operations
             that change the state of the filesystem, will be denied.

     -u umask
             Sets an explicit umask(2) to be applied to newly-created files
             and directories, instead of the user's default mask.

     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.

------------
FAQ from Chroot in OpenSSH
http://www.undeadly.org/cgi?action=article&sid=20080220110039

1、
>This looks like a great addition. However, can a user limited to the
> internal sftp server still forward ports?

Yes. By default. Unless you set up something like this:

Match User foo
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /chroot


2、
> Is is possible to have some unchrooted users using
> /usr/libexec/sftp-server and other chrooted
> users with internal-sftp on the same server?

Yes, use Match+ForceCommand+ChrootDirectory to contain the untrusted users but include a normal Subsystem line for the regular users.


--------------------
Other OpenBSD 4.7 tips, in particular the -r option, which lets get and put include all subdirectories.
sftp commands
     get [-Ppr] remote-path [local-path]
             Retrieve the remote-path and store it on the local machine.  If
             the local path name is not specified, it is given the same name
             it has on the remote machine.  remote-path may contain glob(3)
             characters and may match multiple files.  If it does and
             local-path is specified, then local-path must specify a
             directory.

             If either the -P or -p flag is specified, then full file
             permissions and access times are copied too.

             If the -r flag is specified then directories will be copied
             recursively.  Note that sftp does not follow symbolic links when
             performing recursive transfers.

ftp commands (the -r option, which neither FreeBSD's nor NetBSD's ftp has)
    mget [-cnr] [-d depth] remote-files
                 Expand the remote-files on the remote machine and do a get
                 for each file name thus produced.  See glob for details on
                 the filename expansion.  Resulting file names will then be
                 processed according to case, ntrans, and nmap settings.
                 Files are transferred into the local working directory, which
                 can be changed with `lcd directory'; new local directories
                 can be created with `! mkdir directory'.

                 The options are as follows:

                 -c      Use reget instead of get.

                 -d depth
                         Specify the maximum recursion level depth.  The
                         default is 0, which means unlimited.

                 -n      Use newer instead of get.

                 -r      Recursively descend the directory tree, transferring
                         all files and directories.




I hope others can add the following information, or wait until I have time to continue
1. Logging in sftp-server: can it produce information as detailed as an ftp log? Names of uploaded/downloaded files, speeds, IPs, etc.?
2. A usage example for sftp-server -u umask.
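The setup the post describes, as an added example that is not part of the original post or of OpenSSH: a POSIX sh script that checks a ChrootDirectory path against the rule quoted above from sshd_config(5) (every component a root-owned directory not writable by group or others), lays out a chroot with one writable subdirectory as note 1 suggests, and prints the Match block with internal-sftp, the umask flag the post asks about, and forwarding switched off as in the undeadly FAQ. The group name sftponly, the path /home/sftpchroot, the subdirectory name upload and the umask 0027 are assumptions, and so is passing -u to internal-sftp through ForceCommand rather than on the Subsystem line. The optional OWNER_UID and STOP arguments exist only so the checks can be exercised by an unprivileged user on a scratch tree; on a real server use the defaults (uid 0, walk all the way to /).

```shell
#!/bin/sh
# Added example: not code from the original post or from OpenSSH.
# Helpers for an sftp-only chroot on an OpenSSH server:
#   dir_ok / check_chroot_path  enforce the ChrootDirectory rule ("all components
#                               must be root-owned directories that are not
#                               writable by any other user or group")
#   layout_sftp_chroot          builds the root-owned chroot plus a writable subdir
#   print_match_block           emits the sshd_config Match stanza
# Names assumed here: group sftponly, chroot /home/sftpchroot, subdir "upload".

# dir_ok DIR OWNER_UID
# One directory passes if it is a directory owned by OWNER_UID with neither the
# group nor the other write bit set. Prints the reason and returns 1 otherwise.
dir_ok() {
    _d=$1
    _want=$2
    [ -d "$_d" ] || { echo "$_d: not a directory"; return 1; }
    # ls -ldnL prints e.g. "drwxr-xr-x 2 0 0 4096 Jun 10 16:52 /home/sftpchroot";
    # field 1 is the mode string, field 3 the numeric owner (-L follows a
    # symlink, as sshd's stat() of each component does).
    set -f
    set -- $(ls -ldnL "$_d")
    set +f
    _mode=$1
    _uid=$3
    [ "$_uid" = "$_want" ] || { echo "$_d: owned by uid $_uid, want $_want"; return 1; }
    case $_mode in
        ?????-??-*) return 0 ;;          # char 6 = group w bit, char 9 = other w bit
        *) echo "$_d: writable by group or others ($_mode)"; return 1 ;;
    esac
}

# check_chroot_path DIR [OWNER_UID] [STOP]
# Apply dir_ok to DIR and every ancestor up to and including STOP. sshd itself
# walks to "/" and insists on uid 0, which are the defaults; the two optional
# arguments only let the scratch-tree demo below run without root.
check_chroot_path() {
    _p=${1%/}
    [ -n "$_p" ] || _p=/
    _owner=${2:-0}
    _stop=${3:-/}
    _stop=${_stop%/}
    [ -n "$_stop" ] || _stop=/
    while :; do
        dir_ok "$_p" "$_owner" || return 1
        if [ "$_p" = "$_stop" ] || [ "$_p" = / ]; then
            return 0
        fi
        _p=$(dirname "$_p")
    done
}

# layout_sftp_chroot ROOT [SUBDIR] [USER]
# Create ROOT (0755) with a writable subdirectory beneath it. When run as root,
# ROOT is handed to uid 0 and the subdirectory to USER, which is what lets the
# tree pass check_chroot_path while still giving the user somewhere to write.
layout_sftp_chroot() {
    _root=$1
    _sub=${2:-upload}
    _user=$3
    mkdir -p "$_root/$_sub"
    chmod 0755 "$_root" "$_root/$_sub"
    if [ "$(id -u)" = 0 ]; then
        chown 0 "$_root"                     # the chroot itself belongs to root
        if [ -n "$_user" ]; then
            chown "$_user" "$_root/$_sub"    # the user may only write in here
        fi
    fi
}

# print_match_block GROUP ROOT [UMASK]
# The Match stanza for /etc/ssh/sshd_config: internal-sftp so no shell or /dev
# nodes are needed inside the chroot, forwarding off as in the undeadly FAQ.
# Passing -u (the new umask flag) via ForceCommand is assumed to behave the same
# as on the Subsystem line.
print_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp -u ${3:-0027}
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# "sh this_script.sh demo" builds a scratch tree as the current user and shows
# one acceptable and one world-writable chroot candidate.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    me=$(id -u)
    layout_sftp_chroot "$scratch/sftpchroot"
    mkdir "$scratch/leaky" && chmod 0777 "$scratch/leaky"
    check_chroot_path "$scratch/sftpchroot" "$me" "$scratch" && echo "ok: $scratch/sftpchroot"
    check_chroot_path "$scratch/leaky" "$me" "$scratch" || echo "rejected as expected"
    print_match_block sftponly /home/sftpchroot
    rm -rf "$scratch"
fi
```

On the server, run the checker with its defaults against the path used in the Match block (check_chroot_path /home/sftpchroot) before restarting sshd: a group-writable /home, or a chroot that was chown'ed to the user so they could upload, fails the rule on a parent component just as surely as on the chroot itself, and sshd will then refuse the login.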

Posted 2010-06-10 22:04
Directory permissions are also critical

http://bbs.chinaunix.net/viewthread.php?tid=1547966 is a post I wrote up earlier

Tested on FB and Linux, both behave this way; I don't know whether OpenBSD does too.