Setup CHROOT Environment on a Solaris 8/SPARC Host
Install a CHROOT SSH package
============================
# pkgadd -d ./OpenSSH_3.9p1-Solaris-sparc.pkg OpenSSH
Processing package instance <OpenSSH> from </export/home/jinyang/OpenSSH_3.9p1-Solaris-sparc.pkg>
OpenSSH Portable for Solaris
(sparc) OpenSSH_3.9p1
OpenSSH Portable Team - http://www.openssh.com/portable.html
Do you want symbolic links for the start/stop scripts? (default: n) [y,n,?,q] y
Start the sshd daemon after installing this package? (default: n) [y,n,?,q] n
## Processing package information.
## Processing system information.
5 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
The following files are being installed with setuid and/or setgid
permissions:
/opt/ssh/libexec/ssh-keysign <setuid root>
Do you want to install these as setuid/setgid files [y,n,?,q] y
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <OpenSSH> [y,n,?] y
Installing OpenSSH Portable for Solaris as <OpenSSH>
## Executing preinstall script.
## Installing part 1 of 1.
/etc/init.d/opensshd
/opt/ssh/bin/scp
/opt/ssh/bin/sftp
/opt/ssh/bin/slogin <symbolic link>
/opt/ssh/bin/ssh
/opt/ssh/bin/ssh-add
/opt/ssh/bin/ssh-agent
/opt/ssh/bin/ssh-keygen
/opt/ssh/bin/ssh-keyscan
/opt/ssh/etc/moduli
/opt/ssh/etc/ssh_config.default
/opt/ssh/etc/sshd_config.default
/opt/ssh/libexec/sftp-server
/opt/ssh/libexec/ssh-keysign
/opt/ssh/man/man1/scp.1
/opt/ssh/man/man1/sftp.1
/opt/ssh/man/man1/slogin.1 <symbolic link>
/opt/ssh/man/man1/ssh-add.1
/opt/ssh/man/man1/ssh-agent.1
/opt/ssh/man/man1/ssh-keygen.1
/opt/ssh/man/man1/ssh-keyscan.1
/opt/ssh/man/man1/ssh.1
/opt/ssh/man/man5/ssh_config.5
/opt/ssh/man/man5/sshd_config.5
/opt/ssh/man/man8/sftp-server.8
/opt/ssh/man/man8/ssh-keysign.8
/opt/ssh/man/man8/sshd.8
/opt/ssh/sbin/sshd
/opt/ssh/share/Ssh.bin
[ verifying class <none> ]
## Executing postinstall script.
UsePrivilegeSeparation enabled in config (or defaulting to on).
PrivSep user sshd already exists.
PrivSep group sshd already exists.
Installation of <OpenSSH> was successful.
#
Build CHROOT environment
========================
- create a script "setup_chroot_env" and replace /export/home/chroot with the directory you want to use.
#!/bin/sh
# Build a minimal chroot tree: copy the listed programs plus every shared
# library they depend on, then create the device nodes sh/sftp-server need.
CHROOT_DIR=/export/home/chroot
REQUIRED_CHROOT_FILES=" /bin/cp \
    /bin/ls \
    /bin/mkdir \
    /bin/mv \
    /bin/rm \
    /bin/rmdir \
    /bin/sh \
    /bin/ldd \
    /opt/ssh/libexec/sftp-server"

# Create $CHROOT_DIR
[ ! -d $CHROOT_DIR ] && mkdir -p $CHROOT_DIR
cd $CHROOT_DIR

# Copy $REQUIRED_CHROOT_FILES and shared library dependencies to the
# chroot environment (paths are made relative by stripping the leading "/")
for FILE in $REQUIRED_CHROOT_FILES
do
    DIR=`dirname $FILE | cut -c2-`
    [ ! -d $DIR ] && mkdir -p $DIR
    cp $FILE `echo $FILE | cut -c2-`
    # ldd prints "libc.so.1 => /usr/lib/libc.so.1"; the last field is the path
    for SHARED_LIBRARY in `ldd $FILE | awk '{print $NF}'`
    do
        DIR=`dirname $SHARED_LIBRARY | cut -c2-`
        [ ! -d $DIR ] && mkdir -p $DIR
        [ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && \
            cp $SHARED_LIBRARY `echo $SHARED_LIBRARY | cut -c2-`
    done
done

# The runtime linker is not listed by ldd, so copy it explicitly
[ ! -d usr/lib ] && mkdir -p usr/lib
cp /usr/lib/ld.so.1 usr/lib
[ ! -d $CHROOT_DIR/etc ] && mkdir $CHROOT_DIR/etc

# Create required character devices (major/minor numbers of the Solaris "mm"
# driver; confirm them with "ls -lL /dev/null /dev/zero" on the host first)
[ ! -d $CHROOT_DIR/dev ] && mkdir $CHROOT_DIR/dev
mknod $CHROOT_DIR/dev/zero c 13 12
mknod $CHROOT_DIR/dev/null c 13 2
chmod 666 $CHROOT_DIR/dev/zero $CHROOT_DIR/dev/null
- run the script to set up the chroot environment.
Create a CHROOT user
====================
- create the account with "useradd -m -d /export/home/chroot/eehome -s /bin/sh ee"
- replace its home entry in /etc/passwd with /export/home/chroot/./eehome
- copy its entry into the chroot's own passwd file:
# grep ^ee: /etc/passwd >> /export/home/chroot/etc/passwd
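As an added set of checks (example code written for this page, not from the original post or from the referenced site): the first function rewrites an account's home field to the /./ form described under "Create a CHROOT user", and the other two verify the tree built by setup_chroot_env (every copied program is present and executable, nothing in the tree is setuid/setgid, and the device nodes exist). Function names and the sample passwd line are hypothetical.

```shell
#!/bin/sh
# Post-setup checks for the chroot tree built by setup_chroot_env.
# Added example; the function names and fixtures are assumptions.

# Rewrite USER's home in PASSWD_FILE to the CHROOT_DIR/./rest form and print
# the resulting passwd line. Safe to run twice: an existing /./ is left alone.
chroot_passwd_entry() {
    user=$1; chroot_dir=$2; passwd_file=$3
    awk -F: -v u="$user" -v c="$chroot_dir" 'BEGIN { OFS=":" }
        $1 == u {
            if (index($6, c "/./") != 1 && index($6, c "/") == 1)
                $6 = c "/." substr($6, length(c) + 1)
            print
        }' "$passwd_file"
}

# Verify that every program copied into the chroot is present, executable
# and not setuid/setgid (a setuid binary inside a chroot is an escape path).
check_chroot_binaries() {
    chroot_dir=$1; shift
    rc=0
    for f in "$@"; do
        inside="$chroot_dir$f"
        if [ ! -x "$inside" ]; then
            echo "missing or not executable: $inside" >&2; rc=1
        elif [ -u "$inside" ] || [ -g "$inside" ]; then
            echo "setuid/setgid inside chroot: $inside" >&2; rc=1
        fi
    done
    # Nothing else in the tree should be setuid/setgid either.
    extra=`find "$chroot_dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null`
    [ -z "$extra" ] || { echo "unexpected setuid/setgid files: $extra" >&2; rc=1; }
    return $rc
}

# Check the character devices created with mknod (run as root on the host).
check_chroot_devices() {
    chroot_dir=$1
    for d in null zero; do
        [ -c "$chroot_dir/dev/$d" ] || { echo "$chroot_dir/dev/$d is not a character device" >&2; return 1; }
    done
}
```

Run it on the host as root, e.g. `check_chroot_binaries /export/home/chroot /bin/sh /opt/ssh/libexec/sftp-server && check_chroot_devices /export/home/chroot`, before pointing sshd at the chroot.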
Test SSH/chroot/the chroot account
==================================
- modify /opt/ssh/etc/sshd_config so that SSH runs on a free port, then start it with "/etc/rc2.d/S98opensshd start".
# ps -ef | grep ssh
root 2151 1 0 Feb 22 ? 0:00 /usr/local/sbin/sshd
root 1185 28788 0 00:55:29 pts/1 0:00 grep ssh
root 28778 2151 0 23:13:30 ? 0:00 /usr/local/sbin/sshd
root 29836 1 0 00:42:51 ? 0:01 /opt/ssh/sbin/sshd
- test chroot
# chroot /export/home/chroot /bin/sh
# pwd
/
# ls -l
total 32
drwxr-xr-x 2 0 1 8192 Feb 13 23:14 bin
drwxr-xr-x 2 0 1 96 Feb 13 23:19 dev
drwxr-xr-x 2 60405 1 8192 Feb 14 01:27 eehome
drwxr-xr-x 2 0 1 96 Mar 1 00:33 etc
drwxr-xr-x 3 0 1 96 Feb 13 23:14 opt
drwxr-xr-x 6 0 1 96 Feb 13 23:14 usr
- test the chroot account & "root" (test "sftp" if necessary)
# ssh ee@localhost -p 2222
ee@localhost's password:
Last login: Thu Mar 1 01:01:04 2007 from localhost
$ pwd
/eehome
$ ls -al ..
total 64
drwxr-xr-x 8 0 1 8192 Feb 14 01:31 .
drwxr-xr-x 8 0 1 8192 Feb 14 01:31 ..
drwxr-xr-x 2 0 1 8192 Feb 13 23:14 bin
drwxr-xr-x 2 0 1 96 Feb 13 23:19 dev
drwxr-xr-x 2 60405 1 8192 Feb 14 01:27 eehome
drwxr-xr-x 2 0 1 96 Mar 1 00:33 etc
drwxr-xr-x 3 0 1 96 Feb 13 23:14 opt
drwxr-xr-x 6 0 1 96 Feb 13 23:14 usr
$
Terminate original SSH & bring up CHROOT SSH
============================================
- stop the CHROOT SSH daemon that was started for testing.
- modify /opt/ssh/etc/sshd_config and change "Port" back to "22".
- terminate the original SSH daemon process (only the server process listening on port 22/tcp; "lsof -i tcp:22" shows which process that is).
- bring up CHROOT SSH at port 22/tcp.
# ps -ef | grep ssh
root 2151 1 0 Feb 22 ? 0:00 /usr/local/sbin/sshd
root 1279 28788 0 01:24:59 pts/1 0:00 grep ssh
root 28778 2151 0 23:13:30 ? 0:01 /usr/local/sbin/sshd
root 29836 1 0 00:42:51 ? 0:01 /opt/ssh/sbin/sshd
# /etc/rc2.d/S98opensshd stop
# ps -ef | grep ssh
root 2151 1 0 Feb 22 ? 0:00 /usr/local/sbin/sshd
root 1285 28788 0 01:25:09 pts/1 0:00 grep ssh
root 28778 2151 0 23:13:30 ? 0:01 /usr/local/sbin/sshd
# kill 2151
# ps -ef | grep ssh
root 1287 28788 0 01:27:11 pts/1 0:00 grep ssh
root 28778 1 0 23:13:30 ? 0:01 /usr/local/sbin/sshd
# /etc/rc2.d/S98opensshd start
starting /opt/ssh/sbin/sshd... done.
# ps -ef | grep ssh
root 1292 28788 0 01:27:37 pts/1 0:00 grep ssh
root 28778 1 0 23:13:30 ? 0:01 /usr/local/sbin/sshd
root 1290 1 1 01:27:34 ? 0:01 /opt/ssh/sbin/sshd
Verify SSH connection & CHROOT accounts
=======================================
- try to "ssh" to the host as "root".
- try to "ssh" to the host as a chroot account.
Cleanup
=======
# ls -al /etc/rc*.d/* | grep -i ssh
lrwxrwxrwx 1 root other 18 Feb 28 23:40 /etc/rc0.d/K30opensshd -> ../init.d/opensshd
lrwxrwxrwx 1 root other 14 Feb 16 18:03 /etc/rc0.d/K30sshd -> ../init.d/sshd
lrwxrwxrwx 1 root other 18 Feb 28 23:40 /etc/rc1.d/K30opensshd -> ../init.d/opensshd
lrwxrwxrwx 1 root other 14 Feb 16 18:03 /etc/rc1.d/K30sshd -> ../init.d/sshd
lrwxrwxrwx 1 root other 18 Feb 28 23:40 /etc/rc2.d/S98opensshd -> ../init.d/opensshd
lrwxrwxrwx 1 root other 14 Feb 16 18:03 /etc/rc2.d/S98sshd -> ../init.d/sshd
lrwxrwxrwx 1 root other 18 Feb 28 23:40 /etc/rcS.d/K30opensshd -> ../init.d/opensshd
lrwxrwxrwx 1 root other 14 Feb 16 18:03 /etc/rcS.d/K30sshd -> ../init.d/sshd
# unlink /etc/rc0.d/K30sshd
# unlink /etc/rc1.d/K30sshd
# unlink /etc/rc2.d/S98sshd
# unlink /etc/rcS.d/K30sshd
P.S.: to create more CHROOT accounts, just repeat the steps under "Create a CHROOT user".
Reference: http://www.brandonhutchinson.com/chroot_ssh.html