UJP - Technical Information 1


scponly: permitting sftp and scp connections without permitting ssh

0. Revision history

  • 2005.10.14 Newly created
  • 2006.02.17 Revised for the latest version
  • 2006.12.07 Added notes on the steps after account creation
  • 2008.02.19 Added notes on the official site change and the vulnerability

1. Introduction

 This document describes the procedure for installing scponly. scponly is a restricted shell that permits access by scp and sftp without permitting login. Optionally, it can also be configured to use a chroot feature that prevents the user from moving outside their own home directory.

 The environment used here is RedHat ES3. Note that a security hole has been announced for version 4.6, the version shown on this page, so obtain and install the latest version.

2. Obtaining and installing the module

[root@uranos Downlaod]$ wget http://www.sublimation.org/scponly/scponly-4.6.tgz
--15:41:28--  http://www.sublimation.org/scponly/scponly-4.6.tgz
           => `scponly-4.6.tgz'
Resolving www.sublimation.org... done.
Connecting to www.sublimation.org[66.93.79.58]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 96,578 [application/x-tar]

100%[==============================>] 96,578        64.78K/s    ETA 00:00

15:41:30 (64.78 KB/s) - `scponly-4.6.tgz' saved [96578/96578]

[root@uranos Downlaod]$
  • Extract the archive.
[root@uranos Downlaod]$ tar xzf scponly-4.6.tgz
[root@uranos Downlaod]$ cd scponly-4.6
[root@uranos scponly-4.6]$ ls
AUTHOR               TODO              groups.c
BUILDING-JAILS.TXT   aclocal.m4        helper.c
CHANGELOG            build_extras      install-sh
CONTRIB              config.guess      scponly.8
COPYING              config.h.in       scponly.8.alternate_manpage
INSTALL              config.sub        scponly.c
Makefile.in          configure         scponly.h
README               configure.in      setup_chroot.sh.in
[root@uranos scponly-4.6]$
  • Check configure's help.
[root@uranos scponly-4.6]$ ./configure --help
`configure' configures scponly 4.6 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR           user executables [EPREFIX/bin]
  --sbindir=DIR          system admin executables [EPREFIX/sbin]
  --libexecdir=DIR       program executables [EPREFIX/libexec]
  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
  --libdir=DIR           object code libraries [EPREFIX/lib]
  --includedir=DIR       C header files [PREFIX/include]
  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
  --infodir=DIR          info documentation [PREFIX/info]
  --mandir=DIR           man documentation [PREFIX/man]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-restrictive-names
                          disable restrictive filename checks
  --disable-wildcards     disable wildcard processing
  --disable-gftp-compat   disable gftp compatibility
  --enable-winscp-compat  enable winscp (and scp) compatibility
  --enable-sftp-logging-compat
                          Enable SFTP logging compatibility
  --enable-unison-compat  enable unison compatibility
  --enable-scp-compat     enable scp compatibility
  --enable-rsync-compat   enable rsync compatibility
  --enable-chrooted-binary
                          install chrooted binary 'scponlyc'
  --disable-chroot-checkdir
                          disable checking chroot dir ownership
  --enable-svn-compat     enable subversion SCS cli compatibility
  --enable-svnserv-compat enable subversion SCS svnserve compatibility
  --enable-passwd-compat  enable passwd compatibility
  --enable-quota-compat   enable quota compatibility

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-sftp-server      path to sftp-server binary defaults, to, on+guessed
  --with-default-chdir=DIR
                          cd to this directory after authentication (only for
                          interactive logins)

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  CPPFLAGS    C/C++ preprocessor flags, e.g. -I<include dir> if you have
              headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <joe@sublimation.org>.
[root@uranos scponly-4.6]$
  • chroot is the option that prevents the user from moving outside the home directory.
  • Run configure with what appear to be the minimum necessary options.
[root@uranos scponly-4.6]$ ./configure \
> --enable-chrooted-binary \
> --disable-wildcards \
> --disable-chroot-checkdir \
> --enable-winscp-compat
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for cut... /bin/cut
checking for grep... /bin/grep
checking for sort... /bin/sort
checking for ldd... /usr/bin/ldd
checking for useradd... no
checking for chown... /bin/chown
checking for chmod... /bin/chmod
checking for dirname... /usr/bin/dirname
checking for id... /usr/bin/id
checking for pw... no
checking for rm... /bin/rm
checking for pwd_mkdb... no
configure: enabling WinSCP compatability...
checking for pwd... /bin/pwd
checking for groups... /usr/bin/groups
checking for id... /usr/bin/id
checking for echo... /bin/echo
configure: enabling SFTP compatability...
checking for sftp-server... /usr/libexec/openssh/sftp-server
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking wordexp.h usability... yes
checking wordexp.h presence... yes
checking for wordexp.h... yes
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working alloca.h... yes
checking for alloca... yes
checking for malloc... yes
checking for atexit... yes
checking for bzero... yes
checking for strchr... yes
checking for strerror... yes
checking for glob... yes
checking for wordexp... yes
checking for strspn... yes
checking for basename... yes
checking for getopt... yes
checking whether optreset is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating setup_chroot.sh
config.status: creating config.h
[root@uranos scponly-4.6]$
  • It appears to have succeeded.
  • Run make.
[root@uranos scponly-4.6]# make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o helper.o -c helper.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o groups groups.c
[root@uranos scponly-4.6]#
  • Run make install.
[root@uranos scponly-4.6]# make install
echo "0" > debuglevel
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then                        \
        /usr/bin/install -c -d /usr/local/sbin;                         \
        rm -f /usr/local/sbin/scponlyc;                 \
        cp scponly scponlyc;                            \
        /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;        \
fi
  • The scponly command has been installed.
  • Register the scponlyc command as a login shell.
Before
[root@uranos scponly-4.6]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
[root@uranos scponly-4.6]#
After
[root@uranos scponly-4.6]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
/usr/local/bin/scponlyc
[root@uranos scponly-4.6]#
  • Installation is now complete.

3. Creating the first restricted user

  • When creating a user for the first time, run make jail.
  • Here we create an account named newuser.
[root@uranos scponly-4.6]# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then                        \
        /usr/bin/install -c -d /usr/local/sbin;                         \
        rm -f /usr/local/sbin/scponlyc;                 \
        cp scponly scponlyc;                            \
        /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;        \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

Username to install [scponly]  
  • Enter the user name to create.
Username to install [scponly]newuser  
home directory you wish to set for this user [/home/newuser]
  • Enter that user's home directory.
home directory you wish to set for this user [/home/newuser]/home/newuser
name of the writeable subdirectory [incoming]
  • Specify the subdirectory for uploads. This directory is created under the home directory.
name of the writeable subdirectory [incoming]incoming 
./setup_chroot.sh: line 14: ldconfig: command not found
creating /home/newuser/incoming directory for uploading files

Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org

please set the password for newuser:
Changing password for user newuser.
New password:
make: *** [jail] 割り込み
[root@uranos scponly-4.6]#
  • An error says the ldconfig command cannot be found, so abort with Control+C.
  • Find ldconfig and set the path.
[root@uranos scponly-4.6]# which ldconfig
/usr/bin/which: no ldconfig in (/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/root/bin:/usr/sbin)
[root@uranos scponly-4.6]# locate ldconfig
/usr/share/man/man8/ldconfig.8.gz
/usr/share/man/ja/man8/ldconfig.8.gz
/sbin/ldconfig
[root@uranos scponly-4.6]# export PATH=$PATH:/sbin
[root@uranos scponly-4.6]# which ldconfig
/sbin/ldconfig
[root@uranos scponly-4.6]#
  • Delete the user that was only partially created.
[root@uranos scponly-4.6]# /usr/sbin/userdel newuser
[root@uranos scponly-4.6]# rm -rf /home/newuser
[root@uranos scponly-4.6]#
  • Run it again.
[root@uranos scponly-4.6]# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then                        \
        /usr/bin/install -c -d /usr/local/sbin;                         \
        rm -f /usr/local/sbin/scponlyc;                 \
        cp scponly scponlyc;                            \
        /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;        \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

Username to install [scponly]newuser 
home directory you wish to set for this user [/home/newuser]/home/newuser
name of the writeable subdirectory [incoming]incomming
creating /home/newuser/incomming directory for uploading files

Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org

please set the password for newuser:
Changing password for user newuser.
New password:
  • This time it ran correctly.
  • Set the user's password.
New password: ■■■■■
BAD PASSWORD: it is based on a dictionary word
Retype new password: ■■■■■
passwd: all authentication tokens updated successfully.
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/newuser/bin/groups
[root@uranos scponly-4.6]#
  • Done.
  • Check the created user's home directory.
[root@uranos scponly-4.6]# ls -la /home/newuser
total 64
drwxr-xr-x    8 root     root         4096 Feb 17 16:52 .
drwxr-x--x  444 root     root         8192 Feb 17 16:52 ..
-rw-r--r--    1 newuser  newuser        24 Feb 17 16:52 .bash_logout
-rw-r--r--    1 newuser  newuser       191 Feb 17 16:52 .bash_profile
-rw-r--r--    1 newuser  newuser       124 Feb 17 16:52 .bashrc
-rw-r--r--    1 newuser  newuser      5531 Feb 17 16:52 .canna
-rw-r--r--    1 newuser  newuser       847 Feb 17 16:52 .emacs
-rw-r--r--    1 newuser  newuser       120 Feb 17 16:52 .gtkrc
drwx------    5 newuser  newuser      4096 Feb 17 16:52 Maildir
drwxr-xr-x    2 root     root         4096 Feb 17 16:52 bin
drwxr-xr-x    2 root     root         4096 Feb 17 16:52 etc
drwxr-xr-x    3 newuser  newuser      4096 Feb 17 17:00 incomming
drwxr-xr-x    3 root     root         4096 Feb 17 16:52 lib
drwxr-xr-x    6 root     root         4096 Feb 17 16:52 usr
[root@uranos scponly-4.6]#
  • Try connecting as the created user.
iMacG5:~ root$ sftp newuser@secure.ujp.jp
Connecting to secure.ujp.jp...
newuser@secure.ujp.jp's password: ■■■■■■
sftp> 
  • Check the file list.
sftp> ls
.               ..              .bash_logout    .bash_profile   
.bashrc         .canna          .emacs          .gtkrc          
Maildir         bin             etc             incomming       
lib             usr
sftp>
  • Try creating a directory.
sftp> mkdir test
Couldn't create directory: Permission denied
sftp>  
  • Confirmed that access rights are restricted.
  • Move to the incomming directory, where writing is permitted, and check write permission there.
sftp> cd incomming
sftp> ls
.   ..  
sftp> mkdir test
sftp> ls
.     ..    test  
sftp>
  • It succeeded.
  • Remove unnecessary files.
[root@uranos scponly-4.6]# rm -rf /home/newuser/Maildir
[root@uranos scponly-4.6]# rm -rf /home/newuser/.*
rm: cannot remove `.' or `..'
rm: cannot remove `.' or `..'
[root@uranos scponly-4.6]# ls -la /home/newuser
total 32
drwxr-xr-x    7 root     root         4096 Feb 17 17:23 .
drwxr-x--x  445 root     root         8192 Feb 17 17:19 ..
drwxr-xr-x    2 root     root         4096 Feb 17 16:52 bin
drwxr-xr-x    2 root     root         4096 Feb 17 16:52 etc
drwxr-xr-x    3 newuser  newuser      4096 Feb 17 17:13 incomming
drwxr-xr-x    3 root     root         4096 Feb 17 16:52 lib
drwxr-xr-x    6 root     root         4096 Feb 17 16:52 usr
[root@uranos scponly-4.6]#
  • Do not delete the other directories.

4. How to create further users

  • From the second user on, run the setup_chroot.sh command.
  • Run it from within the directory where you compiled.
  • If you are using /etc/ssh/sshd_config to restrict logins, confirm that the user is in the Allow list.
  • If you edited the /etc/ssh/sshd_config file, run /etc/init.d/sshd restart.
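A sanity check for the jail built above, added here as an example (it is not part of scponly or of this page's original procedure). It verifies the points setup_chroot.sh and section 4 insist on: the account's login shell is listed in /etc/shells and actually exists on disk (the page registers /usr/local/bin/scponlyc while make install placed the chrooted binary at /usr/local/sbin/scponlyc, which is exactly the kind of mismatch this catches), the jail root is neither owned nor writable by the user, the upload subdirectory is owned by the user, the bin/etc/lib/usr subtree is present, and the user appears in AllowUsers when sshd_config restricts logins. It assumes the default upload directory name incoming and takes the passwd, shells and sshd_config paths as parameters so it can be run against copies.

```shell
#!/bin/sh
# Sanity-check an scponly jail account. Added example, not part of scponly.
# Prints one line per problem and returns the number of problems (0 = OK).
# Usage: check_scponly_jail USER HOME_DIR [PASSWD] [SHELLS] [SSHD_CONFIG]
# Assumes the layout setup_chroot.sh builds: HOME_DIR owned by root and not
# writable by USER, a USER-owned HOME_DIR/incoming, and bin/etc/lib/usr copied in.

check_scponly_jail() {
    user=$1 home=$2
    passwd=${3:-/etc/passwd} shells=${4:-/etc/shells} sshd_cfg=${5:-/etc/ssh/sshd_config}
    problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }

    # 1. Login shell: recorded in passwd, listed in /etc/shells and present on
    #    disk (sshd itself refuses logins whose shell binary is missing).
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        fail "no entry for $user in $passwd"
    else
        grep -qxF "$shell" "$shells" || fail "shell $shell is not listed in $shells"
        [ -x "$shell" ] || fail "shell $shell does not exist or is not executable"
    fi

    if [ -d "$home" ]; then
        # 2. Jail root: must not be owned by the user or group/world writable, or
        #    the user could plant .ssh files and escape the scp/sftp restriction.
        set -- $(ls -ld "$home")                  # $1 = mode string, $3 = owner
        [ "$3" != "$user" ] || fail "jail root $home is owned by $user"
        case "$1" in
            ?????w*|????????w*) fail "jail root $home is group/world writable ($1)" ;;
        esac
        # 3. Upload directory: the one place the user is meant to write.
        if [ -d "$home/incoming" ]; then
            set -- $(ls -ld "$home/incoming")
            [ "$3" = "$user" ] || fail "$home/incoming is owned by $3, expected $user"
        else
            fail "upload directory $home/incoming is missing"
        fi
        # 4. Support tree copied into the chroot by setup_chroot.sh.
        for d in bin etc lib usr; do
            [ -d "$home/$d" ] || fail "chroot subtree $home/$d is missing"
        done
    else
        fail "jail root $home is not a directory"
    fi

    # 5. If sshd limits logins with AllowUsers, the account must be listed.
    if [ -r "$sshd_cfg" ] && grep -qi '^[[:space:]]*AllowUsers' "$sshd_cfg"; then
        grep -i '^[[:space:]]*AllowUsers' "$sshd_cfg" | grep -qw "$user" \
            || fail "$user is not in AllowUsers of $sshd_cfg"
    fi
    return "$problems"
}
```

Run it as root after setup_chroot.sh finishes, for example `check_scponly_jail newuser /home/newuser`; a non-zero return with an empty report means nothing, so read the printed lines.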
