scponly: allow sftp/scp connections but not ssh logins
0. Revision history
- 2005.10.14 Initial version
- 2006.02.17 Updated for the latest version
- 2006.12.07 Added notes on the steps after creating an account
- 2008.02.19 Added notes on the change of official site and the vulnerability
1. Introduction
This document describes the steps for installing scponly.
scponly is a restricted shell that permits access by scp and sftp while not permitting a login. An option also lets you configure its chroot feature, which prevents the user from moving anywhere outside their own home directory.
The environment used here is RedHat ES3. A security hole has been announced in version 4.6, the version shown on this page, so obtain and install the latest version.
2. Obtaining and installing the module
- The official scponly site is as follows.
- Fetch the module with the wget command.
- For the new site, download from the following URL.
[root@uranos Downlaod]$ wget http://www.sublimation.org/scponly/scponly-4.6.tgz
--15:41:28-- http://www.sublimation.org/scponly/scponly-4.6.tgz
=> `scponly-4.6.tgz'
Resolving www.sublimation.org... done.
Connecting to www.sublimation.org[66.93.79.58]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 96,578 [application/x-tar]
100%[==============================>] 96,578 64.78K/s ETA 00:00
15:41:30 (64.78 KB/s) - `scponly-4.6.tgz' saved [96578/96578]
[root@uranos Downlaod]$
[root@uranos Downlaod]$ tar xzf scponly-4.6.tgz
[root@uranos Downlaod]$ cd scponly-4.6
[root@uranos scponly-4.6]$ ls
AUTHOR              TODO                 groups.c
BUILDING-JAILS.TXT  aclocal.m4           helper.c
CHANGELOG           build_extras         install-sh
CONTRIB             config.guess         scponly.8
COPYING             config.h.in          scponly.8.alternate_manpage
INSTALL             config.sub           scponly.c
Makefile.in         configure            scponly.h
README              configure.in         setup_chroot.sh.in
[root@uranos scponly-4.6]$
[root@uranos scponly-4.6]$ ./configure --help
`configure' configures scponly 4.6 to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--datadir=DIR read-only architecture-independent data [PREFIX/share]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--infodir=DIR info documentation [PREFIX/info]
--mandir=DIR man documentation [PREFIX/man]
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--disable-restrictive-names
disable restrictive filename checks
--disable-wildcards disable wildcard processing
--disable-gftp-compat disable gftp compatibility
--enable-winscp-compat enable winscp (and scp) compatibility
--enable-sftp-logging-compat
Enable SFTP logging compatibility
--enable-unison-compat enable unison compatibility
--enable-scp-compat enable scp compatibility
--enable-rsync-compat enable rsync compatibility
--enable-chrooted-binary
install chrooted binary 'scponlyc'
--disable-chroot-checkdir
disable checking chroot dir ownership
--enable-svn-compat enable subversion SCS cli compatibility
--enable-svnserv-compat enable subversion SCS svnserve compatibility
--enable-passwd-compat enable passwd compatibility
--enable-quota-compat enable quota compatibility
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-sftp-server path to sftp-server binary
defaults, to, on+guessed
--with-default-chdir=DIR
cd to this directory after authentication (only for
interactive logins)
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <joe@sublimation.org>.
[root@uranos scponly-4.6]$
- chroot is the option that stops the user from moving outside their home directory.
- Run configure with what appear to be the minimum required options.
[root@uranos scponly-4.6]$ ./configure \
> --enable-chrooted-binary \
> --disable-wildcards \
> --disable-chroot-checkdir \
> --enable-winscp-compat
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for cut... /bin/cut
checking for grep... /bin/grep
checking for sort... /bin/sort
checking for ldd... /usr/bin/ldd
checking for useradd... no
checking for chown... /bin/chown
checking for chmod... /bin/chmod
checking for dirname... /usr/bin/dirname
checking for id... /usr/bin/id
checking for pw... no
checking for rm... /bin/rm
checking for pwd_mkdb... no
configure: enabling WinSCP compatability...
checking for pwd... /bin/pwd
checking for groups... /usr/bin/groups
checking for id... /usr/bin/id
checking for echo... /bin/echo
configure: enabling SFTP compatability...
checking for sftp-server... /usr/libexec/openssh/sftp-server
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking wordexp.h usability... yes
checking wordexp.h presence... yes
checking for wordexp.h... yes
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working alloca.h... yes
checking for alloca... yes
checking for malloc... yes
checking for atexit... yes
checking for bzero... yes
checking for strchr... yes
checking for strerror... yes
checking for glob... yes
checking for wordexp... yes
checking for strspn... yes
checking for basename... yes
checking for getopt... yes
checking whether optreset is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating setup_chroot.sh
config.status: creating config.h
[root@uranos scponly-4.6]$
[root@uranos scponly-4.6]# make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o helper.o -c helper.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o groups groups.c
[root@uranos scponly-4.6]#
[root@uranos scponly-4.6]# make install
echo "0" > debuglevel
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/sbin; \
rm -f /usr/local/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \
fi
- The scponly command has now been installed.
- Register the scponlyc command as a login shell.
Before:
[root@uranos scponly-4.6]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
[root@uranos scponly-4.6]#
After:
[root@uranos scponly-4.6]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/bash2
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
/usr/local/bin/scponlyc
[root@uranos scponly-4.6]#
3. Creating the first restricted user
- When creating a restricted user for the first time, run make jail.
- Here the account is created under the name newuser.
[root@uranos scponly-4.6]# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/sbin; \
rm -f /usr/local/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
Username to install [scponly]newuser
home directory you wish to set for this user [/home/newuser]/home/newuser
name of the writeable subdirectory [incoming]
- Specify the subdirectory to be used for uploads. This directory is created under the home directory.
name of the writeable subdirectory [incoming]incoming
./setup_chroot.sh: line 14: ldconfig: command not found
creating /home/newuser/incoming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for newuser:
Changing password for user newuser.
New password: make: *** [jail] 割り込み
[root@uranos scponly-4.6]#
- An error reports that the ldconfig command cannot be found, so abort with Control+C.
- Locate ldconfig and add its directory to the PATH.
[root@uranos scponly-4.6]# which ldconfig
/usr/bin/which: no ldconfig in (/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/root/bin:/usr/sbin)
[root@uranos scponly-4.6]# locate ldconfig
/usr/share/man/man8/ldconfig.8.gz
/usr/share/man/ja/man8/ldconfig.8.gz
/sbin/ldconfig
[root@uranos scponly-4.6]# export PATH=$PATH:/sbin
[root@uranos scponly-4.6]# which ldconfig
/sbin/ldconfig
[root@uranos scponly-4.6]#
- The interrupted run had already created the account, so remove the user and its home directory before running make jail again.
[root@uranos scponly-4.6]# /usr/sbin/userdel newuser
[root@uranos scponly-4.6]# rm -rf /home/newuser
[root@uranos scponly-4.6]#
[root@uranos scponly-4.6]# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/sbin; \
rm -f /usr/local/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
Username to install [scponly]newuser
home directory you wish to set for this user [/home/newuser]/home/newuser
name of the writeable subdirectory [incoming]incomming
creating /home/newuser/incomming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for newuser:
Changing password for user newuser.
New password:
- This time it ran correctly.
- Set the user's password.
New password: ■■■■■
BAD PASSWORD: it is based on a dictionary word
Retype new password: ■■■■■
passwd: all authentication tokens updated successfully.
if you experience a warning with winscp regarding groups, please install the provided hacked out fake groups program into your chroot, like so:
cp groups /home/newuser/bin/groups
[root@uranos scponly-4.6]#
- That completes the setup.
- Check the home directory of the user that was created.
[root@uranos scponly-4.6]# ls -la /home/newuser
total 64
drwxr-xr-x 8 root root 4096 Feb 17 16:52 .
drwxr-x--x 444 root root 8192 Feb 17 16:52 ..
-rw-r--r-- 1 newuser newuser 24 Feb 17 16:52 .bash_logout
-rw-r--r-- 1 newuser newuser 191 Feb 17 16:52 .bash_profile
-rw-r--r-- 1 newuser newuser 124 Feb 17 16:52 .bashrc
-rw-r--r-- 1 newuser newuser 5531 Feb 17 16:52 .canna
-rw-r--r-- 1 newuser newuser 847 Feb 17 16:52 .emacs
-rw-r--r-- 1 newuser newuser 120 Feb 17 16:52 .gtkrc
drwx------ 5 newuser newuser 4096 Feb 17 16:52 Maildir
drwxr-xr-x 2 root root 4096 Feb 17 16:52 bin
drwxr-xr-x 2 root root 4096 Feb 17 16:52 etc
drwxr-xr-x 3 newuser newuser 4096 Feb 17 17:00 incomming
drwxr-xr-x 3 root root 4096 Feb 17 16:52 lib
drwxr-xr-x 6 root root 4096 Feb 17 16:52 usr
[root@uranos scponly-4.6]#
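As an added example (not part of the original page or of scponly), the following POSIX shell function applies the rule setup_chroot.sh printed earlier, that the home directory must not be writable by the scponly user while the upload subdirectory must be, to an `ls -la` listing like the one just shown. It also flags a user-owned `.ssh` directory, since that is exactly what setup_chroot.sh says the restriction exists to prevent. The function name `audit_jail_listing` and its arguments are assumptions; the embedded listings are constructed from this page's own output.

```sh
#!/bin/sh
# Added example: audit a chrooted scponly home directory from an `ls -la`
# listing (names and arguments are assumptions, not part of scponly itself).
# Usage: audit_jail_listing USER WRITABLE_SUBDIR < listing
# Prints one line per finding; returns 0 when the listing passes.
audit_jail_listing() {
    awk -v user="$1" -v subdir="$2" '
        /^total /  { next }          # skip the "total N" header
        NF < 9     { next }          # not an ls -l entry
        {
            mode = $1; owner = $3; name = $9
            if (name == ".") {
                seen_home = 1
                # the home itself must stay out of the user'"'"'s control ...
                if (owner == user)
                    { print "home directory is owned by " user; bad++ }
                # ... and must not be group- or world-writable
                if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w")
                    { print "home directory is group/world writable: " mode; bad++ }
            } else if (name == subdir) {
                seen_subdir = 1
                if (substr(mode, 1, 1) != "d")
                    { print subdir " is not a directory"; bad++ }
                if (owner != user)
                    { print subdir " is owned by " owner ", not " user; bad++ }
            } else if (name == ".ssh" && owner == user) {
                # a user-owned .ssh would let the user alter ssh settings
                print ".ssh is owned by " user; bad++
            }
        }
        END {
            if (!seen_home)   { print "no \".\" entry in listing"; bad++ }
            if (!seen_subdir) { print "writable subdirectory " subdir " not found"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: the cleaned-up /home/newuser listing from this page.
SAMPLE_LISTING='total 32
drwxr-xr-x 7 root root 4096 Feb 17 17:23 .
drwxr-x--x 445 root root 8192 Feb 17 17:19 ..
drwxr-xr-x 2 root root 4096 Feb 17 16:52 bin
drwxr-xr-x 2 root root 4096 Feb 17 16:52 etc
drwxr-xr-x 3 newuser newuser 4096 Feb 17 17:13 incomming
drwxr-xr-x 3 root root 4096 Feb 17 16:52 lib
drwxr-xr-x 6 root root 4096 Feb 17 16:52 usr'

# Constructed counter-example: home handed to the user, world-writable,
# with a user-owned .ssh directory.
BAD_LISTING='total 16
drwxrwxrwx 3 newuser newuser 4096 Feb 17 17:23 .
drwxr-x--x 445 root root 8192 Feb 17 17:19 ..
drwx------ 2 newuser newuser 4096 Feb 17 17:23 .ssh
drwxr-xr-x 3 newuser newuser 4096 Feb 17 17:13 incomming'

if printf '%s\n' "$SAMPLE_LISTING" | audit_jail_listing newuser incomming; then
    echo "sample listing: OK"
fi
```

Feed it a live directory with `ls -la /home/newuser | audit_jail_listing newuser incomming`; a non-zero exit means the jail no longer matches what setup_chroot.sh set up.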
- Connect with sftp from another machine and try to create a directory directly under the home directory.
iMacG5:~ root$ sftp newuser@secure.ujp.jp
Connecting to secure.ujp.jp...
newuser@secure.ujp.jp's password: ■■■■■■
sftp>
sftp> ls
. .. .bash_logout .bash_profile
.bashrc .canna .emacs .gtkrc
Maildir bin etc incomming lib usr
sftp>
sftp> mkdir test
Couldn't create directory: Permission denied
sftp>
- This confirms that access is restricted.
- Move to the incomming directory, where writing is permitted, and check the write permission there.
sftp> cd incomming
sftp> ls
. ..
sftp> mkdir test
sftp> ls
. .. test
sftp>
- Remove the Maildir and the dotfiles from the home directory, since the restricted user has no use for them.
[root@uranos scponly-4.6]# rm -rf /home/newuser/Maildir
[root@uranos scponly-4.6]# rm -rf /home/newuser/.*
rm: cannot remove `.' or `..'
rm: cannot remove `.' or `..'
[root@uranos scponly-4.6]# ls -la /home/newuser
total 32
drwxr-xr-x 7 root root 4096 Feb 17 17:23 .
drwxr-x--x 445 root root 8192 Feb 17 17:19 ..
drwxr-xr-x 2 root root 4096 Feb 17 16:52 bin
drwxr-xr-x 2 root root 4096 Feb 17 16:52 etc
drwxr-xr-x 3 newuser newuser 4096 Feb 17 17:13 incomming
drwxr-xr-x 3 root root 4096 Feb 17 16:52 lib
drwxr-xr-x 6 root root 4096 Feb 17 16:52 usr
[root@uranos scponly-4.6]#
4. Creating further users
- From the second user onward, run the setup_chroot.sh command.
- Run it from inside the directory in which the source was compiled.
- If you restrict logins in /etc/ssh/sshd_config, confirm that the user is on the Allow list.
- If you edited the /etc/ssh/sshd_config file, run /etc/init.d/sshd restart.
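Added example, not from this page or from scponly: a POSIX shell pre-flight check for a newly created account, covering the Allow-list point above together with the /etc/shells registration from section 2. It reads the user's login shell from the passwd file, confirms that shell is listed in the shells file, and, when sshd_config carries an AllowUsers line, confirms the user appears on it (sshd rejects logins for users not listed there once the directive is present). The file paths are parameters so it can be run against copies; the function names `check_scponly_account` and `write_sample_files` and the sample files they use are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of scponly): pre-flight checks for a scponly account.
# Usage: check_scponly_account USER [PASSWD_FILE] [SHELLS_FILE] [SSHD_CONFIG]
# Prints each problem found; returns 0 when the account looks ready.
check_scponly_account() {
    user=$1
    passwd=${2:-/etc/passwd}
    shells=${3:-/etc/shells}
    sshd_conf=${4:-/etc/ssh/sshd_config}
    rc=0

    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        echo "$user: no entry in $passwd"
        return 1
    fi

    # The login shell has to be scponly (or the chrooting scponlyc binary).
    case ${shell##*/} in
        scponly|scponlyc) ;;
        *) echo "$user: login shell is $shell, not scponly/scponlyc"; rc=1 ;;
    esac

    # The shell path must be registered, as was done with /etc/shells above.
    if ! grep -qx "$shell" "$shells"; then
        echo "$user: $shell is not listed in $shells"
        rc=1
    fi

    # Only enforced when sshd_config actually carries an AllowUsers line;
    # entries may be plain user names or user@host patterns.
    allow=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$sshd_conf")
    if [ -n "$allow" ]; then
        matched=0
        for entry in $allow; do
            case $entry in
                "$user"|"$user@"*) matched=1 ;;
            esac
        done
        if [ "$matched" -eq 0 ]; then
            echo "$user: not listed in AllowUsers of $sshd_conf (sshd will reject the login)"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample files for a stand-alone run; the values are made up.
write_sample_files() {
    printf '%s\n' 'newuser:x:1001:1001::/home/newuser:/usr/local/bin/scponlyc' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' > "$1/passwd"
    printf '%s\n' /bin/sh /bin/bash /sbin/nologin /usr/local/bin/scponlyc > "$1/shells"
    printf '%s\n' 'Port 22' 'AllowUsers newuser admin@10.0.0.1' > "$1/sshd_config"
}

dir=$(mktemp -d)
write_sample_files "$dir"
for u in newuser bob; do
    if check_scponly_account "$u" "$dir/passwd" "$dir/shells" "$dir/sshd_config"; then
        echo "$u: ready"
    fi
done
rm -rf "$dir"
```

On a real host, `check_scponly_account newuser` with no further arguments reads the system files; run it before and after editing sshd_config so the restart in the last step is only done once the account is actually listed.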