0
我想監禁一個「正常」用戶,併爲SFTP和SSH特殊組developer。在SFTP + SSH中監禁用戶
用戶只能通過SSH在/srv/DEVELOPMENT(SSH/SFTP)和上導航,用戶只能執行命令限制(請參閱底部的腳本)。
爲什麼我要這個?
我在一個小項目上工作。最後幾天,另一位開發人員不願意用他們的經驗來支持這個項目。開發人員可以編輯「開發人員網站」,並可以通過SSH啓動/停止/重新啓動一個Node.js應用程序。接下來的想法是:用戶必須使用shell來更改他們的賬戶密碼。
目前,我已經配置了SSH-守護進程與以下步驟:
監獄超過SFTP
Match Group developer
X11Forwarding no
AllowTcpForwarding yes
ChrootDirectory /srv/DEVELOPMENT
ForceCommand internal-sftp
加入用戶通過以下命令/選項:
useradd --base-dir /srv/ --home-dir /srv/ --no-user-group --shell /srv/shell.sh $USERNAME
usermod -G developer $USERNAME
id $USERNAME
passwd $USERNAME
當前目錄權限
/srv developer:root 0755
/srv/DEVELOPMENT developer:root 0750
/srv/DEVELOPMENT/* developer:root 0777
與SFTP它工作正常。通過SSH監控用戶的第二部分目前有點難度。這一步目前不會工作,這就是我的問題。
該chroot是有限的internal-sfpt。當我嘗試登錄,連接將隨消息中止,該連接只允許SFTP:
ssh [email protected]
[email protected]'s password:
This service allows sftp connections only.
Connection to example.com closed.
在這裏,我不得不對SSH-後臺程序配置中刪除ForceCommand>的登錄會成功。
但這裏是我的問題
當我嘗試登錄,沒有可執行文件不能使用:
ssh [email protected]
[email protected]'s password:
Linux example.com 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64
Last login: Sun Jul 30 18:00:11 2017 from ****************
/srv/shell.sh: No such file or directory
Connection to example.com closed.
/srv/shell.sh是一個自定義的shell腳本來限制命令,樣品:
#!/bin/bash
commands=("man" "passwd" "ls" "account", "whoami", "clear", "cd")
RED='\033[0;31m'
YELLOW='\033[0;33m'
MAGENTA='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
INDENTATION=' '
SYSTEM_UPTIME=`uptime --pretty`
SYSTEM_USERS=`who -q`
SYSTEM_QUOTA="None"
SYSTEM_RAM="None"
timestamp(){
date +"%Y-%m-%d %H:%M:%S"
}
log(){
echo -e "[$(timestamp)]\t$1\t$(whoami)\t$2" >> /var/log/developer-user/shell.log;
}
execute() {
# EXIT
if [[ "$ln" == "exit" ]] || [[ "$ln" == "q" ]]
then
exit
# HELP
elif [[ "$ln" == "help" ]]
then
echo "Type exit or q to quit."
echo "Commands you can use:"
echo " account"
echo " help"
echo " echo"
echo " man <ManPage>"
echo " passwd"
echo " ls"
echo " clear"
echo " cd"
# CD
elif [[ "$ln" =~ ^cd\ .*$ ]]
then
LAST=`pwd`
$ln
CURRENT=`pwd`
if [[ $CURRENT == "/srv" ]]
then
log CHANGE_DIR FAILED_PERMISSIONS "$ln"
echo -e "${RED}ERROR:${NC} Sorry, you can't change to the previous directory ${YELLOW}\"${CURRENT}\"${NC}."
cd $LAST
elif [[ ! "$CURRENT" =~ ^/srv/DEVELOPMENT ]]
then
log CHANGE_DIR FAILED_PERMISSIONS "$ln"
echo -e "${RED}ERROR:${NC} Sorry, you can't change to the directory ${YELLOW}\"${CURRENT}\"${NC}."
cd $LAST
elif [[ `stat -c "%G" ${CURRENT}` == "friendlounge" ]]
then
log CHANGE_DIR "$ln"
else
log CHANGE_DIR FAILED_PERMISSIONS "$ln"
echo -e "${RED}ERROR:${NC} You have no permissions on ${YELLOW}\"${CURRENT}\"${NC}."
cd $LAST
fi
# ECHO
elif [[ "$ln" =~ ^echo\ .*$ ]]
then
$ln
log COMMAND "$ln"
# ACCOUNT
elif [[ "$ln" = "account" ]]
then
echo -e "YOUR ACCOUNT:"
echo -e "Username: $(whoami)"
# OTHERS
else
ok=false
for cmd in "${commands[@]}"
do
if [[ "$cmd" == "$ln" ]]
then
ok=true
fi
done
if $ok
then
$ln
else
echo -e "${RED}ERROR:${NC} You have no permissions to execute ${YELLOW}\"${ln}\"${NC}."
log DENIED "$ln"
fi
fi
}
# WELCOME MESSAGE
echo -e "${INDENTATION}${MAGENTA}Account:${NC}${INDENTATION}$(whoami)"
echo -e "${INDENTATION}${MAGENTA}Date:${NC}${INDENTATION}${INDENTATION}$(timestamp)"
echo -e "${INDENTATION}${MAGENTA}Uptime:${NC}${INDENTATION}${INDENTATION}${SYSTEM_UPTIME}"
echo -e "${INDENTATION}${MAGENTA}Users:${NC}${INDENTATION}${INDENTATION}${SYSTEM_USERS}"
echo -e "${INDENTATION}${MAGENTA}Quota:${NC}${INDENTATION}${INDENTATION}${SYSTEM_QUOTA}"
echo -e "${INDENTATION}${MAGENTA}RAM:${NC}${INDENTATION}${INDENTATION}${SYSTEM_RAM}"
log LOGIN "[email protected]"
cd
trap "trap=\"\";log LOGOUT;exit" EXIT
# Optionally check for '-c custom_command' arguments passed directly to shell
# Then you can also use ssh [email protected] custom_command, which will execute /root/rbash.sh
if [[ "$1" == "-c" ]]
then
shift
execute "[email protected]"
else
while echo -e -n "${RED}$(whoami)${YELLOW}@${CYAN}$(hostname) ${YELLOW}$(pwd) ${MAGENTA}#${NC} " && read ln
do
execute "$ln"
done
fi
該shell腳本檢查用戶的permission,並強制只有/srv/DEVELOPMENT目錄或子目錄。
設置其他登錄shell如/bin/bash或其他 - 無關緊要 - 在每次登錄時,SSH-Demon在錯誤消息XXXX: No such file or directory後關閉連接。
我曾嘗試設置不同的權限和其他。我無法解決通過SSH連接的問題。
任何人有想法?
之前,你回答
- 是的,我知道可能存在的安全原因(樣品時,在我的「自己的」殼登錄腳本來管理權限)
- 沒有,我不t想要安裝像
schroot或jailkit(在google上發現,閱讀第一分鐘說,這些替代方案使用像虛擬機(?)這樣的完全解耦的系統)的巨大替代方案 - 告訴我,何時顯式信息出錯)
當你說/srv/shell.sh你的意思/srv/DEVELOPMENT/srv/shell.sh? – spinkus
Duplicate:https://stackoverflow.com/a/32653528/2196426 – Jakuje
@spinkus不,我的意思是/srv/shell.sh。 –