Control your ssh scripts by placing them in a jail.
Using SSH increases the security of file transfers and network logins. Many network tasks, however, don't really need the shell associated with a user account (remote backups, for example). After all, a shell brings with it commands and an entry point into a system's directory structure. That's somewhat scary when you consider that many of your SSH tasks are scripted.
Configuring a restricted SSH shell such as scponly can mitigate this risk. Not only does it provide noninteractive (read: scripted) logins into the SSH server, it limits the set of available commands. Additionally, it provides a chroot option, allowing you to restrict the scponly user account to its own directory structure.
6.11.1 Installing scponly
Before installing this port, read through the available options in its Makefile:
# cd /usr/ports/shells/scponly
# more Makefile
Depending on the scripts you plan on using, consider disabling wildcard processing (which can help prevent accidents like rm -R *). You can also enable rsync support, which is ideal if you're using rsnapshot for backups [Hack #35]. If you want to restrict the account to its own directory, preventing your scripts from accessing anything else on the SSH server, include the chroot option.
Once you've chosen your desired options, pass them to the make command. Here I'll enable chroot support:
# make -DWITH_SCPONLY_CHROOT install
Toward the end of the installation, you'll see this message:
Run following script to setup chroot cage:
/usr/ports/shells/scponly/work/scponly-3.8/setup_chroot.sh
Before running this script, choose a new name for the user account you wish to restrict. The script will abort if you use an existing user account.
Here I'll create a chroot for an account named backup:
# cd work/scponly-3.8/
# chmod +x setup_chroot.sh
# ./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, an "incoming" subdirectory will be created that
the scponly user can write into. if you want the scponly user to
automatically change to this incoming subdirectory upon login, you
can specify this when you specify the user's home directory as
follows:

set the home dir to /chroot_path//incoming

when scponly chroots, it will only chroot to chroot_path and
afterwards, it will chdir to incoming.

enter the home directory you wish to set for this user: /usr/home/rembackup/
Install for what username? backup
ls: /lib/libnss_compat*: No such file or directory
creating /usr/home/rembackup/incoming directory for uploading files
6.11.2 Testing the chroot
The script will have created the following directory structure for you:
# ls -l /usr/home/rembackup
total 10
drwxr-xr-x  2 root    wheel  512 Jan 22 12:37 bin/
drwxr-xr-x  2 root    wheel  512 Jan 22 12:38 etc/
drwxr-xr-x  2 backup  wheel  512 Jan 22 12:38 incoming/
drwxr-xr-x  2 root    wheel  512 Jan 22 12:37 lib/
drwxr-xr-x  7 root    wheel  512 Jan 22 12:37 usr/

# ls -l /usr/home/rembackup/bin/
total 1868
-rwxr-xr-x  1 root  wheel   88808 Jan 22 12:37 chmod*
-rwxr-xr-x  1 root  wheel   14496 Jan 22 12:37 echo*
-rwxr-xr-x  1 root  wheel   72240 Jan 22 12:37 ln*
-rwxr-xr-x  1 root  wheel  567772 Jan 22 12:37 ls*
-rwxr-xr-x  1 root  wheel   73044 Jan 22 12:37 mkdir*
-rwxr-xr-x  1 root  wheel  437684 Jan 22 12:37 mv*
-rwxr-xr-x  1 root  wheel   80156 Jan 22 12:37 pwd*
-rwxr-xr-x  1 root  wheel  439812 Jan 22 12:37 rm*
-rwxr-xr-x  1 root  wheel   69060 Jan 22 12:37 rmdir*

# ls -l /usr/home/rembackup/usr/bin/
total 48
-rwxr-xr-x  1 root  wheel   7016 Jan 22 12:37 chgrp*
-rwxr-xr-x  1 root  wheel   7688 Jan 22 12:37 groups*
-rwxr-xr-x  1 root  wheel   7688 Jan 22 12:37 id*
-rwxr-xr-x  1 root  wheel  22616 Jan 22 12:37 scp*

# ls -l /usr/home/rembackup/usr/sbin/
total 8
-rwxr-xr-x  1 root  wheel  7016 Jan 22 12:37 chown*
There you have it; these are the only commands that account can use during an SSH session.
You can also verify that the specified user account was created for you. I'll check for that backup account:
# grep backup /etc/master.passwd
backup:*:1015:1015::0:0:User \
&:/usr/home/rembackup//incoming:/usr/local/sbin/scponlyc
Notice that the account is restricted to the scponlyc shell. The trailing c indicates that this is a chroot.
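The setup script's warning that the home directory must not be writable by the scponly user can be checked after the fact. The following is an added example, not part of the original hack or of scponly: it splits the home field at the // marker and uses POSIX find to list anything outside incoming/ that the jailed account could modify. The function names jail_root, writable_outside_incoming and audit_jail are hypothetical helpers introduced here.

```sh
#!/bin/sh
# Added example: audit an scponly chroot for paths the jailed account can modify.
# On the server in this hack it would be run as root, for instance:
#   audit_jail /usr/home/rembackup//incoming 1015 1015

# jail_root HOME_FIELD
# scponly chroots to the part of the home field before "//" and then
# changes directory to the part after it.
jail_root() {
    printf '%s\n' "${1%%//*}"
}

# writable_outside_incoming ROOT UID GID
# Print every path under ROOT (ROOT itself included, incoming/ excluded)
# that the account could change: owned by UID, group-writable with
# group GID, or world-writable. Symlinks are skipped because their mode
# bits are not meaningful. ROOT must not contain glob characters.
writable_outside_incoming() {
    r=${1%/}
    find "$r" -path "$r/incoming" -prune -o \
        ! -type l \( -user "$2" -o \( -group "$3" -perm -020 \) -o -perm -002 \) \
        -print
}

# audit_jail HOME_FIELD UID GID
# Return 0 when nothing outside incoming/ is writable by the account,
# 1 otherwise (findings go to standard output).
audit_jail() {
    jr=$(jail_root "$1")
    if [ ! -d "$jr/incoming" ]; then
        echo "missing upload directory: $jr/incoming"
        return 1
    fi
    bad=$(writable_outside_incoming "$jr" "$2" "$3")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/writable by jailed account: /'
        return 1
    fi
    return 0
}
```

A nonzero return means some file or directory in the jail, possibly the chroot root itself, should be returned to root ownership or have its write bits removed before the account is used by scripts.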
6.11.3 Now What?
Now that you have a restricted account, test it with one of your SSH scripts. Don't forget to set up your authentication method. Either set a password on the account or configure key-based authentication.
You can use this hack in conjunction with [Hack #38] and [Hack #39].
6.11.4 See Also