Hack 63 Restrict an SSH server



Control your ssh scripts by placing them in a jail.

Using SSH increases the security of file transfers and network logins. Many network tasks, however, don't really need the shell associated with a user account: remote backups, for example. After all, a shell brings with it commands and an entry point into a system's directory structure. That's somewhat scary when you consider that many of your SSH tasks are scripted.

Configuring a restricted SSH shell such as scponly can mitigate this risk. Not only does it provide noninteractive (read scripted) logins into the SSH server, it limits the set of available commands. Additionally, it provides a chroot option, allowing you to restrict the scponly user account to its own directory structure.

6.11.1 Installing scponly

Before installing this port, read through the available options in its Makefile:

# cd /usr/ports/shells/scponly
# more Makefile

Depending on the scripts you plan on using, consider disabling wildcard processing (which can help prevent accidents like rm -R *). You can also enable rsync support, which is ideal if you're using rsnapshot for backups [Hack #35]. If you want to restrict the account to its own directory, preventing your scripts from accessing anything else on the SSH server, include the chroot option.

Once you've chosen your desired options, pass them to the make command. Here I'll enable chroot support:

# make -DWITH_SCPONLY_CHROOT install

If you include the chroot option, do not use the clean target at the end of your make command. make clean will remove the work/ directory, which contains a script that will set up the chroot for you.


Toward the end of the installation, you'll see this message:

Run following script to setup chroot cage: /usr/ports/shells/scponly/work/scponly-3.8/setup_chroot.sh

Before running this script, choose a new name for the user account you wish to restrict. The script will abort if you use an existing user account.

Here I'll create a chroot for an account named backup:

# cd work/scponly-3.8/
# chmod +x setup_chroot.sh
# ./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, an "incoming" subdirectory will be created that
the scponly user can write into.

if you want the scponly user to automatically change to this
incoming subdirectory upon login, you can specify this when you
specify the user's home directory as follows:

set the home dir to /chroot_path//incoming

when scponly chroots, it will only chroot to chroot_path and
afterwards, it will chdir to incoming.

enter the home directory you wish to set for this user:  /usr/home/rembackup/
Install for what username? backup
ls: /lib/libnss_compat*: No such file or directory
creating  /usr/home/rembackup/incoming directory for uploading files

6.11.2 Testing the chroot

The script will have created the following directory structure for you:

# ls -l /usr/home/rembackup
total 10
drwxr-xr-x  2 root   wheel  512 Jan 22 12:37 bin/
drwxr-xr-x  2 root   wheel  512 Jan 22 12:38 etc/
drwxr-xr-x  2 backup wheel  512 Jan 22 12:38 incoming/
drwxr-xr-x  2 root   wheel  512 Jan 22 12:37 lib/
drwxr-xr-x  7 root   wheel  512 Jan 22 12:37 usr/

# ls -l /usr/home/rembackup/bin/
total 1868
-rwxr-xr-x  1 root  wheel   88808 Jan 22 12:37 chmod*
-rwxr-xr-x  1 root  wheel   14496 Jan 22 12:37 echo*
-rwxr-xr-x  1 root  wheel   72240 Jan 22 12:37 ln*
-rwxr-xr-x  1 root  wheel  567772 Jan 22 12:37 ls*
-rwxr-xr-x  1 root  wheel   73044 Jan 22 12:37 mkdir*
-rwxr-xr-x  1 root  wheel  437684 Jan 22 12:37 mv*
-rwxr-xr-x  1 root  wheel   80156 Jan 22 12:37 pwd*
-rwxr-xr-x  1 root  wheel  439812 Jan 22 12:37 rm*
-rwxr-xr-x  1 root  wheel   69060 Jan 22 12:37 rmdir*

# ls -l /usr/home/rembackup/usr/bin/
total 48
-rwxr-xr-x  1 root  wheel   7016 Jan 22 12:37 chgrp*
-rwxr-xr-x  1 root  wheel   7688 Jan 22 12:37 groups*
-rwxr-xr-x  1 root  wheel   7688 Jan 22 12:37 id*
-rwxr-xr-x  1 root  wheel  22616 Jan 22 12:37 scp*

# ls -l /usr/home/rembackup/usr/sbin/
total 8
-rwxr-xr-x  1 root  wheel  7016 Jan 22 12:37 chown*

There you have it; these are the only commands that account can use during an SSH session.

You can also verify that the specified user account was created for you. I'll check for that backup account:

# grep backup /etc/master.passwd
backup:*:1015:1015::0:0:User \  &:/usr/home/rembackup//incoming:/usr/local/sbin/scponlyc

Notice that the account is restricted to the scponlyc shell. The trailing c indicates that this is a chroot.
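The two listings above are exactly what you want to re-check after every upgrade of the port. As an added example (not from the book or the scponly project), this sh script audits them: it reads ls -l output and the master.passwd line, and flags anything the jailed user owns besides incoming/, any group- or world-writable entry, and a login shell other than scponlyc. The function names and sample data are constructed for this example.

```shell
#!/bin/sh
# Audit an scponly chroot from "ls -l" output and a master.passwd line.
# The jailed user must own nothing except incoming/ (so it cannot plant an
# .ssh directory in its home), nothing may be group/world writable, and the
# login shell must be scponlyc. Example code; names and data are constructed.

# Usage: ls -l /usr/home/rembackup | audit_jail_listing backup
# Prints one FAIL line per problem; exit status 1 if anything failed.
audit_jail_listing() {
    awk -v user="$1" '
        NF < 9 { next }                    # skip the "total N" line
        {
            mode = $1; owner = $3; name = $NF
            sub("[*/@=]$", "", name)       # strip ls -F style suffix
            if (owner == user && name != "incoming") {
                print "FAIL: " name " is owned by jailed user " user; bad = 1 }
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") {
                print "FAIL: " name " is group/world writable (" mode ")"; bad = 1 }
            if (name == "incoming" && owner != user) {
                print "FAIL: incoming/ is owned by " owner ", not " user; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Usage: grep '^backup:' /etc/master.passwd | audit_passwd_entry backup /usr/home/rembackup
# Home is the second-to-last field and the shell the last one, in both
# passwd(5) and master.passwd(5) layouts.
audit_passwd_entry() {
    awk -F: -v user="$1" -v jail="$2" '
        $1 != user { next }
        {
            found = 1; home = $(NF - 1); shell = $NF
            if (shell !~ "/scponlyc$") {
                print "FAIL: shell is " shell ", not the chrooting scponlyc"; bad = 1 }
            if (index(home, jail) != 1) {
                print "FAIL: home " home " is not under " jail; bad = 1 }
        }
        END { if (!found) { print "FAIL: no passwd entry for " user; bad = 1 }
              exit bad + 0 }'
}

# Constructed sample input mirroring what setup_chroot.sh produces.
SAMPLE_LISTING='total 10
drwxr-xr-x  2 root   wheel  512 Jan 22 12:37 bin/
drwxr-xr-x  2 root   wheel  512 Jan 22 12:38 etc/
drwxr-xr-x  2 backup wheel  512 Jan 22 12:38 incoming/
drwxr-xr-x  2 root   wheel  512 Jan 22 12:37 lib/
drwxr-xr-x  7 root   wheel  512 Jan 22 12:37 usr/'
SAMPLE_PASSWD='backup:*:1015:1015::0:0:Backup user:/usr/home/rembackup//incoming:/usr/local/sbin/scponlyc'
```

Run it as root on the real jail with `ls -l /usr/home/rembackup | audit_jail_listing backup`; a clean run prints nothing and exits 0.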

6.11.3 Now What?

Now that you have a restricted account, test it with one of your SSH scripts. Don't forget to set up your authentication method. Either set a password on the account or configure key-based authentication.

You can use this hack in conjunction with [Hack #38] and [Hack #39].

6.11.4 See Also

  • man scponly

  • The scponly home page (http://www.sublimation.org/scponly/)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne