How to restrict SSH users from accessing directories specified in Linux

2025-04-07 Update From: SLTechnology News&Howtos (shulou), Servers section


Shulou(Shulou.com)06/01 Report--

This article mainly introduces how to restrict SSH users to specified directories in Linux. In daily operations many people have questions about this, so the editor consulted various materials and put together a simple, easy-to-follow procedure. I hope it helps answer the question of how to restrict SSH users to specified directories in Linux. Please follow along with the editor!

There are several reasons to restrict SSH user sessions to specific directories, especially on web servers, but the most obvious one is system security. To lock SSH users into a directory, we can use the chroot mechanism.

A chroot (change root) on Unix-like systems such as Linux is a way to isolate a particular user's activity from the rest of the system: it changes the apparent root directory of the currently running user process and its children to a new root directory, known as the chroot jail.

In this tutorial, we will show you how to restrict SSH users from accessing directories specified in Linux. Note that we will run all commands as root. If you log in to the server as a normal user, use the sudo command.

Step 1: create the SSH chroot jail

1. Use the mkdir command to create the chroot jail directory:

# mkdir -p /home/test

2. Next, consult the sshd_config manual: the ChrootDirectory option specifies the pathname of the directory to chroot into after authentication. The directory must contain the files and directories necessary to support the user session.

For an interactive session this requires at least a shell, usually sh, and basic /dev nodes such as null, zero, stdin, stdout, stderr and tty devices:

# ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

List the required files

3. Now use the mknod command to create the device files under /dev. In the commands below, the -m flag sets the file permissions, c means a character device, and the two numbers are the major and minor device numbers respectively:

# mkdir -p /home/test/dev/
# cd /home/test/dev/
# mknod -m 666 null c 1 3
# mknod -m 666 tty c 5 0
# mknod -m 666 zero c 1 5
# mknod -m 666 random c 1 8

Create / dev and required files

4. After that, set the appropriate permissions on the chroot jail. Note that the chroot jail, its subdirectories and its files must be owned by root and must not be writable by any ordinary user or group:

# chown root:root /home/test
# chmod 0755 /home/test
# ls -ld /home/test

Set directory permissions

Step 2: set up an interactive shell for the SSH chroot jail

5. First, create the bin directory and copy /bin/bash into it:

# mkdir -p /home/test/bin
# cp -v /bin/bash /home/test/bin/

Copy files to the bin directory

6. Now identify the shared libraries required by bash and copy them into lib64 as follows:

# ldd /bin/bash
# mkdir -p /home/test/lib64
# cp -v /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/test/lib64/

Copy shared library files

Step 3: create and configure SSH users

7. Now use the useradd command to create the SSH user and set a secure password:

# useradd tecmint
# passwd tecmint

8. Create the chroot jail's general configuration directory /home/test/etc and copy the updated account files (/etc/passwd and /etc/group) into it:

# mkdir /home/test/etc
# cp -vf /etc/{passwd,group} /home/test/etc/

Copy password file

Note: each time you add more SSH users to the system, you need to copy the updated account files into /home/test/etc again.

Step 4: configure SSH to use the chroot jail

9. Now open the sshd_config file:

# vi /etc/ssh/sshd_config

Add or modify the following lines in this file:

# define which user uses the chroot jail
Match User tecmint
# specify the chroot jail
    ChrootDirectory /home/test

Configure the SSH chroot jail

Save the file and exit, then restart the sshd service:

# systemctl restart sshd
or
# service sshd restart

Step 5: test the chroot jail over SSH

10. Now test whether the chroot jail setup works as expected:

# ssh tecmint@192.168.0.10
-bash-4.1$ ls
-bash-4.1$ date
-bash-4.1$ uname

Test the SSH user's chroot jail

As the session above shows, the SSH user is locked in the chroot jail and cannot use any external commands (ls, date, uname, etc.).

The user can only execute bash and its built-in commands (such as pwd, history, echo, etc.):

# ssh tecmint@192.168.0.10
-bash-4.1$ pwd
-bash-4.1$ echo "Tecmint-Fastest Growing Linux Site"
-bash-4.1$ history

SSH built-in command

Step 6: create the user's home directory and add Linux commands

11. From the previous steps we can see that the user is locked in the jail's root directory. Now we create a home directory for the SSH user (and do the same for any future users):

# mkdir -p /home/test/home/tecmint
# chown -R tecmint:tecmint /home/test/home/tecmint
# chmod -R 0700 /home/test/home/tecmint

Create an SSH user home directory

12. Next, install several user commands, such as ls, date and mkdir, into the bin directory:

# cp -v /bin/ls /home/test/bin/
# cp -v /bin/date /home/test/bin/
# cp -v /bin/mkdir /home/test/bin/

Add commands for the SSH user

13. Next, check the shared libraries of the commands above and copy them into the jail's library directory:

# ldd /bin/ls
# cp -v /lib64/{libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} /home/test/lib64/

Copy a shared library
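Copying libraries by hand (steps 6 and 13) is error-prone, and sshd refuses a ChrootDirectory whose path components are not root-owned and non-writable by others. The helpers below are an added example, not part of the original article: ldd_libs parses ldd(1) output, stage_binary copies a binary plus its libraries into the jail keeping the original layout, and check_jail_dir verifies the ownership and permission rule. The jail path /home/test is the article's; the function names and the sample ldd text are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): helpers for building the chroot jail.

# Parse ldd(1) output on stdin and print one absolute library path per line.
# Lines look like "libc.so.6 => /lib64/libc.so.6 (0x...)" or the bare loader
# line "/lib64/ld-linux-x86-64.so.2 (0x...)". The vDSO entry
# ("linux-vdso.so.1 (0x...)") has no file on disk and is skipped, as is
# any "=> not found" entry.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# stage_binary JAIL /path/to/binary
# Copies the binary and every shared library it needs into JAIL, recreating
# the original directory layout so the loader finds them at the same paths.
stage_binary() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | ldd_libs | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# check_jail_dir DIR [OWNER]
# Returns 0 if DIR is owned by OWNER (default root) and is not writable by
# group or others, 1 otherwise. sshd applies this rule to the jail and to
# every directory on the path to it, so run it on each component.
check_jail_dir() {
    dir=$1; owner=${2:-root}
    [ -n "$(find "$dir" -prune -user "$owner")" ] || return 1
    # ls -ld prints e.g. "drwxr-xr-x"; column 6 is group write, 9 is other write
    case "$(ls -ld "$dir" | cut -c6,9)" in
        *w*) return 1 ;;
    esac
    return 0
}

# Typical use on the server (as root), before restarting sshd:
#   for b in /bin/bash /bin/ls /bin/date /bin/mkdir; do stage_binary /home/test "$b"; done
#   check_jail_dir /home && check_jail_dir /home/test && echo "jail permissions OK"
```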

Step 7: test sftp with the chroot jail

14. Finally, test with sftp and check whether the commands you installed earlier are available.

Add the following line to /etc/ssh/sshd_config (inside the Match User tecmint block, so that it applies only to that user):

# enable sftp in the chroot jail
    ForceCommand internal-sftp

Save and exit the file, then restart the sshd service:

# systemctl restart sshd
or
# service sshd restart

15. Now test with ssh; you will get the following error:

# ssh tecmint@192.168.0.10

Test the SSH chroot jail

Now try sftp instead:

# sftp tecmint@192.168.0.10

Test the SFTP SSH user

At this point, the study of "how to restrict SSH users from accessing directories specified in Linux" is complete. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to learn more, please continue to follow the website; the editor will keep working to bring you more practical articles.
