

Implement chroot to restrict ssh and sftp to a specified directory in centos7

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Background: create two virtual machines in vcenter6.5, as shown in the following figure

Objective: create a user whose ssh and sftp sessions are both confined by chroot to a specified directory, which improves system security.

We will configure this on pool-test (ip: 172.16.6.11) and test it from vsan-test1 (ip: 172.16.6.10).

Next, start configuring ssh in pool-test.

First, create the directory that will serve as the chroot root:

mkdir /home/share_conext

List the device files that the chroot directory must contain for a user session to work:

ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

Use the mknod command to create the device files under the jail's dev directory. The -m flag sets the permission mode of the new file, c means a character device, and the two numbers are the major and minor device numbers.

mkdir -p /home/share_conext/dev/
cd /home/share_conext/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8
ls

Set appropriate permissions on the chroot jail. Note that the chroot jail and its subdirectories and files must be owned by root and must not be writable by ordinary users or groups:

chown root:root /home/share_conext/
chmod 755 /home/share_conext/

Set up an interactive shell for SSH by copying bash into the jail:

mkdir -p /home/share_conext/bin
cp -v /bin/bash /home/share_conext/bin/

Create the lib64 directory and use ldd to find the shared libraries that bash needs:

mkdir -p /home/share_conext/lib64
ldd /bin/bash

Copy the shared libraries identified by ldd into the jail's lib64 directory:

cp -v /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 /home/share_conext/lib64

Create the sshuser account and set a secure password:

useradd sshuser
passwd sshuser

Copy the passwd and group files into the jail so that user and group names can be resolved inside it:

mkdir /home/share_conext/etc
cp -vf /etc/{group,passwd} /home/share_conext/etc/

Note: if you add more users later, you need to repeat the previous step so that the copied passwd and group files stay current.
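The jail-building steps above (device nodes, bash and its libraries, ownership, passwd/group) can be carried out by a single script. The following is an added example and not code from the original article; it assumes the same jail path /home/share_conext, that it is run as root on CentOS 7, and it generalizes the manual copy of four libraries by parsing ldd output for whatever binary you install.

```shell
#!/bin/sh
# Added example (not from the original article): build the chroot jail described
# above in one script. JAIL and the binary list are assumptions you can change;
# the device major/minor numbers are the ones the article uses.
set -eu

JAIL="${JAIL:-/home/share_conext}"   # chroot directory from the article

# Print the shared-library paths found in ldd-style output read from stdin.
# "name => /path (addr)" yields /path; the loader line "/lib64/ld-linux-x86-64.so.2 (addr)"
# yields its first field; "linux-vdso.so.1 => (addr)" carries no path and is skipped.
lib_deps() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $2 != "=>" && $1 ~ /^\// { print $1 }'
}

# Create the device nodes a login session needs (idempotent: skips existing nodes).
make_dev_nodes() {
    mkdir -p "$JAIL/dev"
    [ -e "$JAIL/dev/null" ]   || mknod -m 666 "$JAIL/dev/null"   c 1 3
    [ -e "$JAIL/dev/tty" ]    || mknod -m 666 "$JAIL/dev/tty"    c 5 0
    [ -e "$JAIL/dev/zero" ]   || mknod -m 666 "$JAIL/dev/zero"   c 1 5
    [ -e "$JAIL/dev/random" ] || mknod -m 666 "$JAIL/dev/random" c 1 8
}

# Copy a binary plus every library ldd reports for it, keeping the /lib64 layout.
install_binary() {
    bin=$1
    mkdir -p "$JAIL/bin"
    cp -v "$bin" "$JAIL/bin/"
    ldd "$bin" | lib_deps | while read -r lib; do
        mkdir -p "$JAIL$(dirname "$lib")"
        cp -v "$lib" "$JAIL$lib"
    done
}

# sshd refuses a ChrootDirectory that is not root-owned or is writable by others.
lock_down_jail() {
    chown root:root "$JAIL"
    chmod 755 "$JAIL"
}

# Copy passwd/group so names resolve inside the jail (rerun after adding users).
copy_name_db() {
    mkdir -p "$JAIL/etc"
    cp -vf /etc/passwd /etc/group "$JAIL/etc/"
}

build_jail() {
    mkdir -p "$JAIL"
    lock_down_jail
    make_dev_nodes
    install_binary /bin/bash
    copy_name_db
}

# Only build when asked explicitly, so the functions can be sourced without root.
if [ "${1:-}" = "build" ]; then
    build_jail
fi
```

Run it as root with `sh build_jail.sh build`; to add another interactive program to the jail, call install_binary with its path and the same ldd parsing copies its dependencies.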

Configure ssh to use chroot

vi /etc/ssh/sshd_config

Add a Match block for sshuser at the end of the file and specify the chroot directory:

Match User sshuser
    ChrootDirectory /home/share_conext/

Then save and exit.

Restart sshd.service:

systemctl restart sshd.service

Testing from vsan-test1:

ssh sshuser@172.16.6.11

You can see that the current directory is now the "root directory" (/), i.e. the jail.

Next, start configuring sftp in pool-test:

vi /etc/ssh/sshd_config

Make the following changes. The Subsystem line belongs in the global section before any Match block, and the Match blocks stay at the end of the file:

# find the following line and comment it out
#Subsystem sftp /usr/libexec/openssh/sftp-server

# add the following line: use the system's built-in internal-sftp instead of the external sftp-server
Subsystem sftp internal-sftp

# add the following block: match the group created by default together with the user,
# and force every session for that group to run the sftp command
Match Group sshuser
    ForceCommand internal-sftp

Then restart the sshd service:

systemctl restart sshd.service

After the restart, the user sshuser can log in normally through the sftp client.

But because /home/share_conext is owned by root, sshuser has no write permission there. Do the following:

Create an upload directory under /home/share_conext and adjust its ownership and permissions:

mkdir /home/share_conext/write/
chown sshuser:sshuser /home/share_conext/write
chmod 777 /home/share_conext/write
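sshd only accepts a ChrootDirectory when the jail directory and every directory above it are owned by root and not writable by group or others, which is why the article sets root:root and 755 on /home/share_conext. The following added check is not part of the original article: it walks every component of the path (/, /home, /home/share_conext) and reports which one breaks the rule, going one step further than the article by checking the parent directories too. It assumes GNU stat as shipped with CentOS 7 and the article's jail path.

```shell
#!/bin/sh
# Added example (not from the original article): audit the ownership and mode
# requirements sshd places on ChrootDirectory and its parent directories.
set -eu

# Pure check on an owner name and an ls-style mode string such as "drwxr-xr-x".
# Returns 0 when sshd would accept the directory, 1 otherwise.
perm_ok() {
    owner=$1
    mode=$2
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        ?????w*)    return 1 ;;   # group write bit (6th character) is set
        ????????w*) return 1 ;;   # other write bit (9th character) is set
    esac
    return 0
}

# Check one directory on disk and print a diagnostic line.
check_component() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'FAIL %s: not a directory\n' "$dir"
        return 1
    fi
    set -- $(stat -c '%U %A' "$dir")   # GNU stat: owner name and symbolic mode
    if perm_ok "$1" "$2"; then
        printf 'ok   %s (%s %s)\n' "$dir" "$1" "$2"
    else
        printf 'FAIL %s (%s %s): must be root-owned and not group/other writable\n' "$dir" "$1" "$2"
        return 1
    fi
}

# Walk every prefix of the jail path, e.g. / /home /home/share_conext.
check_chroot_path() {
    jail=$1
    rc=0
    cur=""
    check_component / || rc=1
    old_ifs=$IFS
    IFS=/
    for part in $jail; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        check_component "$cur" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh check_chroot.sh /home/share_conext
if [ "${1:-}" != "" ]; then
    check_chroot_path "$1"
fi
```

The write directory created above sits inside the jail, not on the path to it, so sshd does not inspect it. Because sshuser owns that directory, chmod 755 is already enough for uploads; 777 additionally lets every other local account write into it.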

At this point, you can log in using sftp and upload or download files.

Verify in vsan-test1

sftp sshuser@172.16.6.11

Verify the download function

Generate two files under /home/share_conext/write/ in pool-test:

vi /home/share_conext/write/helloworld.py
vi /home/share_conext/write/hehe.txt
ls /home/share_conext/write/

Switch to vsan-test1 and download one of them over sftp:

get write/helloworld.py /home/   # /home/ is the local directory where the file is stored

View the downloaded file in /home/.

Verify the upload function

Create a startd.py in the /home/ directory used just now.

Reconnect and upload it:

sftp sshuser@172.16.6.11
put /home/startd.py /write/   # because the root directory is now share_conext/, the target can be written directly as /write/

Switch to the pool-test virtual machine to view the file you just uploaded

So far all the configuration has been completed!

Note: parts of this article reference the following links: http://blog.csdn.net/akeyile2010/article/details/50751834, http://blog.sina.com.cn/s/blog_67e34ceb01013m3v.html, http://jingyan.baidu.com/article/fa4125acf068c328ac7092d8.html
