
SSH uses pam chroot to restrict login users

2025-02-04 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many people have written articles about using pam_chroot to restrict what remotely logged-in ssh users can access, but several of them contain mistakes that stop the setup from working. After investigating, the author writes up a working method for using the pam_chroot module with ssh.

The PAM mechanism of the Linux system is not introduced here; only the implementation steps are given:

1. Make sure that the currently installed openssh supports PAM, i.e. it was compiled with --with-pam. If it was not compiled with --with-pam and you want to enable PAM later by editing the configuration file sshd_config and changing "UsePAM no" to "UsePAM yes", restarting sshd with that option enabled gives the error "Unsupported option UsePAM". If you do compile with --with-pam, you also need the pam-devel library installed, otherwise ./configure will not find pam.h.

2. Create the user push and set a password. The password must be set, otherwise the user cannot log in.

3. Create the /tmp/test directory as the virtual root of the user push.

4. Copy /bin and /lib64 into /tmp/test (copy the /lib directory instead if the system is not 64-bit):

cp -a /bin /tmp/test/
cp -a /lib64 /tmp/test/

5. Copy the following script into /home/test, make it executable, and run it.

#!/bin/sh
CHROOT_DIR="/home/test"
cd "$CHROOT_DIR" || exit 1                            # the copy commands below use paths relative to the chroot root
mkdir -p "$CHROOT_DIR/dev" "$CHROOT_DIR/proc" "$CHROOT_DIR/dev/pts"
mount proc "$CHROOT_DIR/proc" -t proc                 # the proc file system must be created; after logging in, the user sees many files and subdirectories in this directory
mount devpts "$CHROOT_DIR/dev/pts" -t devpts          # the devpts file system provides the interface for accessing terminals
mknod "$CHROOT_DIR/dev/ptmx" c 5 2                    # required: the pseudo-terminal master device; without it users cannot log in
chmod 666 "$CHROOT_DIR/dev/ptmx"                      # the ptmx node inside the chroot must be openable by the logged-in user
mkdir -p "$CHROOT_DIR/home" "$CHROOT_DIR/home/push"   # essential: the user's home directory
chmod ugo+rw "$CHROOT_DIR/home/push"
mkdir -p lib64
cp -a /lib64/* lib64/                                 # essential: provides the libraries bash needs to run, plus those needed by the other programs
# if the following binaries are missing, login is not affected, but the logged-in user cannot run these commands
mkdir -p bin
cp -a /bin/rmdir bin/
cp -a /bin/rm bin/
cp -a /bin/bash bin/
cp -a /bin/mkdir bin/
cp -a /bin/pwd bin/
cp -a /bin/ls bin/
# required: after login the user information is looked up in this file; without it, sshd debugging shows
# login_init_entry: Cannot find user "push", which means the user cannot be found
mkdir -p etc
cp -a /etc/passwd etc/

6. Add "UsePAM yes" to the openssh configuration file sshd_config.

7. Open the file /etc/pam.d/sshd and change its contents to the following:

auth required pam_unix.so
account required pam_unix.so
session required pam_chroot.so

8. Open the file /etc/security/chroot.conf and add the line "push /home/test".

9. Restart sshd.

Log in with a remote login tool to verify the setup.
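The following script is an added example and is not part of the original article: it carries out the jail setup from steps 3 to 5 and 8 in one place and then audits the result from the administrator's side. The user name push and the directory /home/test are taken from the article; note that steps 3 and 4 above say /tmp/test while step 5 and chroot.conf say /home/test, and the directory you populate must be the one named in chroot.conf, so CHROOT_DIR is kept in one variable here. The function names, the use of ldd to copy only the libraries each program needs (the article copies all of /lib64), and the one-user passwd file are this example's own choices, not the article's.

```shell
#!/bin/bash
# Added example, not from the original article: build a chroot jail for one
# SSH user with only the files that user needs, then audit it.
# Assumptions (this example's own): the user "push" and directory /home/test
# from the article, the helper names below, and ldd for library discovery.
set -u

CHROOT_USER="${CHROOT_USER:-push}"
CHROOT_DIR="${CHROOT_DIR:-/home/test}"   # must match the path in /etc/security/chroot.conf

# Directory skeleton; mkdir -p makes the script safe to re-run.
make_skeleton() {
    local dir="$1" user="$2"
    mkdir -p "$dir/bin" "$dir/lib64" "$dir/etc" "$dir/dev/pts" "$dir/proc" "$dir/home/$user"
    chmod 755 "$dir"                                      # the jail root must not be writable by the jailed user
    chown "$user" "$dir/home/$user" 2>/dev/null || true   # the user may not exist on a test machine
}

# Copy one program plus the shared libraries ldd reports for it, at the same
# paths inside the jail. Copying only what ldd lists, rather than all of /lib64
# as the article does, keeps the jail small. setuid/setgid programs are refused:
# a privileged binary inside the jail undoes the point of the chroot.
copy_with_libs() {
    local dir="$1" bin="$2" lib
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "refusing to copy setuid/setgid $bin into the jail" >&2
        return 1
    fi
    mkdir -p "$dir$(dirname "$bin")"
    cp -Lp "$bin" "$dir$bin"
    command -v ldd >/dev/null || { echo "ldd not found, libraries for $bin not copied" >&2; return 0; }
    # "libc.so.6 => /lib64/libc.so.6 (...)" lines give $3; the loader line "/lib64/ld-linux... (...)" gives $1
    for lib in $(ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do
        mkdir -p "$dir$(dirname "$lib")"
        cp -Lp "$lib" "$dir$lib"
    done
}

# /etc/passwd inside the jail holding only the jailed user's entry. sshd looks the
# user up there after the chroot (the login_init_entry error in the article); the
# article copies the whole file, which also shows the jailed user every other
# account name on the host. A third argument lets a constructed file stand in for /etc/passwd.
write_passwd() {
    local dir="$1" user="$2" src="${3:-/etc/passwd}"
    awk -F: -v u="$user" '$1 == u' "$src" > "$dir/etc/passwd"
    chmod 644 "$dir/etc/passwd"
}

# proc, devpts and the ptmx master node from the article's script; root only, skipped otherwise.
setup_devices() {
    local dir="$1"
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping mounts and ptmx" >&2; return 0; }
    mountpoint -q "$dir/proc" || mount -t proc proc "$dir/proc"
    mountpoint -q "$dir/dev/pts" || mount -t devpts devpts "$dir/dev/pts"
    [ -c "$dir/dev/ptmx" ] || mknod "$dir/dev/ptmx" c 5 2
    chmod 666 "$dir/dev/ptmx"
}

# Administrator-side check of a finished jail. Prints each finding and returns
# the number of findings, so 0 means clean.
audit_chroot() {
    local dir="$1" user="$2" findings=0 names
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "jail root $dir is world-writable"; findings=$((findings + 1))
    fi
    if [ -n "$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \))" ]; then
        echo "setuid/setgid file inside $dir"; findings=$((findings + 1))
    fi
    names=$(cut -d: -f1 "$dir/etc/passwd" 2>/dev/null | tr '\n' ' ')
    if [ "$names" != "$user " ]; then
        echo "jail passwd should list only $user, has: ${names:-nothing}"; findings=$((findings + 1))
    fi
    return "$findings"
}

# The programs the article copies into bin, plus the bookkeeping around them.
build_jail() {
    local dir="$1" user="$2" bin
    make_skeleton "$dir" "$user"
    for bin in /bin/bash /bin/ls /bin/pwd /bin/mkdir /bin/rmdir /bin/rm; do
        copy_with_libs "$dir" "$bin"
    done
    write_passwd "$dir" "$user"
    setup_devices "$dir"
    audit_chroot "$dir" "$user"
}

# Run as root with the argument "build" to create the jail; without it only the functions are defined.
if [ "${1:-}" = "build" ]; then build_jail "$CHROOT_DIR" "$CHROOT_USER"; fi
```

Run it as root with "build" after steps 1, 2, 6 and 7, then add the chroot.conf line from step 8 and restart sshd. The audit at the end is worth re-running whenever the jail is changed: a world-writable jail root or a setuid file inside the jail are exactly the conditions that let a jailed user escape, and they are easy to introduce by accident when copying directories with cp -a.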
