为了不给各种仅使用ssh tunnel的人访问vps的信息,把SSH的chroot jail配好了。
准备工作
假定Chroot根目录为 /var/jail, 定义为
|
1 |
# JAILROOT=/var/jail |
添加用户组
|
1 |
# groupadd sshusers |
配置sshd_config
修改 /etc/ssh/sshd_config 添加下列配置
|
1 2 3 4 5 6 7 |
Match group sshusers ChrootDirectory /var/jail/ X11Forwarding yes AllowTcpForwarding yes GatewayPorts yes PermitOpen any PermitTunnel yes |
创建Jail
其实不创建也行,客户端ssh时开-N就好
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
/var/jail /var/jail/etc /var/jail/etc/nsswitch.conf /var/jail/etc/hosts /var/jail/etc/ld.so.cache /var/jail/etc/resolv.conf /var/jail/etc/ld.so.conf /var/jail/lib /var/jail/lib/x86_64-linux-gnu /var/jail/lib/x86_64-linux-gnu/libnss_dns.so.2 /var/jail/lib/x86_64-linux-gnu/libnss_hesiod.so.2 /var/jail/lib/x86_64-linux-gnu/libselinux.so.1 /var/jail/lib/x86_64-linux-gnu/libpthread.so.0 /var/jail/lib/x86_64-linux-gnu/libdl.so.2 /var/jail/lib/x86_64-linux-gnu/libattr.so.1 /var/jail/lib/x86_64-linux-gnu/libnss_files-2.19.so /var/jail/lib/x86_64-linux-gnu/liblzma.so.5 /var/jail/lib/x86_64-linux-gnu/libnss_compat-2.19.so /var/jail/lib/x86_64-linux-gnu/libc.so.6 /var/jail/lib/x86_64-linux-gnu/libpcre.so.3 /var/jail/lib/x86_64-linux-gnu/libnss_nisplus-2.19.so /var/jail/lib/x86_64-linux-gnu/libnss_compat.so.2 /var/jail/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /var/jail/lib/x86_64-linux-gnu/libgcc_s.so.1 /var/jail/lib/x86_64-linux-gnu/libz.so.1 /var/jail/lib/x86_64-linux-gnu/libtinfo.so.5 /var/jail/lib/x86_64-linux-gnu/libresolv.so.2 /var/jail/lib/x86_64-linux-gnu/libnss_dns-2.19.so /var/jail/lib/x86_64-linux-gnu/libnss_nis.so.2 /var/jail/lib/x86_64-linux-gnu/libcom_err.so.2 /var/jail/lib/x86_64-linux-gnu/libkeyutils.so.1 /var/jail/lib/x86_64-linux-gnu/libnss_nis-2.19.so /var/jail/lib/x86_64-linux-gnu/libacl.so.1 /var/jail/lib/x86_64-linux-gnu/libnss_nisplus.so.2 /var/jail/lib/x86_64-linux-gnu/libm.so.6 /var/jail/lib/x86_64-linux-gnu/libnss_hesiod-2.19.so /var/jail/lib/x86_64-linux-gnu/libnss_files.so.2 /var/jail/usr /var/jail/usr/lib /var/jail/usr/lib/libbind9.so.90 /var/jail/usr/lib/x86_64-linux-gnu /var/jail/usr/lib/x86_64-linux-gnu/libkrb5support.so.0 /var/jail/usr/lib/x86_64-linux-gnu/libk5crypto.so.3 /var/jail/usr/lib/x86_64-linux-gnu/libGeoIP.so.1 /var/jail/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /var/jail/usr/lib/x86_64-linux-gnu/libkrb5.so.3 /var/jail/usr/lib/x86_64-linux-gnu/libstdc++.so.6 /var/jail/usr/lib/x86_64-linux-gnu/libxml2.so.2 /var/jail/usr/lib/liblwres.so.90 /var/jail/usr/lib/libisccfg.so.90 /var/jail/usr/lib/libdns.so.100 /var/jail/usr/lib/libisc.so.95 /var/jail/usr/bin /var/jail/usr/bin/dig /var/jail/usr/bin/telnet /var/jail/dev /var/jail/dev/null /var/jail/home /var/jail/home/sskaje /var/jail/lib64 /var/jail/lib64/ld-linux-x86-64.so.2 /var/jail/bin /var/jail/bin/bash /var/jail/bin/ls /var/jail/bin/cat |
添加用户
|
1 2 3 4 |
# USERNAME=sskaje # usermod -G sshusers -a $USERNAME # mkdir $JAILROOT/home/$USERNAME # chown $USERNAME: $JAILROOT/home/$USERNAME |
SSH Chroot jails by @sskaje: https://sskaje.me/2015/05/ssh-chroot-jails/
Link to this post!