What is scponly
scponly : Restricted shell for ssh based file services
Where can I use it
Say I want to let someone ssh in, but only to fetch files. With scponly I can restrict that user to fetching files only, so they cannot log in and operate on the host.
Environment: server
CentOS release 5.7 (Final)
2.6.18-274.el5 #1 SMP Fri Jul 22 04:49:12 EDT 2011 i686 i686 i386 GNU/Linux
How to install
yum install scponly
# If the package is not available, try the atomic or rpmforge repositories
How to use it
Add a user and set its shell to scponly
useradd -d /home/scp -s /usr/bin/scponly scp
Turn on scponly's debug mode
echo 7 > /etc/scponly/debuglevel
From a client, try to log in with ssh; it is refused
[root@client ~]# ssh scp@server
scp@server's password:
Last login: Thu Jan 19 13:39:04 2012 from client
scponly[8695]: 1 arguments in total.
scponly[8695]: arg 0 is -scponly
scponly[8695]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[8695]: determined USER is "scp" from environment
scponly[8695]: retrieved home directory of "/home/scp" for user "scp"
scponly[8695]: setting uid to 10004
scponly[8695]: entering WinSCP compatibility mode [username: scp(10004), IP/port: client 39168 22]
WinSCP: this is end-of-file:0
WinSCP: this is end-of-file:0
# It does not exit by itself here; if you keep pressing Enter you only get WinSCP: this is end-of-file:0 over and over, so I take this as meaning an interactive ssh login is not possible
If I use scp only
[root@client ~]# scp scp@server:/etc/passwd ./
scp@server's password:
scponly[8842]: 3 arguments in total.
scponly[8842]: arg 0 is scponly
scponly[8842]: arg 1 is -c
scponly[8842]: arg 2 is scp -f /etc/passwd
scponly[8842]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[8842]: determined USER is "scp" from environment
scponly[8842]: retrieved home directory of "/home/scp" for user "scp"
scponly[8842]: setting uid to 10004
scponly[8842]: processing request: "scp -f /etc/passwd"
scponly[8842]: Using getopt processing for cmd /usr/bin/scp
(username: scp(10004), IP/port: client 39169 22)
scponly[8842]: getopt processing returned 'f' (username: scp(10004), IP/port: client 39169 22)
scponly[8842]: running: /usr/bin/scp -f /etc/passwd (username: scp(10004), IP/port: client 39169 22)
scponly[8842]: about to exec "/usr/bin/scp" (username: scp(10004), IP/port: client 39169 22)
passwd
# passwd was copied over successfully
Details of the passwd file
-rw-r--r-- 1 root root 2642 1月 19 13:43 passwd
scponly also provides a chroot feature
Just change the shell from scponly to scponlyc (note that the path is different too)
usermod -s /usr/sbin/scponlyc scp
If I scp again
[root@client ~]# scp scp@server:/etc/passwd ./
scp@server's password:
scponly[10458]: chrooted binary in place, will chroot()
scponly[10458]: 3 arguments in total.
scponly[10458]: arg 0 is scponlyc
scponly[10458]: arg 1 is -c
scponly[10458]: arg 2 is scp -f /etc/passwd
scponly[10458]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[10458]: determined USER is "scp" from environment
scponly[10458]: retrieved home directory of "/home/scp" for user "scp"
scponly[10458]: chroot dir not owned by root: /home/scp
# It tells you that user scp cannot copy files outside /home/scp (scponlyc also requires the chroot directory itself to be owned by root, as the last log line says)
ps: when you no longer need debug mode, just empty /etc/scponly/debuglevel
——
Addendum: I ran into chroot problems. I could not scp to the server nor to the client. The chroot was probably missing things, namely the directories and files it is supposed to contain (bin, etc, dev and so on)
I downloaded the tarball and built it from source
./configure --enable-winscp-compat --enable-sftp-logging-compat --enable-scp-compat --enable-rsync-compat --enable-chrooted-binary --enable-passwd-compat --enable-quota-compat --with-sftp-server --disable-wildcards --disable-gftp-compat
make
make install
Then add scponlyc to shells
echo '/usr/local/sbin/scponlyc' >> /etc/shells
Use the tool in the tarball to create the user
make jail
# The default account is scponly; you can change it
# You will be asked to define a writable directory (incoming); it is placed at /home/scponly/incoming (owned by scponly)
# Then enter the password
The user is created
# finger scponly
Login: scponly Name: (null)
Directory: /home/scponly Shell: /usr/local/sbin/scponlyc
Last login 四 1月 19 15:28 (CST) on pts/2 from 10.10.10.135
No mail.
No Plan.
The directory looks like this
# ll /home/scponly/
總計 24
drwxr-xr-x 2 root root 4096 1月 19 15:31 bin
drwxr-xr-x 2 root root 4096 1月 19 15:25 etc
drwxr-xr-x 2 scponly scponly 4096 1月 19 15:38 incoming
drwxr-xr-x 2 root root 4096 1月 19 15:25 lib
drwxr-xr-x 5 root root 4096 1月 19 15:25 usr
# Create /dev/null, otherwise it complains that /dev/null cannot be found
mkdir /home/scponly/dev
cp -rp /dev/null /home/scponly/dev
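As an added example (not part of the original post or the scponly tarball), a small POSIX sh helper that does what the addendum and the comments below do by hand: copy a binary such as /usr/libexec/openssh/sftp-server into the jail together with every shared library ldd reports (including the ld-linux loader, dereferencing symlinks so the real file lands in the jail), create /dev/null with mknod, and check that the jail root is root-owned and not group/other-writable, which is what the "chroot dir not owned by root" message above is about. The jail path and binary paths are arguments; nothing here is specific to this server.

```shell
#!/bin/sh
# Helper functions for populating and checking an scponlyc chroot jail.
# Assumes a Linux userland with ldd, cp -L, find and mknod (GNU or busybox).

# jail_add_bin JAIL /path/to/bin
# Copies the binary to JAIL/path/to/bin, then parses ldd output and copies
# every dependency to the same path under JAIL. cp -L dereferences symlinks,
# so e.g. /lib64/ld-linux-x86-64.so.2 in the jail is the real loader file.
# Libraries loaded at run time via dlopen (libnss_files.so.2, see the comment
# below) do not show up in ldd output and still have to be copied by hand.
jail_add_bin() {
    jail_dir=$1; jail_bin=$2
    mkdir -p "$jail_dir$(dirname "$jail_bin")"
    cp -L "$jail_bin" "$jail_dir$jail_bin" || return 1
    # keep only absolute paths from lines such as
    #   libc.so.6 => /lib64/libc.so.6 (0x...)
    #   /lib64/ld-linux-x86-64.so.2 (0x...)
    # (vdso lines carry no path; a static binary yields nothing)
    ldd "$jail_bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -e "$lib" ] || continue
            mkdir -p "$jail_dir$(dirname "$lib")"
            cp -L "$lib" "$jail_dir$lib" || exit 1
        done
}

# jail_devnull JAIL
# Creates the /dev/null character device (major 1, minor 3) inside the jail.
# Needs root; does nothing if it already exists.
jail_devnull() {
    mkdir -p "$1/dev"
    [ -c "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3
}

# jail_check_root JAIL
# scponlyc refuses with "chroot dir not owned by root" unless the jail root
# belongs to uid 0; a group- or other-writable root would also let the jailed
# user replace jail contents. Returns 0 when the root is root-owned and has
# neither write bit, 1 otherwise.
jail_check_root() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print)" ]
}

# Usage (as root), matching the layout shown above:
#   jail_add_bin /home/scponly /usr/libexec/openssh/sftp-server
#   jail_devnull /home/scponly
#   jail_check_root /home/scponly && echo "jail root ok"
```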
Log in with ssh: confirmed it does not work
Then I log in with sftp, and it works; this is inside the chroot environment
sftp> ls -al
drwxr-xr-x 8 0 0 4096 Jan 19 07:32 .
drwxr-xr-x 8 0 0 4096 Jan 19 07:32 ..
drwxr-xr-x 2 0 0 4096 Jan 19 07:31 bin
drwxr-xr-x 2 0 0 4096 Jan 19 07:32 dev
drwxr-xr-x 2 0 0 4096 Jan 19 07:25 etc
drwxr-xr-x 2 scponly 10005 4096 Jan 19 07:38 incoming
drwxr-xr-x 2 0 0 4096 Jan 19 07:25 lib
drwxr-xr-x 5 0 0 4096 Jan 19 07:25 usr
I tested ls ../ and ls ../../; neither shows anything outside the chroot (/home/scponly/)
sftp> ls ../
../bin ../dev ../etc ../incoming ../lib ../usr
sftp> ls ../../
../../bin ../../dev ../../etc ../../incoming ../../lib ../../usr
~~~ Using
scp scponly@server:/incoming/123 ./ or sftp xxx scponly@server:/incoming/ both work OK
Comments
mkdir /home/xxx/dev && mknod -m 666 /home/xxx/dev/null c 1 3
Q: Problem: scponly[23192]: failed: /usr/libexec/openssh/sftp-server with error No such file or directory(2) (username: scponly(10019), IP/port: 10.10.10.63 49977 22)
A: Fix:
cp /lib64/ld-linux-x86-64.so.* /home/XXX/lib64/
cp /lib64/libnss_files.so.2 /home/XXX/usr/lib64/
# Check whether the copied files are links; if they are, copy the real files the links point to as well
Q: helper.c:233:6: error: #elif with no expression
A: vi helper.c and change #elif on line 233 to #else
Reference: http://uzuki05.hateblo.jp/entry/20110126/1296044644
Q: make jail fails with "i cant find your equivalent of ld.so"
A: ln -s /lib64/ld-linux-x86-64.so.2 /lib/ld.so
# If there is no lib64/ld-linux-x86-64.so.2, install glibc