如何在 Amazon Linux 中使用 scp chroot 账户?

如何在 Amazon Linux 中使用 scp chroot 账户?

我需要设置一个 scp 服务器。供应商将通过 scp(而不是 sftp)将文件上传到该服务器。虽然 sftp 的配置很容易,但我使用 scp 时却非常吃力。网上有一些针对其他操作系统的说明和操作方法。我尝试遵循这些说明,但总是收到错误消息:

scp phpinfo.php [email protected]:/subdir/
/home/abc/bin/bash: Permission denied
lost connection

...日志中没有进一步的提示:

Oct  3 23:16:13 ip-10-2-4-121 sshd[30945]: Accepted password for abc from 1.2.3.4 port 57248 ssh2
Oct  3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session opened for user abc by (uid=0)
Oct  3 23:16:13 ip-10-2-4-121 sshd[30945]: Received disconnect from 1.2.3.4 port 57248:11: disconnected by user [postauth]
Oct  3 23:16:13 ip-10-2-4-121 sshd[30945]: Disconnected from 1.2.3.4 port 57248 [postauth]
Oct  3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session closed for user abc

我的/etc/ssh/sshd_config被​​修改如下:

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp    

Match Group sftp
  ChrootDirectory %h
#  ForceCommand internal-sftp
  AllowTcpForwarding no

...如果我想允许 scp 访问,我认为 ForceCommand 不是必需的。

目录中的权限/home

[root@ip-10-2-4-121 abc]# ls -al /home
total 16
drwxr-xr-x  4 root     root     4096 Oct  3 21:42 .
dr-xr-xr-x 25 root     root     4096 Oct  3 20:08 ..
drwx------  9 root     root     4096 Oct  3 23:12 abc
drwx------  4 ec2-user ec2-user 4096 Oct  3 21:43 ec2-user

我也尝试复制一些依赖项,但我不知道如何找出需要复制的文件。https://www.wilderssecurity.com/threads/how-to-copy-only-needed-libraries-to-a-chroot.329486/给了我一个提示,我已经尝试过了:

cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/abc

我的目录结构如下/home/abc

.
├── bin
│   └── bash
├── dev
│   ├── null
│   ├── random
│   ├── tty
│   └── zero
├── etc
│   ├── group
│   ├── ld.so.cache
│   ├── ld.so.conf
│   ├── ld.so.conf.d
│   │   └── kernel-4.9.51-10.52.amzn1.x86_64.conf
│   └── passwd
├── lib
├── lib64
│   ├── ld-linux-x86-64.so.2
│   ├── libcrypto.so.10
│   ├── libcrypt.so.1
│   ├── libc.so.6
│   ├── libdl.so.2
│   ├── libfreebl3.so
│   ├── liblber-2.4.so.2
│   ├── libldap-2.4.so.2
│   ├── libnspr4.so
│   ├── libnss3.so
│   ├── libnssutil3.so
│   ├── libplc4.so
│   ├── libplds4.so
│   ├── libpthread.so.0
│   ├── libresolv.so.2
│   ├── librt.so.1
│   ├── libsasl2.so.2
│   ├── libsmime3.so
│   ├── libssl3.so
│   ├── libtic.so.5
│   ├── libtinfo.so.5
│   ├── libutil.so.1
│   └── libz.so.1
├── subdir
└── usr
    ├── bin
    │   └── scp
    ├── lib
    ├── lib64
    │   ├── libnss3.so
    │   ├── libnssutil3.so
    │   ├── libsasl2.so.2
    │   ├── libsmime3.so
    │   └── libssl3.so
    └── libexec
        └── openssh
            └── sftp-server

我进一步修改了/etc/passwd

...
abc:x:501:501::/home/abc:/home/abc/bin/bash

任何帮助是极大的赞赏。

答案1

我遗漏了一些进一步的依赖项和权限。这是如何从空白的 amazon linux ec2 实例创建 chrooted、启用 ssh 和 scp 的用户:

#!/bin/bash

#
# This script creates a chrooted user, scp enabled, on an Amazon Linux aws instance
#
# 2017-10-05
#

# change username and password here:
username="abc"
password="123456"

# create groups
groupadd sftp

# create chrooted user
useradd -m $username -G sftp
echo $username:$password | chpasswd

# enable password authentication in sshd
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before_chroot
cat /etc/ssh/sshd_config | sed -e "s/PasswordAuthentication no/PasswordAuthentication yes/" > /etc/ssh/temp_sshd_config
mv -f /etc/ssh/temp_sshd_config /etc/ssh/sshd_config

# disable default sftp subsystem configuration in sshd
sed -e '/Subsystem sftp/ s/^#*/#/' -i /etc/ssh/sshd_config

# add sftp subsystem configuration to sshd
echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
echo "Match Group sftp" >> /etc/ssh/sshd_config
echo "    ChrootDirectory %h" >> /etc/ssh/sshd_config
echo "    AllowTcpForwarding no" >> /etc/ssh/sshd_config

# restart ssh service
/etc/init.d/sshd restart

# create the chrooted directory structure
mkdir /home/$username/bin
mkdir /home/$username/dir
mkdir /home/$username/usr
mkdir /home/$username/usr/bin
mkdir /home/$username/usr/libexec
mkdir /home/$username/usr/libexec/openssh
mkdir /home/$username/lib/
mkdir /home/$username/etc
mkdir /home/$username/dev
mkdir /home/$username/dev/pts

# copy all dependencies
cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/$username
cp --parents `ldd /bin/ls | cut -d " " -f 3` /home/$username/
cp /usr/lib64/libnss3.so /home/$username/lib64/
cp /usr/lib64/libtic.so.5 /home/$username/lib64/
cp /lib64/ld-linux-x86-64.so.2 /home/$username/lib64/
cp /usr/lib64/libssl3.so /home/$username/lib64/
cp /bin/bash /home/$username/bin/
cp /usr/bin/scp /home/$username/usr/bin/scp
cp /usr/libexec/openssh/sftp-server /home/$username/usr/libexec/openssh/
cp /bin/ls /home/$username/bin/
cp /lib64/libnss* /home/$username/lib64/
cp /usr/lib64/libnss* /home/$username/usr/lib64/
cp --parents `find . -type f -exec ldd '{}' \; | awk '{print $3}' | sort | uniq | grep -v '('` /home/$username/
cp -vf /etc/{passwd,group} /home/$username/etc/
cp -r /etc/ld.so* /home/$username/etc/

# create non-files
mknod -m 666 /home/$username/dev/null c 1 3
mknod -m 666 /home/$username/dev/tty c 5 0
mknod -m 666 /home/$username/dev/zero c 1 5
mknod -m 666 /home/$username/dev/random c 1 8
mount --bind /dev/pts /home/$username/dev/pts

# get the directory permissions right
chown $username.$username /home/$username/. -R
chmod 0755 /home/$username/bin
chmod 0666 /home/$username/.bashrc
chown root.root /home/$username
chmod 0755 /home/$username

https://gist.github.com/kmddevdani/b7687a74dacb250eda7b8e2f65f1c906

相关内容