The purpose of this document is to define the procedure for building a secured environment on a standard server, so that an external user can upload and download files within a dedicated directory tree without being given access to the rest of the machine.
To do this, a chrooted tree is created in which a dedicated SSH server is started on its own port; only the users defined inside this restricted environment are allowed to connect, and only over sftp.
Interactive ssh connections are not allowed.
Below is the listing of the chrooted directory /sftp (columns: inode, blocks, mode, links, owner, group, size, date, name). The top-level directories are: home dev etc unix usr var
The files under « var » and « usr » are copied from the corresponding source files under « / » of the base system.
« unix » is a symbolic link to the kernel.
« dev » contains, among other things, random, the random-number generator that sshd needs; it is created with: mknod random c 32 0
(32 is the major number of the random device on this machine; it differs between systems, so check it first with ls -l /dev/random on the base system, or in the ODM as shown in the troubleshooting section further down, and use that value).
« home » is the home directory of the user who connects over sftp (with the appropriate permissions; the listing shows it owned by uid 1530 and group grpftp, mode 770, with the source and target subdirectories).
« etc » is customised: the passwd file contains only the sshd user (required by sshd) and the sftp user. The other files are also cut down to the strict minimum (remote login disabled, ...).
One thing to tighten in the listing: ./etc/security/passwd, which holds the password hashes, is mode 644 and therefore readable by the sftp user; restrict it like the other files under $CHROOT_PATH/etc/security (root:security, mode 640 or 600).
4149 4 drwxr-xr-x 7 root system 4096 Jan 21 15:50 .
4151 1 drwxr-xr-x 4 root system 256 Jan 21 12:01 ./etc
4824 1 -rw-r--r-- 1 root security 74 Jan 21 12:00 ./etc/group
4828 4 drwxr-xr-x 2 root system 4096 Jan 21 15:37 ./etc/security
4829 1 -rw-r----- 1 root security 83 Jan 21 15:20 ./etc/security/group
21348 45 -rw-r----- 1 root system 45360 Jan 21 14:29 ./etc/security/failedlogin
21349 4 -r

w-r--r-- 1 root system 3872 Jan 14 12:31 ./etc/security/passwd
21355 2 -rw-r----- 1 root security 1248 Jan 21 15:17 ./etc/security/limits
21356 5 -rw-r----- 1 root security 5059 Jan 21 15:19 ./etc/security/login.cfg
21362 1 -rw-r----- 1 root security 807 Jan 21 14:29 ./etc/security/portlog
21367 4 -rw-r----- 1 root security 3530 Feb 4 2009 ./etc/security/pwdalg.cfg
21368 4 -rw------- 1 root system 4096 Jan 14 12:30 ./etc/security/pwdhist.dir
21369 7 -rw------- 1 root system 7168 Jan 14 12:31 ./etc/security/pwdhist.pag
21375 1 -rw-r----- 1 root security 601 Jan 21 15:16 ./etc/security/user
4823 1 -rw-r--r-- 1 root security 78 Jan 21 15:41 ./etc/passwd
4819 1 drwxr-xr-x 2 root system 256 Jan 14 14:42 ./etc/ssh
4820 4 -rw-r--r-- 1 root system 3449 Jan 21 15:39 ./etc/ssh/sshd_config
4830 1 -rw------- 1 root system 672 Feb 5 2009 ./etc/ssh/ssh_host_dsa_key
4831 1 -rw-r--r-- 1 root system 590 Feb 5 2009 ./etc/ssh/ssh_host_dsa_key.pub
4834 1 -rw------- 1 root system 963 Feb 5 2009 ./etc/ssh/ssh_host_key
4835 1 -rw-r--r-- 1 root system 627 Feb 5 2009 ./etc/ssh/ssh_host_key.pub
4836 2 -rw------- 1 root system 1675 Feb 5 2009 ./etc/ssh/ssh_host_rsa_key
4837 1 -rw-r--r-- 1 root system 382 Feb 5 2009 ./etc/ssh/ssh_host_rsa_key.pub
4779 1 drwxrwxr-x 3 root system 256 Jan 21 11:42 ./dev
4787 4 drwxr-xr-x 2 root system 4096 Jan 14 13:37 ./dev/pts
4802 0 crw--w---- 1 root security 22, 0 Jan 14 13:37 ./dev/pts/0
4803 0 crw-rw-rw- 1 root system 22, 1 Jan 14 13:37 ./dev/pts/1
4804 0 crw-rw-rw- 1 root system 22, 2 Jan 14 13:37 ./dev/pts/2
4805 0 crw-rw-rw- 1 root system 22, 3 Jan 14 13:37 ./dev/pts/3
4806 0 crw-rw-rw- 1 root system 22, 4 Jan 14 13:37 ./dev/pts/4
4807 0 crw-rw-rw- 1 root system 22, 5 Jan 14 13:37 ./dev/pts/5
4808 0 crw-rw-rw- 1 root system 22, 6 Jan 14 13:37 ./dev/pts/6
4809 0 crw-rw-rw- 1 root system 22, 7 Jan 14 13:37 ./dev/pts/7
4810 0 crw-rw-rw- 1 root system 22, 8 Jan 14 13:37 ./dev/pts/8
4811 0 crw-rw-rw- 1 root system 22, 9 Jan 14 13:37 ./dev/pts/9
4812 0 crw-rw-rw- 1 root system 22, 10 Jan 14 13:37 ./dev/pts/10
4798 0 crw-rw-rw- 1 root system 1, 0 Jan 14 13:32 ./dev/tty
4799 0 crw-rw-rw- 1 root system 2, 2 Jan 21 15:47 ./dev/null
4801 0 crw-rw-rw- 1 root system 2, 3 Jan 14 13:32 ./dev/zero
21347 0 crw-r--r-- 1 root system 32, 0 Jan 21 11:42 ./dev/random
4163 1 drwxrwx--- 4 1530 grpftp 256 Jan 21 15:45 ./home
87670 1 drwxrwx--- 2 1530 grpftp 256 Jan 21 12:07 ./home/source
87671 1 drwxrwx--- 2 1530 grpftp 256 Jan 21 15:48 ./home/target
4784 1 lrwxrwxrwx 1 root system 21 Jan 14 12:49 ./unix -> /usr/lib/boot/unix_64
114707 1 drwxr-xr-x 9 root system 256 Jan 21 15:11 ./usr
114922 1 drwxr-xr-x 2 bin bin 256 Jan 21 15:41 ./usr/bin
114935 283 -r-xr-xr-x 1 bin bin 289032 Sep 27 2008 ./usr/bin/ksh
114936 4 -rwxr-xr-x 1 root system 4082 May 28 2009 ./usr/bin/c_rehash
114937 727 -r-xr-xr-x 1 root system 744006 Nov 17 10:41 ./usr/bin/openssl64
114938 663 -r-xr-xr-x 1 root system 678462 Nov 17 10:41 ./usr/bin/openssl
114939 283 -r-xr-xr-x 1 bin bin 289032 Sep 27 2008 ./usr/bin/rksh
114940 1 drwxr-xr-x 3 bin bin 256 Jan 21 12:58 ./usr/include
114941 4 drwxr-xr-x 2 root system 4096 Jan 12 13:49 ./usr/include/openssl
114942 7 -rw-r--r-- 1 root system 6914 Jun 15 2009 ./usr/include/openssl/aes.h
114943 49 -rw-r--r-- 1 root system 49969 Jun 15 2009 ./usr/include/openssl/asn1.h
114944 20 -rw-r--r-- 1 root system 20188 May 28 2009 ./usr/include/openssl/asn1_mac.h
114945 29 -rw-r--r-- 1 root system 29305 Jun 15 2009 ./usr/include/openssl/asn1t.h
114946 32 -rw-r--r-- 1 root system 32054 May 28 2009 ./usr/include/openssl/bio.h
114947 7 -rw-r--r-- 1 root system 6405 Jun 15 2009 ./usr/include/openssl/blowfish.h
114948 34 -rw-r--r-- 1 root system 34794 Jun 15 2009 ./usr/include/openssl/bn.h
114949 6 -rw-r--r-- 1 root system 5797 May 28 2009 ./usr/include/openssl/buffer.h
114950 6 -rw-r--r-- 1 root system 5685 Jun 15 2009 ./usr/include/openssl/cast.h
114951 4 -rw-r--r-- 1 root system 3210 May 28 2009 ./usr/include/openssl/comp.h
114952 11 -rw-r--r-- 1 root system 10716 May 28 2009 ./usr/include/openssl/conf.h
114953 6 -rw-r--r-- 1 root system 5312 May 28 2009 ./usr/include/openssl/conf_api.h
114954 25 -rw-r--r-- 1 root system 25449 Jun 15 2009 ./usr/include/openssl/crypto.h
114955 12 -rw-r--r-- 1 root system 11968 May 28 2009 ./usr/include/openssl/des.h
114956 20 -rw-r--r-- 1 root system 19470 May 28 2009 ./usr/include/openssl/des_old.h
114957 10 -rw-r--r-- 1 root system 9886 Jun 15 2009 ./usr/include/openssl/dh.h
114958 13 -rw-r--r-- 1 root system 12906 Jun 15 2009 ./usr/include/openssl/dsa.h
114959 18 -rw-r--r-- 1 root system 17484 May 28 2009 ./usr/include/openssl/dso.h
114960 8 -rw-r--r-- 1 root system 7555 Jun 15 2009 ./usr/include/openssl/dtls1.h
114961 11 -rw-r--r-- 1 root system 10864 May 28 2009 ./usr/include/openssl/e_os2.h
114962 2 -rw-r--r-- 1 root system 1772 May 28 2009 ./usr/include/openssl/ebcdic.h
114963 39 -rw-r--r-- 1 root system 39767 Jun 15 2009 ./usr/include/openssl/engine.h
114964 14 -rw-r--r-- 1 root system 14185 Jun 15 2009 ./usr/include/openssl/err.h
114965 39 -rw-r--r-- 1 root system 39866 Jun 15 2009 ./usr/include/openssl/evp.h
114966 6 -rw-r--r-- 1 root system 5661 Jun 15 2009 ./usr/include/openssl/hmac.h
114967 9 -rw-r--r-- 1 root system 8874 May 28 2009 ./usr/include/openssl/krb5_asn.h
114968 7 -rw-r--r-- 1 root system 7159 May 28 2009 ./usr/include/openssl/kssl.h
114969 9 -rw-r--r-- 1 root system 8661 May 28 2009 ./usr/include/openssl/lhash.h
114970 6 -rw-r--r-- 1 root system 5190 Jun 15 2009 ./usr/include/openssl/md2.h
114971 6 -rw-r--r-- 1 root system 5954 Jun 15 2009 ./usr/include/openssl/md4.h
114972 6 -rw-r--r-- 1 root system 5954 Jun 15 2009 ./usr/include/openssl/md5.h
114973 127 -rw-r--r-- 1 root system 129383 Jun 15 2009 ./usr/include/openssl/obj_mac.h
114974 34 -rw-r--r-- 1 root system 34628 May 28 2009 ./usr/include/openssl/objects.h
114975 25 -rw-r--r-- 1 root system 25296 May 28 2009 ./usr/include/openssl/ocsp.h
114976 9 -rw-r--r-- 1 root system 8833 Jun 15 2009 ./usr/include/openssl/opensslconf.h
114977 5 -rw-r--r-- 1 root system 4983 Jun 15 2009 ./usr/include/openssl/opensslv.h
114978 8 -rw-r--r-- 1 root system 7946 Jun 15 2009 ./usr/include/openssl/ossl_typ.h
114979 29 -rw-r--r-- 1 root system 29481 Jun 15 2009 ./usr/include/openssl/pem.h
114980 4 -rw-r--r-- 1 root system 4095 May 28 2009 ./usr/include/openssl/pem2.h
114981 14 -rw-r--r-- 1 root system 13907 Jun 15 2009 ./usr/include/openssl/pkcs12.h
114982 18 -rw-r--r-- 1 root system 17565 May 28 2009 ./usr/include/openssl/pkcs7.h
114983 8 -rw-r--r-- 1 root system 7445 Jun 15 2009 ./usr/include/openssl/pq_compat.h
114984 5 -rw-r--r-- 1 root system 4781 Nov 17 10:41 ./usr/include/openssl/pqueue.h
114985 8 -rw-r--r-- 1 root system 7474 Jun 15 2009 ./usr/include/openssl/rand.h
114986 6 -rw-r--r-- 1 root system 5637 Jun 15 2009 ./usr/include/openssl/rc2.h
114987 5 -rw-r--r-- 1 root system 5042 Jun 15 2009 ./usr/include/openssl/rc4.h
114988 6 -rw-r--r-- 1 root system 5588 Jun 15 2009 ./usr/include/openssl/ripemd.h
114989 21 -rw-r--r-- 1 root system 20803 Jun 15 2009 ./usr/include/openssl/rsa.h
114990 139 -rw-r--r-- 1 root system 141833 Jun 15 2009 ./usr/include/openssl/safestack.h
114991 9 -rw-r--r-- 1 root system 8622 Jun 15 2009 ./usr/include/openssl/sha.h
114992 84 -rw-r--r-- 1 root system 85518 Jun 15 2009 ./usr/include/openssl/ssl.h
114993 12 -rw-r--r-- 1 root system 11948 May 28 2009 ./usr/include/openssl/ssl2.h
114994 5 -rw-r--r-- 1 root system 4976 May 28 2009 ./usr/include/openssl/ssl23.h
114995 24 -rw-r--r-- 1 root system 23776 May 28 2009 ./usr/include/openssl/ssl3.h
114996 6 -rw-r--r-- 1 root system 5650 May 28 2009 ./usr/include/openssl/stack.h
114997 28 -rw-r--r-- 1 root system 27713 May 28 2009 ./usr/include/openssl/store.h
114998 22 -rw-r--r-- 1 root system 21926 Jun 15 2009 ./usr/include/openssl/symhacks.h
114999 21 -rw-r--r-- 1 root system 20622 May 28 2009 ./usr/include/openssl/tls1.h
115000 6 -rw-r--r-- 1 root system 5349 May 28 2009 ./usr/include/openssl/tmdiff.h
115001 6 -rw-r--r-- 1 root system 5532 May 28 2009 ./usr/include/openssl/txt_db.h
115002 18 -rw-r--r-- 1 root system 17650 May 28 2009 ./usr/include/openssl/ui.h
115003 5 -rw-r--r-- 1 root system 4671 May 28 2009 ./usr/include/openssl/ui_compat.h
115004 49 -rw-r--r-- 1 root system 49674 May 28 2009 ./usr/include/openssl/x509.h
115005 22 -rw-r--r-- 1 root system 22014 May 28 2009 ./usr/include/openssl/x509_vfy.h
115006 31 -rw-r--r-- 1 root system 31319 Jun 15 2009 ./usr/include/openssl/x509v3.h
115007 4 drwxr-xr-x 3 bin bin 4096 Jan 21 15:10 ./usr/lib
115008 8294 -r--r--r-- 1 bin bin 8492763 May 23 2008 ./usr/lib/libC.a
115009 4 -r--r--r-- 1 bin bin 3528 Feb 4 2009 ./usr/lib/lib.b
115010 20 -rw-r--r-- 1 bin bin 19498 Sep 26 2007 ./usr/lib/libXevie.a
115011 124 -rw-r--r-- 1 bin bin 126228 Sep 26 2007 ./usr/lib/libXdmcp.a
115012 28 -rw-r--r-- 1 bin bin 28025 Sep 26 2007 ./usr/lib/libXdamage.a
115013 193 -rw-r--r-- 1 bin bin 197464 May 9 2008 ./usr/lib/libXcursor.a
115014 1687 -rw-r--r-- 1 bin bin 1726986 Feb 6 2008 ./usr/lib/libXaw.a
115015 278 -r-xr-xr-x 1 bin bin 284016 Feb 4 2009 ./usr/lib/libHBAAPI.a
115016 38 -rw-r--r-- 1 bin bin 38490 Feb 4 2009 ./usr/lib/libXau.a
115017 67 -r-xr-xr-x 1 root system 68199 Jan 16 2009 ./usr/lib/libXApi.a
115018 4525 -rw-r--r-- 1 bin bin 4633164 Feb 4 2009 ./usr/lib/libX11.a
115019 849 -rw-r--r-- 1 bin bin 869283 Feb 4 2009 ./usr/lib/libMrm.a
115020 86 -r--r--r-- 1 bin bin 87488 Jan 30 2008 ./usr/lib/libPW.a
115021 787 -r-xr-xr-x 1 root system 805860 Jan 16 2009 ./usr/lib/libPiIMG.a
115022 714 -r-xr-xr-x 1 root system 730494 Jan 16 2009 ./usr/lib/libPiJ2SNP.a
115023 155 -rw-r--r-- 1 bin bin 158106 Feb 4 2009 ./usr/lib/libSM.a
115024 557 -r--r--r-- 1 bin system 569804 Feb 4 2009 ./usr/lib/libSpmi.a
115025 1923 -rw-r--r-- 1 bin bin 1968632 Feb 4 2009 ./usr/lib/libUil.a
115026 1241 -r-xr-xr-x 1 bin bin 1270343 Nov 14 2008 ./usr/lib/libIbBaseLibMT.a
115027 77 -r--r--r-- 1 bin bin 78841 Feb 4 2009 ./usr/lib/libIM.a
115028 354 -rw-r--r-- 1 bin bin 362154 Feb 4 2009 ./usr/lib/libICE.a
115029 4 -r-xr-xr-x 1 root system 3294 Jan 16 2009 ./usr/lib/libDsmStub54.a
115030 8 -r-xr-xr-x 1 root system 7254 Jan 16 2009 ./usr/lib/libDsmStub.a
115031 8294 -r--r--r-- 1 bin bin 8492763 May 23 2008 ./usr/lib/libC_r.a
115032 5124 -r--r--r-- 1 bin bin 5246501 May 23 2008 ./usr/lib/libC128_r.a
115033 5124 -r--r--r-- 1 bin bin 5246501 May 23 2008 ./usr/lib/libC128.a
115034 92 -rw-r--r-- 1 bin bin 93769 Sep 26 2007 ./usr/lib/libXtst.a
115035 1596 -rw-r--r-- 1 bin bin 1634296 Jan 9 2008 ./usr/lib/libXt.a
115036 165 -rw-r--r-- 1 bin bin 168900 May 9 2008 ./usr/lib/libXrender.a
115037 273 -rw-r--r-- 1 bin bin 279498 Jan 9 2008 ./usr/lib/libXpm.a
115038 156 -rw-r--r-- 1 bin bin 159523 Jan 9 2008 ./usr/lib/libXp.a
115039 436 -rw-r--r-- 1 bin bin 446330 Feb 6 2008 ./usr/lib/libXmu.a
115040 10876 -rw-r--r-- 1 bin bin 11136979 Feb 4 2009 ./usr/lib/libXm.a
115041 162 -rw-r--r-- 1 bin bin 165046 Sep 26 2007 ./usr/lib/libXi.a
115042 2082 -rw-r--r-- 1 bin bin 2131380 Feb 4 2009 ./usr/lib/libXfont.a
115043 85 -rw-r--r-- 1 bin bin 86795 Sep 26 2007 ./usr/lib/libXfixes.a
115044 561 -rw-r--r-- 1 bin bin 573747 Sep 26 2007 ./usr/lib/libXext.a
115045 379 -r--r--r-- 1 bin bin 387595 Feb 4 2009 ./usr/lib/libaacct.a
115046 24 -r--r--r-- 1 bin system 23696 Feb 4 2009 ./usr/lib/libarm.a
115047 29 -r--r--r-- 1 bin system 29064 Feb 4 2009 ./usr/lib/libarm2.a
115048 295 -r-xr-xr-x 1 bin bin 301317 Feb 4 2009 ./usr/lib/libarm4.a
115049 222 -r--r--r-- 1 bin bin 226741 Feb 4 2009 ./usr/lib/libasl.a
115050 12 -r--r--r-- 1 root system 11710 Feb 4 2009 ./usr/lib/libauthm.a
115051 72 -r-xr-xr-x 1 bin bin 73644 Feb 4 2009 ./usr/lib/libbind.a
115052 1187 -r-xr-xr-x 1 bin bin 1215088 Aug 28 2008 ./usr/lib/libbind_isc9.a
115053 1724 -r--r--r-- 1 bin bin 1765149 Feb 10 2009 ./usr/lib/libblas.a
115054 67 -r-xr-xr-x 1 bin bin 68158 Feb 4 2009 ./usr/lib/libbsd.a
115055 67 -r-xr-xr-x 1 bin bin 68158 Feb 4 2009 ./usr/lib/libbsd_r.a
115056 155 -rw-r--r-- 1 root system 158493 Mar 25 2008 ./usr/lib/libbz2.a
115057 10779 -r-xr-xr-x 1 bin bin 11037388 Feb 4 2009 ./usr/lib/libc.a
115058 81 -r-xr-xr-x 1 bin bin 82263 Feb 4 2009 ./usr/lib/libc128.a
115059 10779 -r-xr-xr-x 1 bin bin 11037388 Feb 4 2009 ./usr/lib/libc_r.a
115060 10779 -r-xr-xr-x 1 bin bin 11037388 Feb 4 2009 ./usr/lib/libc_t.a
115061 72 -r-xr-xr-x 1 bin bin 72897 Feb 4 2009 ./usr/lib/libcdebug.a
115062 254 -r--r--r-- 1 bin bin 259629 Feb 4 2009 ./usr/lib/libcfg.a
115063 237 -r-xr-xr-x 1 bin bin 241882 Feb 4 2009 ./usr/lib/libcfgiscsi.a
115064 492 -r-xr-xr-x 1 bin bin 503791 Feb 4 2009 ./usr/lib/libcfgscsi.a
115065 213 -r-xr-xr-x 1 bin bin 218068 Feb 4 2009 ./usr/lib/libcorcfg.a
115066 12 -r-xr-xr-x 1 bin bin 11493 Feb 4 2009 ./usr/lib/libcrypt.a
115067 4927 -r-xr-xr-x 1 root system 5044508 Nov 17 10:41 ./usr/lib/libcrypto.a
115068 44 -r--r--r-- 1 root system 44277 Mar 5 2008 ./usr/lib/libcsm_clog.a
115069 38 -r--r--r-- 1 bin bin 38120 Aug 22 2007 ./usr/lib/libcsys.a
115070 20 -r--r--r-- 1 bin bin 19504 Feb 4 2009 ./usr/lib/libdbm.a
115071 224 -r--r--r-- 1 bin bin 229079 Feb 4 2009 ./usr/lib/libdecNumber.a
115072 21 -r-x------ 1 root system 21198 Aug 22 2007 ./usr/lib/libdfapiu.a
115073 45 -r--r--r-- 1 root system 45197 Feb 4 2009 ./usr/lib/libdhcp6.a
115074 488 -r--r--r-- 1 root system 499331 Feb 4 2009 ./usr/lib/libdiag.a
115075 6 -r-xr-xr-x 1 bin bin 5248 Feb 4 2009 ./usr/lib/libdl.a
115076 5201 -r--r--r-- 1 root system 5324913 Feb 4 2009 ./usr/lib/libdns.a
115077 5201 -r--r--r-- 1 root system 5324913 Feb 4 2009 ./usr/lib/libdns_nonsecure.a
115078 5314 -r--r--r-- 1 root system 5441174 Feb 4 2009 ./usr/lib/libdns_secure.a
115079 167 -r--r--r-- 1 root system 170364 Feb 4 2009 ./usr/lib/libdpi20.a
115080 91 -r--r--r-- 1 bin bin 92921 Feb 4 2009 ./usr/lib/libdr_chrp.a
115081 228 -rw-r--r-- 1 bin bin 233381 Feb 4 2009 ./usr/lib/libfontenc.a
115082 67 -r--r--r-- 1 bin bin 68435 Feb 4 2009 ./usr/lib/libfrca.a
115083 26 -r--r--r-- 1 bin system 26417 Apr 23 2008 ./usr/lib/libjpa.a
115084 28 -r--r--r-- 1 bin system 28650 Apr 23 2008 ./usr/lib/libjpa64.a
115085 99 -rw-r--r-- 1 bin bin 101254 Feb 6 2008 ./usr/lib/libkap.a
115086 730 -rwxr-xr-x 1 root system 747243 Mar 10 2009 ./usr/lib/libksba.a
115087 104 -r-xr-xr-x 1 bin bin 105483 Feb 4 2009 ./usr/lib/libpam.a
115088 720 -r--r--r-- 1 bin system 736267 Feb 4 2009 ./usr/lib/libptools.a
115089 15 -r--r--r-- 1 bin bin 15312 Feb 4 2009 ./usr/lib/libpthreads_compat.a
115090 1220 -r--r--r-- 1 bin bin 1249084 Sep 27 2008 ./usr/lib/libpthreads.a
115091 1220 -r--r--r-- 1 bin bin 1249084 Sep 27 2008 ./usr/lib/libpthread.a
115092 1210 -r--r--r-- 1 bin bin 1238443 Feb 4 2009 ./usr/lib/libpthdebug.a
115093 1 -rwxr-xr-x 1 root system 763 Mar 28 2008 ./usr/lib/libpth.la
115094 267 -rwxr-xr-x 1 root system 273087 Mar 28 2008 ./usr/lib/libpth.a
115095 90 -r--r--r-- 1 root system 91677 Feb 4 2009 ./usr/lib/libpsa.a
115096 181 -r--r--r-- 1 bin bin 184334 Sep 23 2008 ./usr/lib/libprm.a
115097 94 -rw-r--r-- 1 bin bin 95619 Feb 6 2008 ./usr/lib/libpp.a
115098 421 -r--r--r-- 1 bin bin 430713 Feb 4 2009 ./usr/lib/libposixtrace.a
115099 764 -r--r--r-- 1 root system 782217 Feb 4 2009 ./usr/lib/libpmapi.a
115100 318 -r--r--r-- 1 bin bin 325103 Feb 4 2009 ./usr/lib/libperfstat.a
115101 42 -r--r--r-- 1 root system 42691 Feb 4 2009 ./usr/lib/libpdiag.a
115102 1 -r--r--r-- 1 bin bin 886 Feb 23 2008 ./usr/lib/libpcap.exp
115103 899 -r--r--r-- 1 bin bin 920304 Feb 4 2009 ./usr/lib/libpcap.a
115104 88 -r--r--r-- 1 bin bin 89356 Feb 4 2009 ./usr/lib/libpapi.a
115105 266 -rwxr-xr-x 1 root system 271724 Jan 3 2008 ./usr/lib/libz.a
115106 4 dr-xr-xr-x 2 bin bin 4096 Jan 21 15:09 ./usr/lib/security
115107 20 -r-xr-xr-x 1 root system 19524 Dec 30 2007 ./usr/lib/security/CC_EVALify.sh
115108 2 -rw-r--r-- 1 root security 1703 Feb 4 2009 ./usr/lib/security/methods.cfg
115109 102 -r--r--r-- 1 root security 103848 Sep 27 2008 ./usr/lib/security/KRB5_64
115110 94 -r--r--r-- 1 root security 95732 Sep 27 2008 ./usr/lib/security/KRB5
115111 102 -r--r--r-- 1 root security 103850 Sep 27 2008 ./usr/lib/security/KRB5A_64
115112 94 -r--r--r-- 1 root security 95732 Sep 27 2008 ./usr/lib/security/KRB5A
115113 89 -r--r--r-- 1 root security 90944 Nov 14 2008 ./usr/lib/security/LDAP
115114 94 -r--r--r-- 1 root security 95938 Nov 14 2008 ./usr/lib/security/LDAP64
115115 298 -r--r--r-- 1 root security 305136 Sep 27 2008 ./usr/lib/security/LOCAL
115116 335 -r--r--r-- 1 root security 342454 Sep 27 2008 ./usr/lib/security/LOCAL64
115117 303 -r--r--r-- 1 root security 310264 Aug 1 2008 ./usr/lib/security/sblowfish
115118 310 -r--r--r-- 1 root security 316776 Aug 1 2008 ./usr/lib/security/sblowfish_64
115119 295 -r--r--r-- 1 root security 301632 Aug 1 2008 ./usr/lib/security/smd5
115120 301 -r--r--r-- 1 root security 307516 Aug 1 2008 ./usr/lib/security/smd5_64
115121 297 -r--r--r-- 1 root security 303272 Aug 1 2008 ./usr/lib/security/ssha
115122 302 -r--r--r-- 1 root security 309228 Aug 1 2008 ./usr/lib/security/ssha_64
115123 8 -r--r--r-- 1 root security 7820 Feb 4 2009 ./usr/lib/security/PAM
115124 10 -r-xr-xr-x 1 root system 9412 Apr 17 2008 ./usr/lib/security/NIS
115125 11 -r-xr-xr-x 1 root system 10418 Apr 17 2008 ./usr/lib/security/NIS_64
115126 1 drwxr-xr-x 3 root system 256 Jan 12 15:17 ./usr/local
115127 1 drwxr-xr-x 2 root system 256 Jan 21 17:43 ./usr/local/etc
115128 1 -rw-r--r-- 1 root system 7 Feb 18 17:49 ./usr/local/etc/sshd.pid
115129 1 dr-x------ 2 root system 256 Aug 1 2008 ./usr/openssh
115130 0 -r-------- 1 root system 0 Jul 11 2008 ./usr/openssh/README
115131 0 -r-------- 1 root system 0 Jul 11 2008 ./usr/openssh/license_ssh.txt
115132 1 drwxr-xr-x 2 root system 256 Jan 12 13:49 ./usr/openssl
115133 0 -r-------- 1 root system 0 May 28 2009 ./usr/openssl/LICENSE
115134 0 -r-------- 1 root system 0 Jun 15 2009 ./usr/openssl/README
115135 1 drwxr-xr-x 2 bin bin 256 Jan 21 12:53 ./usr/sbin
115136 786 -r-xr-xr-x 1 root system 804157 Aug 1 2008 ./usr/sbin/sftp-server
115137 1887 -r-xr-xr-x 1 root system 1931824 Aug 1 2008 ./usr/sbin/sshd
94450 4 drwxr-xr-x 4 root system 4096 Feb 18 17:33 ./var
94451 1 drwxr-xr-x 2 root system 256 Feb 18 16:41 ./var/empty
114693 1 drwxr-xr-x 5 root system 256 Feb 18 16:40 ./var/ssl
114694 10 -rw-r--r-- 1 root system 9825 Feb 5 2009 ./var/ssl/openssl.cnf.rpmorig
114695 10 -rw-r--r-- 1 root system 9374 Jan 16 2009 ./var/ssl/openssl.cnf
114696 1 drwxr-xr-x 2 root system 256 Feb 18 16:40 ./var/ssl/misc
114697 6 -rwxr-xr-x 1 root system 5679 Feb 18 16:40 ./var/ssl/misc/CA.pl
114698 4 -rwxr-xr-x 1 root system 3758 Feb 18 16:40 ./var/ssl/misc/CA.sh
114699 1 -rwxr-xr-x 1 root system 119 Feb 18 16:40 ./var/ssl/misc/c_hash
114700 1 -rwxr-xr-x 1 root system 152 Feb 18 16:40 ./var/ssl/misc/c_info
114701 1 -rwxr-xr-x 1 root system 112 Feb 18 16:40 ./var/ssl/misc/c_issuer
114932 1 -rwxr-xr-x 1 root system 110 Feb 18 16:40 ./var/ssl/misc/c_name
114933 1 drwxr-xr-x 2 root system 256 Jan 16 2009 ./var/ssl/certs
114934 1 drwxr-x--- 2 root system 256 Jan 16 2009 ./var/ssl/private
The sshd start/stop script lives in /etc/rc.d/init.d (the standard location). Starting and stopping happen automatically through the links in /etc/rc.d/rc2.d.
The standard sshd listens on port 22, whereas the chrooted sshd listens on port 222 (adjust it in the script and in $CHROOT_PATH/etc/ssh/sshd_config if necessary).
[root@sftpserver]/etc/rc.d/rc2.d# ll
total 16
0 drwxr-xr-x 2 root system 256 Jan 21 17:05 .
4 drwxr-xr-x 11 root system 4096 Feb 4 2009 ..
0 lrwxrwxrwx 1 root system 21 Jan 21 17:05 K90sshd_cust -> ../init.d/sshd_cust.sh
4 -r-xr-xr-x 1 root system 307 Jan 12 13:49 Ksshd
4 -r-x------ 1 root system 2317 Feb 4 2009 Kwpars
0 lrwxrwxrwx 1 root system 21 Jan 21 17:05 S10sshd_cust -> ../init.d/sshd_cust.sh
4 -r-xr-xr-x 1 root system 308 Jan 12 13:49 Ssshd
Startup script: sshd_cust.sh
#!/bin/ksh
##################################################
# name: sshd_cust.sh
# purpose: script that will start or stop the sshd daemon.
##################################################
PORT=222
CHROOT_PATH=/sftp

case "$1" in
start )
    # sshd runs inside the chroot, so it reads $CHROOT_PATH/etc/ssh/sshd_config
    chroot $CHROOT_PATH /usr/sbin/sshd -p $PORT
    ;;
stop )
    # this sshd build writes its pid to /usr/local/etc/sshd.pid inside the chroot
    kill `cat $CHROOT_PATH/usr/local/etc/sshd.pid`
    ;;
* )
    echo "Usage: $0 (start | stop)"
    exit 1
    ;;
esac
To harden the chrooted environment as much as possible, the standard AIX commands are not present under $CHROOT_PATH (the listing shows only ksh, rksh, openssl and the sshd/sftp-server binaries; try # chroot $CHROOT_PATH /usr/bin/ksh). The chrooted environment must therefore not be used to create the user and set its password.
The easiest way is to create the user on the base AIX partition, generate a password, then copy the user's entries (group, password, ...) and append them to the files under $CHROOT_PATH.
Don't forget to then delete the user from the base AIX partition (rmuser -p also removes its authentication stanzas): this user must exist only in the chrooted environment.
The user customisation parameters are adjusted in $CHROOT_PATH/etc and $CHROOT_PATH/etc/security.
Add the block below, with the user's name, to $CHROOT_PATH/etc/ssh/sshd_config, then restart sshd. « Match Group <group> » can be used instead and is the safer choice here: any account present in $CHROOT_PATH/etc/passwd that no Match block covers gets the global settings of this sshd_config (AllowTcpForwarding yes and, if its shell exists in the chroot, an interactive session), whereas a group-based block covers every sftp account at once.

Match User test1
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/sbin/sftp-server
Do not use the passwd command to set this user's password: it acts on the base system's files, not on $CHROOT_PATH/etc/security/passwd, so the account the chrooted sshd sees is not updated.
Generate the password on a test server, then copy the password and lastupdate fields from its /etc/security/passwd into:
[root@sftpsever]/sftpserver/etc/security# cat passwd
sshd:
        password = *

userftp:
        password = {ssha256}06$bn5WV5WWRvtdSX5c$IbFEK2y/ihtqu2MYIoHDPON5/n3PzBQ.A4
        lastupdate = 1263468698
        flags =
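The procedure above (create the user on the base system, copy its entries into the chroot, check the password hash arrived) as a script. This is an added example, not part of the original note: it assumes CHROOT_PATH=/sftp, the AIX stanza layout shown above ("name:" in column 1 followed by indented "key = value" lines), and a BASE variable (empty for the live system) added so the same functions can be exercised against copies of the files. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original note: copy an sftp user's account
# from the base AIX system into the chroot's own passwd/group/security files.
# Assumptions: AIX stanza layout ("name:" then indented "key = value" lines);
# BASE is the base-system root ("" = live system, or a copy for testing).

BASE=${BASE:-}
CHROOT_PATH=${CHROOT_PATH:-/sftp}

# Print the colon-separated entry for name $1 from passwd/group-style file $2.
colon_entry() {
    awk -F: -v name="$1" '$1 == name' "$2"
}

# Print the stanza of $1 (header line included) from AIX stanza file $2.
# A stanza starts at "name:" in column 1 and ends at the next such header;
# "*" comment lines are never taken as headers.
stanza() {
    awk -v name="$1" '
        { sub(/[ \t]+$/, "") }                     # drop trailing blanks
        /^[^ \t*]+:$/ { inside = ($0 == (name ":")); if (inside) print; next }
        inside && NF  { print }                    # attribute lines of our stanza
    ' "$2"
}

# Copy user $1 (and its primary group if missing) from $BASE into $CHROOT_PATH.
copy_user_to_chroot() {
    user=$1
    entry=$(colon_entry "$user" "$BASE/etc/passwd")
    if [ -z "$entry" ]; then
        echo "$user: not found in $BASE/etc/passwd" >&2; return 1
    fi
    if [ -n "$(colon_entry "$user" "$CHROOT_PATH/etc/passwd")" ]; then
        echo "$user: already present in $CHROOT_PATH/etc/passwd" >&2; return 1
    fi
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    group=$(awk -F: -v gid="$gid" '$3 == gid { print $1; exit }' "$BASE/etc/group")

    printf '%s\n' "$entry" >> "$CHROOT_PATH/etc/passwd"
    if [ -n "$group" ] && [ -z "$(colon_entry "$group" "$CHROOT_PATH/etc/group")" ]; then
        colon_entry "$group" "$BASE/etc/group" >> "$CHROOT_PATH/etc/group"
        s=$(stanza "$group" "$BASE/etc/security/group")
        if [ -n "$s" ]; then printf '\n%s\n' "$s" >> "$CHROOT_PATH/etc/security/group"; fi
    fi
    # passwd: hash + lastupdate; user: per-user attributes; limits: resource limits
    for f in passwd user limits; do
        s=$(stanza "$user" "$BASE/etc/security/$f")
        if [ -n "$s" ]; then printf '\n%s\n' "$s" >> "$CHROOT_PATH/etc/security/$f"; fi
    done
    # The chrooted sshd authenticates against the chroot's copy only, so make
    # sure a real hash (not "*" or empty) made it across.
    if ! stanza "$user" "$CHROOT_PATH/etc/security/passwd" | grep -q 'password = [^*]'; then
        echo "$user: no password hash in $CHROOT_PATH/etc/security/passwd" >&2; return 1
    fi
    echo "$user copied into $CHROOT_PATH; now remove it from the base system (rmuser -p $user)"
}

# Script usage on the sftp server, as root:  copy_user_to_chroot.sh <user>
if [ $# -gt 0 ]; then copy_user_to_chroot "$1"; fi
```

The duplicate check matters because AIX stanza lookups take the first matching stanza: appending a second userftp: stanza would silently leave the old hash in force.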
Whenever the OS is updated, the binaries and libraries in the chrooted directory must be regenerated from the base OS. To do this, stop the chrooted ssh, run the script below, then restart ssh.
sync_chroot.sh
#!/bin/ksh
##################################################
#@(#) Copy binaries and library from /usr and /var to /sftp
# version 1.0 23-02-2010 Manu
##################################################
CHROOT_PATH=/sftp
logpath=/var/log
logname=$logpath/sync_chroot.log

################################
# Main
################################
main () {
    date
    test -e $logpath/list_file_chroot.txt && rm $logpath/list_file_chroot.txt
    for dir in var usr bin
    do
        #rsync -v -u -r --existing /$dir $CHROOT_PATH/$dir
        # Only refresh what already exists in the chroot: list its files,
        # then re-archive exactly those names from the base system.
        cd $CHROOT_PATH/$dir || continue        # skip a tree that is not in the chroot
        find . > $logpath/list_file_chroot.txt
        # drop the first line ("."), which would archive the whole base tree
        sed -n '2,$p' $logpath/list_file_chroot.txt > $logpath/list_file_chroot1.txt
        cd /$dir || continue
        # -h follows symbolic links, -L reads the list of names from a file
        tar -cvhf $CHROOT_PATH/$dir/bintmp.tar -L $logpath/list_file_chroot1.txt
        cd $CHROOT_PATH/$dir
        # member names are relative ("./bin/ksh"), so extract everything
        tar -xvf $CHROOT_PATH/$dir/bintmp.tar
        rm $CHROOT_PATH/$dir/bintmp.tar
    done
    rm $logpath/list_file_chroot1.txt $logpath/list_file_chroot.txt
}

main 2>&1 | tee $logname
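A check to run before and after the sync, added here as an example and not part of the original note: it lists every regular file under the chroot's usr and var trees whose content no longer matches the base system's copy (stale binaries or libraries the OS update replaced), and files that only exist in the chroot. The function name and the two-argument interface (chroot root, base root) are this example's own; symbolic links are not compared.

```shell
#!/bin/sh
# Added example, not from the original note: list files under the chroot's
# usr and var trees whose content differs from the base system's copy, or
# that no longer exist there. $1 = chroot root, $2 = base root ("" for /).

chroot_drift() {
    for dir in usr var; do
        [ -d "$1/$dir" ] || continue
        ( cd "$1/$dir" && find . -type f | sed 's|^\./||' ) |
        while read -r f; do
            if [ ! -f "$2/$dir/$f" ]; then
                echo "missing-in-base $dir/$f"      # chroot-only file (e.g. sshd.pid): nothing to sync
            elif ! cmp -s "$1/$dir/$f" "$2/$dir/$f"; then
                echo "stale $dir/$f"                # base copy changed: must be refreshed
            fi
        done
    done
}

# Usage on the server:  chroot_drift /sftp ""   (empty output = chroot is current)
if [ $# -ge 1 ]; then chroot_drift "$1" "${2:-}"; fi
```

An empty "stale" list after sync_chroot.sh is the confirmation that the chrooted sshd is no longer running code the OS update has already replaced on the base system.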
For the move to OpenSSH 5.4, the following must be added:
cp /usr/lib/libssl.a /sftp/usr/lib
cp /usr/lib/libmlsenc.a /sftp/usr/lib
cp /usr/lib/libmls.a /sftp/usr/lib
cp /usr/lib/libodm.a /sftp/usr/lib
cp /usr/lib/libpam.a /sftp/usr/lib
cd /sftp/dev
mknod urandom c 32 1
Debug and test:
chroot /sftp /bin/ksh
/usr/sbin/sshd -dd
(the second command is typed inside the chrooted shell; with -dd sshd stays in the foreground, serves a single connection and logs at debug level 2)
[root@sftpserver]/sftp/etc/ssh# cat sshd_config
# $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
KerberosOrLocalPasswd no
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server

Match User usersftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/sbin/sftp-server

Match User test1
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/sbin/sftp-server
It has been a long time since I last dealt with this message, so I had to scratch my head for a moment or two. After taking care of the business, I decided to turn it into a post so that when I see it again I can just search my blog for the answer.
Step 1: check the permissions on the random number generators; "other" must have "read" access to these devices:
#ls -l /dev/random
crw-r----- 1 root system 39, 0 Jan 22 10:48 /dev/random
#ls -l /dev/urandom
crw-r----- 1 root system 39, 1 Jan 22 10:48 /dev/urandom
#chmod o+r /dev/random; chmod o+r /dev/urandom
If /dev/random doesn't exist anymore, look up the ID in the ODM:
# odmget CuDvDr | grep -p random
CuDvDr:
        resource = "ddins"
        value1 = "random"
        value2 = "39"      -> ID
        value3 = ""
Step 2:
stopsrc -s sshd
startsrc -s sshd
If these two steps do not let users use ssh and the same message is produced:
Step 3:
stopsrc -s sshd
Step 4:
rm -rf /dev/random
rm -rf /dev/urandom
mknod /dev/random c 39 0
mknod /dev/urandom c 39 1
randomctl -l
Step 5:
check permissions and start sshd
If the SFTP connection to sftpserver fails:
[root@labotest]/root# sftp -oPort=222 testsrv@sftpserver …………..failed
WARNING: do not use the standard AIX user-management commands for this, because their changes are made on the base system and are not reflected in the chrooted directory.
Check the lastlog file and set unsuccessful_login_count back to 0. With loginretries = 5 in the default stanza of /etc/security/user (see below), the account is locked once five consecutive logins have failed; here the counter stands at 141.
[root@sftpserver]/sftp/etc/security# vi lastlog
userftp:
        time_last_login = 1290609729
        tty_last_login = ssh
        host_last_login = 10.10.10.6
        unsuccessful_login_count = 141
        time_last_unsuccessful_login = 1290676803
        tty_last_unsuccessful_login = ssh
        host_last_unsuccessful_login = 10.10.10.5
Check that the userftp account is not locked; otherwise change the account_locked parameter for that user (below, only the sshd account carries account_locked = true; usersftp inherits account_locked = false from the default stanza).
[root@sftpserver]/sftp/etc/security# cat user
default:
        admin = false
        login = true
        su = false
        daemon = true
        rlogin = false
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 5
        account_locked = false
        loginretries = 5
        histexpire = 13
        histsize = 24
        minage = 1
        maxage = 0
        maxexpired = 13
        minalpha = 2
        minother = 2
        minlen = 10
        mindiff = 2
        maxrepeats = 4
        dictionlist =
        pwdchecks =
        default_roles =

sshd:
        admin = false
        account_locked = true
        login = false
        rlogin = false

usersftp:
        admin = false
        maxage = 0
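The two edits above (reset unsuccessful_login_count in lastlog, clear account_locked in user) done without opening vi, as an added example that is not part of the original note: one function sets a single "key = value" inside a single stanza and leaves every other stanza untouched, writing the result back through cat so the file keeps its inode and therefore its root:security mode shown in the listing. It assumes the AIX stanza layout shown above and fails (exit 1) if the user's stanza is absent; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original note: set one "key = value" inside
# one stanza of an AIX stanza file, leaving every other stanza untouched.
# Assumptions: stanza layout as shown above ("name:" in column 1, indented
# attributes, "*" comment lines). Exit status 1 if the stanza is absent.

stanza_set() {   # $1 = file, $2 = stanza name, $3 = key, $4 = value
    awk -v name="$2" -v key="$3" -v val="$4" '
        function finish() {            # leaving the target stanza: add the key if absent
            if (inside && !done) printf "\t%s = %s\n", key, val
            inside = 0
        }
        /^[^ \t*]+:[ \t]*$/ {          # stanza header
            finish()
            hdr = $0; sub(/[ \t]+$/, "", hdr)
            inside = (hdr == (name ":")); done = 0
            if (inside) seen = 1
            print; next
        }
        inside && !NF       { finish(); print; next }     # blank line ends the stanza
        inside && $1 == key { printf "\t%s = %s\n", key, val; done = 1; next }
        { print }
        END { finish(); if (!seen) exit 1 }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"   # cat keeps the inode, mode and owner
    rc=$?
    rm -f "$1.tmp"
    return $rc
}

# Clear the failed-login counter and the lock for sftp user $2 in chroot $1,
# i.e. the two manual edits described above, without touching the base system.
unlock_sftp_user() {
    stanza_set "$1/etc/security/lastlog" "$2" unsuccessful_login_count 0 &&
    stanza_set "$1/etc/security/user"    "$2" account_locked false
}

# Usage on the server, as root:  unlock_sftp_user /sftp userftp
if [ $# -eq 2 ]; then unlock_sftp_user "$1" "$2"; fi
```

The counter is edited only in the chroot's own lastlog, which is the one the chrooted sshd consults; chuser or the base system's lastlog would not affect it, as the warning above says.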