Differences

This shows you the differences between two versions of the page.

linux:nologin-rsync-only [2017/11/07 13:56] michael → linux:nologin-rsync-only [2017/11/08 10:26] (current) michael
Line 3: Line 3:
  
 <WRAP center box 100%> <WRAP center box 100%>
-===== Konfiguration ===== +===== Möglichkeit 1 - Konfiguration / Umsetzung mit Skript ===== 
-  - ''Create a new user (sftptestand make their shell /sbin/nologin:'' <code># useradd -s /sbin/nologin sftptest</code> +<wrap em>Achtung: __Es wird dringend empfohlen, die Möglichkeit 2 umzusetzen, da Möglichkeit 1 nicht zu 100% sicher ist.__</wrap> 
-  - ''Add a new group (sftponly) and add the user to that group:'' <code># groupadd sftponly + 
-# usermod -g sftponly sftptest</code> +  - ''Create a new user (pfrsyncas future rsync User:'' <code># useradd pfrsync</code> 
-  - ''Change permissions of the users home dir to be as follows:'' <code># chown root:root /home/sftptest +  - ''Add a new group (pfrsynconly) and add the user to that group:'' <code># groupadd pfrsynconly 
-# chmod 755 /home/sftptest </code> +# usermod -g pfrsynconly pfrsync</code> 
-  - ''Make a directory for the user (sftptest) to be able to scp to (a destination directory):'' <code># mkdir /home/sftptest/incoming +  - ''Set password for the pfrsync user.'' <code>passwd pfrsync</code> 
-# chown sftptest:sftptest /home/sftptest/incoming </code> +  - ''Create check_command Skript and set correct permissions as follows:'' <code># touch /home/pfrsync/check_command.sh 
-  - ''Set the password for the sftptest user.'' <code> # passwd sftptest </code+# chmod +x /home/pfrsync/check_command.sh 
-  - ''Add the following to /etc/ssh/sshd_config:'' <code> # vim /etc/ssh/sshd_config </code> <sxh bash; first-line: 1>#+# chown pfrsync:pfrsynconly /home/pfrsync/check_command.sh 
 + 
 +# vim /home/pfrsync/check_command.sh</code> <sxh bash; first-line: 1;>#!/bin/bash 
 +case $SSH_ORIGINAL_COMMAND in 
 + 'rsync'*) 
 +    $SSH_ORIGINAL_COMMAND 
 +    ;; 
 + *) 
 +    echo "Access Denied" 
 +    ;; 
 +esac 
 + </sxh
 +  - ''Modify /etc/ssh/sshd_config as following:'' <code> # vim /etc/ssh/sshd_config </code> <sxh bash; first-line: 1; highlight: [41-47];>#
 # sshd_config managed by puppet, do not edit by hand! # sshd_config managed by puppet, do not edit by hand!
 # #
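Review bot: the ForceCommand wrapper is created inside the restricted user's own home directory and then handed to that user (`chown pfrsync:pfrsynconly /home/pfrsync/check_command.sh`), so the rsync access the wrapper is meant to permit is enough to overwrite `/home/pfrsync/check_command.sh` with an unrestricted shell; this is the concrete reason the new heading's warning ("nicht zu 100% sicher") is justified, and the fix is to keep the wrapper root-owned outside any tree the user can write to (e.g. `/usr/local/bin/`, mode 0755) or to use the `rrsync` helper that ships with rsync. Two smaller points in the same script: the branch `'rsync'*)` accepts any command string that merely starts with `rsync`, and the unquoted `$SSH_ORIGINAL_COMMAND` is subject to word splitting and pathname expansion on attacker-controlled text, so match the form the client actually sends (`"rsync --server "*`) and run `set -f` before the expansion; the fallback `echo "Access Denied"` returns exit status 0, which a client interprets as success, so add `exit 1` there and write the message to stderr.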
Line 59: Line 71:
        PasswordAuthentication yes        PasswordAuthentication yes
        ForceCommand /home/pfrsync/check_command.sh        ForceCommand /home/pfrsync/check_command.sh
- </sxh> **NOTE**: The sshd stanza can be adjusted in three basic modes: + </sxh> 
-  * Using the **''%h''** directive to lock each user into their own home directory (see above example) + 
-  * Or using a single hardcoded directory name ->  ''ChrootDirectory /home/user/'' +  * **Keep in mind:** There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync" 
-  * Keep in mind: There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group sftponly" with "Match user sftptest"+ 
 +---- 
 + 
 +<wrap em>After all changes, restart sshd!</wrap> 
 + 
 +<code> 
 +# systemctl restart sshd 
 +</code>
 </WRAP> </WRAP>
 +
 +
 +----
 +
 +<WRAP center box 100%>
 +===== Möglichkeit 2 - Konfiguration / Umsetzung mit Lshell =====
 +<wrap em>__Sichere und unumgehbare Varante durch Restrictet Shell!__</wrap>
 +
 +  - ''Create a new user (pfrsync) as future rsync User:'' <code># useradd pfrsync</code>
 +  - ''Install lshell Package and add the user to it's group:'' <code># yum install lshell
 +# usermod -aG lshell pfrsync</code>
 +  - ''Set password for the pfrsync user.'' <code> # passwd pfrsync</code>
 +  - ''Replace default Shell for User "pfrsync" and make nessesary configuration changes:'' <code># chsh -s /usr/bin/lshell pfrsync
 +
 +# vim /etc/lshell.conf</code> <sxh bash; first-line: 1;># lshell.py configuration file
 +#
 +# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $
 +
 +[global]
 +logpath         : /var/log/lshell/
 +loglevel        : 2
 +#syslogname      : myapp
 +
 +[default]
 +allowed         : ['ls','cd','ll']
 +forbidden       : [';', '&', '|','`','>','<', '$(', '${']
 +##  number of warnings when user enters a forbidden value before getting
 +##  exited from lshell, set to -1 to disable.
 +warning_counter : 2
 +aliases         : {'ll':'ls -l', 'vim':'rvim'}
 +
 +##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
 +#overssh         : ['ls', 'rsync']
 +
 +##  logging strictness. If set to 1, any unknown command is considered as
 +##  forbidden, and user's warning counter is decreased. If set to 0, command is
 +##  considered as unknown, and user is only warned (i.e. *** unknown synthax)
 +strict          : 0
 +
 +##  force files sent through scp to a specific directory
 +#scpforce        : '/home/bla/uploads/'
 +
 +##  history file maximum size
 +#history_size     : 100
 +
 +##  set history file name (default is /home/%u/.lhistory)
 +#history_file     : "/home/%u/.lshell_history"
 +
 +[pfrsync]
 +path            : ['/var/lib/pulp', '/home/pfrsync']
 +home_path       : '/var/lib/pulp'
 +overssh         : ['ls', 'rsync']
 +##  define the script to run at user login
 +#login_script     : "/path/to/myscript.sh"
 + </sxh>
 +  - ''Modify /etc/ssh/sshd_config as following:'' <code> # vim /etc/ssh/sshd_config </code> <sxh bash; first-line: 1; highlight: [41-47];>#
 +# sshd_config managed by puppet, do not edit by hand!
 +#
 +
 +Port 22
 +ListenAddress 172.31.130.28
 +Protocol 2
 +HostKey /etc/ssh/ssh_host_rsa_key
 +HostKey /etc/ssh/ssh_host_ecdsa_key
 +LoginGraceTime 2m
 +
 +PermitRootLogin no
 +StrictModes yes
 +DSAAuthentication yes
 +AuthorizedKeysFile /etc/ssh/authorized_keys/%u
 +HostbasedAuthentication no
 +IgnoreRhosts yes
 +PasswordAuthentication no
 +PermitEmptyPasswords no
 +
 +ChallengeResponseAuthentication no
 +UsePAM yes
 +
 +X11Forwarding yes
 +UsePrivilegeSeparation yes
 +
 +Subsystem       sftp    /usr/libexec/openssh/sftp-server
 +ClientAliveInterval 60
 +ClientAliveCountMax 5
 +AllowTcpForwarding yes
 +
 +LogLevel INFO
 +MaxAuthTries 4
 +PermitUserEnvironment no
 +Ciphers aes128-ctr,aes192-ctr,aes256-ctr
 +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 +MACs hmac-sha2-256,hmac-sha2-512
 +PubkeyAuthentication yes
 +AllowAgentForwarding yes
 +
 +Match group pfrsync
 +       X11Forwarding no
 +       AllowTcpForwarding no
 +       AllowAgentForwarding no
 +       PasswordAuthentication yes
 + </sxh>
 +
 +  * <wrap em>Keep in mind:</wrap> There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"
 +
 +----
  
 <wrap em>After all changes, restart sshd!</wrap> <wrap em>After all changes, restart sshd!</wrap>
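Review bot: the `Match group pfrsync` block in the Option 2 sshd_config does not correspond to any group the Option 2 steps create (they only run `usermod -aG lshell pfrsync`), and the "Keep in mind" bullet right after it still talks about replacing "Match group pfrsynconly", which Option 2 never creates either; the block only works because `useradd pfrsync` on this distribution creates a user-private group of the same name. Either state that dependency or switch to `Match User pfrsync`, which the bullet recommends anyway and which keeps applying if the primary group is ever changed. Also worth spelling out: the Option 2 Match block carries no `ForceCommand`, so the whole rsync-only restriction rests on `/usr/bin/lshell` being the login shell and on `overssh : ['ls', 'rsync']` in `/etc/lshell.conf`; since `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` is already root-controlled, a key-only login with a `command=`/`restrict` entry in that file would add an sshd-enforced layer that does not depend on lshell, and would make the per-group `PasswordAuthentication yes` override unnecessary.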
Line 71: Line 195:
 </code> </code>
  
 +</WRAP>
 +
 +
 +----
 +
 +===== Weiteres: =====
 +
 +  * ''**[[linux:lshell|Restrict SSH Access for User with LShell (Limited Shell)]]**''
  • linux/nologin-rsync-only.1510059404.txt.gz
  • Last modified: 2017/11/07 13:56
  • by michael