linux:nologin-rsync-only

linux:nologin-rsync-only [2017/11/08 10:07] michael
linux:nologin-rsync-only [2017/11/08 10:26] (current) michael
Line 4: Line 4:
 <WRAP center box 100%> <WRAP center box 100%>
 ===== Möglichkeit 1 - Konfiguration / Umsetzung mit Skript ===== ===== Möglichkeit 1 - Konfiguration / Umsetzung mit Skript =====
-<wrap em>Achtung: Es wird dringend empfohlen, die Möglichkeit 2 umzusetzen, da Möglichkeit 1 nicht 100% sicher ist.</wrap>+<wrap em>Achtung: __Es wird dringend empfohlen, die Möglichkeit 2 umzusetzen, da Möglichkeit 1 nicht zu 100% sicher ist.__</wrap>
  
   - ''Create a new user (pfrsync) as future rsync User:'' <code># useradd pfrsync</code>   - ''Create a new user (pfrsync) as future rsync User:'' <code># useradd pfrsync</code>
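Review bot: the strengthened warning in the `<wrap em>` line still gives the reader no reason why Möglichkeit 1 is weaker, so they cannot weigh the risk for their own setup. One sentence after the warning would do, for example that the `check_command.sh` of this variant only tests whether `$SSH_ORIGINAL_COMMAND` begins with `rsync` and then executes it unchanged, so the boundary rests on rsync's own behaviour rather than on anything sshd enforces. The wording fix ("nicht zu 100% sicher") is fine.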
Line 71: Line 71:
        PasswordAuthentication yes        PasswordAuthentication yes
        ForceCommand /home/pfrsync/check_command.sh        ForceCommand /home/pfrsync/check_command.sh
- </sxh> **NOTE**: The sshd stanza can be adjusted in three basic modes:+ </sxh>
  
-  * Keep in mind: There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"+  * **Keep in mind:** There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"
  
 ---- ----
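Review bot: dropping the dangling `**NOTE**: The sshd stanza can be adjusted in three basic modes:` is right, since the three modes were never listed, but the surviving `Keep in mind` bullet still carries its grammar errors and should read "There is no need to create a group if only one user should have access. In that case replace "Match group pfrsynconly" with "Match user pfrsync"." While this stanza is being edited, `PasswordAuthentication yes` inside a `Match` block whose purpose is to confine an automation account deserves a comment: an rsync service user is normally given a key in `authorized_keys` (optionally restricted with `from=`), and `PasswordAuthentication no` for that Match removes the password-guessing surface entirely.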
Line 89: Line 89:
 <WRAP center box 100%> <WRAP center box 100%>
 ===== Möglichkeit 2 - Konfiguration / Umsetzung mit Lshell ===== ===== Möglichkeit 2 - Konfiguration / Umsetzung mit Lshell =====
-<wrap em>Sichere und unumgehbare Varante durch Restrictet Shell!</wrap>+<wrap em>__Sichere und unumgehbare Varante durch Restrictet Shell!__</wrap>
  
   - ''Create a new user (pfrsync) as future rsync User:'' <code># useradd pfrsync</code>   - ''Create a new user (pfrsync) as future rsync User:'' <code># useradd pfrsync</code>
-  - ''Add a new group (pfrsynconly) and add the user to that group:'' <code># groupadd pfrsynconly +  - ''Install lshell Package and add the user to it'group:'' <code># yum install lshell 
-# usermod -g pfrsynconly pfrsync</code>+# usermod -aG lshell pfrsync</code>
   - ''Set password for the pfrsync user.'' <code> # passwd pfrsync</code>   - ''Set password for the pfrsync user.'' <code> # passwd pfrsync</code>
-  - ''Create check_command Skript and set correct permissions as follows:'' <code># touch /home/pfrsync/check_command.sh +  - ''Replace default Shell for User "pfrsync" and make nessesary configuration changes:'' <code># chsh -s /usr/bin/lshell pfrsync 
-chmod +x /home/pfrsync/check_command.sh + 
-chown pfrsync:pfrsynconly /home/pfrsync/check_command.sh+vim /etc/lshell.conf</code> <sxh bash; first-line: 1;># lshell.py configuration file 
 +# 
 +# $Idlshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $
  
-# vim /home/pfrsync/check_command.sh</code> <sxh bash; first-line1;>#!/bin/bash +[global] 
-case $SSH_ORIGINAL_COMMAND in +logpath         : /var/log/lshell/ 
- 'rsync'*) +loglevel        
-    $SSH_ORIGINAL_COMMAND +#syslogname      : myapp 
-    ;; + 
- *+[default] 
-    echo "Access Denied+allowed         : ['ls','cd','ll'
-    ;; +forbidden       : [';', '&', '|','`','>','<', '$(', '${'
-esac+##  number of warnings when user enters a forbidden value before getting 
 +##  exited from lshell, set to -1 to disable. 
 +warning_counter : 2 
 +aliases         : {'ll':'ls -l', 'vim':'rvim'
 + 
 +##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.) 
 +#overssh         : ['ls', 'rsync'
 + 
 +##  logging strictness. If set to 1, any unknown command is considered as 
 +##  forbidden, and user's warning counter is decreased. If set to 0, command is 
 +##  considered as unknown, and user is only warned (i.e. *** unknown synthax
 +strict          : 0 
 + 
 +##  force files sent through scp to a specific directory 
 +#scpforce        : '/home/bla/uploads/' 
 + 
 +##  history file maximum size 
 +#history_size     : 100 
 + 
 +##  set history file name (default is /home/%u/.lhistory
 +#history_file     : "/home/%u/.lshell_history
 + 
 +[pfrsync] 
 +path            : ['/var/lib/pulp', '/home/pfrsync'
 +home_path       : '/var/lib/pulp' 
 +overssh         : ['ls', 'rsync'
 +##  define the script to run at user login 
 +#login_script     : "/path/to/myscript.sh"
  </sxh>  </sxh>
   - ''Modify /etc/ssh/sshd_config as following:'' <code> # vim /etc/ssh/sshd_config </code> <sxh bash; first-line: 1; highlight: [41-47];>#   - ''Modify /etc/ssh/sshd_config as following:'' <code> # vim /etc/ssh/sshd_config </code> <sxh bash; first-line: 1; highlight: [41-47];>#
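Review bot: the pasted `lshell.conf` is not usable as shown, so a reader who copies it gets a broken login shell: `loglevel` has no value, and every list, dict and string value is missing its closing delimiter (`allowed         : ['ls','cd','ll'`, `aliases         : {'ll':'ls -l', 'vim':'rvim'`, `#history_file     : "/home/%u/.lshell_history`, likewise the `forbidden`, `overssh` and `path` lists). These are Python-style literals and an unterminated literal cannot be parsed, so either the `<sxh>` block swallowed the closing `]`, `}` and `"` or the source file is truncated; restore them before publishing. Three smaller points on the same hunk: `strict          : 0` is the lenient setting (unknown commands only warn), and a single-purpose rsync account is exactly the case `strict : 1` exists for; `chsh -s /usr/bin/lshell pfrsync` fails unless `/usr/bin/lshell` is listed in `/etc/shells`, so state that the package adds it or add the check; and step 2 assumes the package creates an `lshell` group for `usermod -aG lshell pfrsync`, which should be verified, noting that the `[pfrsync]` section is selected by user name and not by that group. Spelling in the added text: "Varante" and "Restrictet" in the `<wrap em>` should be "Variante" and "Restricted", "nessesary" should be "necessary".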
Line 149: Line 178:
 AllowAgentForwarding yes AllowAgentForwarding yes
  
-Match group pfrsynconly +Match group pfrsync
-       #ChrootDirectory /var/lib/pulp+
        X11Forwarding no        X11Forwarding no
        AllowTcpForwarding no        AllowTcpForwarding no
        AllowAgentForwarding no        AllowAgentForwarding no
        PasswordAuthentication yes        PasswordAuthentication yes
-       ForceCommand /home/pfrsync/check_command.sh + </sxh>
- </sxh> **NOTE**: The sshd stanza can be adjusted in three basic modes:+
  
-  * Keep in mind: There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"+  * <wrap em>Keep in mind:</wrap> There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync"
  
 ---- ----
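Review bot: the `Keep in mind` bullet below the stanza is now stale: it tells the reader to replace "Match group pfrsynconly" with "Match user pfrsync", but the stanza in this revision reads `Match group pfrsync`, so the quoted text no longer exists in the page; update the bullet or revert to the group name actually used. Related, step 2 of this variant adds the user to the `lshell` group while sshd matches group `pfrsync`, which only exists if `useradd` created a per-user group; pick one group and use it in both places. Removing `ForceCommand /home/pfrsync/check_command.sh` is consistent with the lshell approach, since the login shell now carries the restriction, but the `PasswordAuthentication yes` line kept in the Match block deserves the same key-based-authentication consideration as in Möglichkeit 1.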
Line 167: Line 194:
 # systemctl restart sshd # systemctl restart sshd
 </code> </code>
 +
 </WRAP> </WRAP>
  
  
 +----
 +
 +===== Weiteres: =====
  
 +  * ''**[[linux:lshell|Restrict SSH Access for User with LShell (Limited Shell)]]**''
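Review bot: the new `===== Weiteres: =====` heading carries a trailing colon that none of the other `=====` headings on the page use, and the link is wrapped in both `''…''` (monospace) and `**…**` (bold), which renders a navigation link as inline code; a plain `  * [[linux:lshell|Restrict SSH Access for User with LShell (Limited Shell)]]` is enough. The blank line added before `</WRAP>` is harmless but adds nothing.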
  • linux/nologin-rsync-only.1510132027.txt.gz
  • Last modified: 2017/11/08 10:07
  • by michael