Restrict SSH User Access to a Certain Directory Using a Chrooted Jail


There are several reasons to restrict an SSH user session to a particular directory, especially on web servers, but the obvious one is system security. In order to lock SSH users in a certain directory, we can use the chroot mechanism.

change root (chroot) in Unix-like systems such as Linux is a means of separating specific user operations from the rest of the Linux system; it changes the apparent root directory for the current running user process and its child processes to a new root directory called a chrooted jail.

In this tutorial, we will show you how to restrict an SSH user's access to a given directory in Linux. Note that we will run all the commands as root; use the sudo command if you are logged into the server as a normal user.

Step 1: Create SSH Chroot Jail

1. Start by creating the chroot jail using the mkdir command below:

# mkdir -p /home/test

2. Next, identify the required files. According to the sshd_config man page, the ChrootDirectory option specifies the pathname of the directory to chroot to after authentication. The directory must contain the necessary files and directories to support a user's session.

For an interactive session, this requires at least a shell, typically sh, and basic /dev nodes such as null, zero, stdin, stdout, stderr, and tty devices:

# ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

3. Now, create the /dev files as follows using the mknod command. In the command below, the -m flag is used to specify the file permission bits, c means character device file, and the two numbers are the major and minor numbers that the files point to.

# mkdir -p /home/test/dev/		
# cd /home/test/dev/
# mknod -m 666 null c 1 3
# mknod -m 666 tty c 5 0
# mknod -m 666 zero c 1 5
# mknod -m 666 random c 1 8

4. Afterwards, set the appropriate permissions on the chroot jail. Note that the chroot jail and its subdirectories and subfiles must be owned by the root user, and not writable by any normal user or group:

# chown root:root /home/test
# chmod 0755 /home/test
# ls -ld /home/test

Step 2: Set Up an Interactive Shell for the SSH Chroot Jail

5. First, create the bin directory and then copy the /bin/bash binary into the bin directory as follows:

# mkdir -p /home/test/bin
# cp -v /bin/bash /home/test/bin/

6. Now, identify the shared libraries that bash requires, as shown below, and copy them into the lib directory:

# ldd /bin/bash
# mkdir -p /home/test/lib64
# cp -v /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/test/lib64/

Step 3: Create and Configure the SSH User

7. Now, create the SSH user with the useradd command and set a secure password for the user:

# useradd tecmint
# passwd tecmint

8. Create the chroot jail's general configuration directory, /home/test/etc, and copy the updated account files (/etc/passwd and /etc/group) into this directory as follows:

# mkdir /home/test/etc
# cp -vf /etc/{passwd,group} /home/test/etc/

Note: Each time you add more SSH users to the system, you will need to copy the updated files into the /home/test/etc directory.

Step 4: Configure SSH to Use the Chroot Jail

9. Now, open the sshd_config file.

# vi /etc/ssh/sshd_config

and add/modify the lines below in the file.

#define username to apply chroot jail to
Match User tecmint
#specify chroot jail
ChrootDirectory /home/test

Save the file and exit, and restart the SSHD service:

# systemctl restart sshd
OR
# service sshd restart

Step 5: Testing SSH with the Chroot Jail

10. At this point, test whether the chroot jail setup is working as expected:

# ssh [email 
-bash-4.1$ ls
-bash-4.1$ date
-bash-4.1$ uname

From the session above, we can see that the SSH user is locked in the chrooted jail and can't run any external commands (ls, date, uname, etc.).

The user can only execute bash and its builtin commands (pwd, history, echo, etc.), as seen below:

# ssh [email 
-bash-4.1$ pwd
-bash-4.1$ echo "Tecmint - Fastest Growing Linux Site"
-bash-4.1$ history

Step 6: Create the SSH User's Home Directory and Add Linux Commands

11. From the previous step, we can notice that the user is locked in the root directory of the jail. We can create a home directory for the SSH user like so (do this for all future users):

# mkdir -p /home/test/home/tecmint
# chown -R tecmint:tecmint /home/test/home/tecmint
# chmod -R 0700 /home/test/home/tecmint

12. Next, install a few useful commands such as ls, date and mkdir in the bin directory:

# cp -v /bin/ls /home/test/bin/
# cp -v /bin/date /home/test/bin/
# cp -v /bin/mkdir /home/test/bin/

13. Next, check the shared libraries for the commands above and copy them into the chrooted jail's library directory:

# ldd /bin/ls
# cp -v /lib64/{libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} /home/test/lib64/
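As an added example (not part of the original article), the helpers below automate steps 6 and 13 (copy a binary together with the libraries ldd reports into the jail, preserving their paths) and pre-check the ownership and mode rules that sshd enforces on every component of ChrootDirectory before it allows a login. Function names are hypothetical; the script assumes GNU coreutils (stat -c) and ldd are available.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat and ldd.

# Print the library paths from ldd output read on stdin. Handles both
# "libc.so.6 => /lib64/libc.so.6 (0x...)" and "/lib64/ld-linux-x86-64.so.2
# (0x...)" lines, and ignores the virtual linux-vdso.so.1 entry.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Copy a binary and its libraries into the jail, keeping their paths
# (so /lib64/libc.so.6 lands at $jail/lib64/libc.so.6, as in the article).
jail_copy_bin() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")" && cp -p "$bin" "$jail$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")" && cp -p "$lib" "$jail$lib"
    done
}

# Mode check: a jail path component must not be writable by group or others,
# otherwise sshd logs "bad ownership or modes for chroot directory" and
# refuses the login. The leading 0 makes the shell parse the mode as octal.
dir_mode_ok() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Ownership check: every component must be owned by root (uid 0).
dir_owner_ok() {
    [ "$(stat -c %u "$1")" = 0 ]
}

# Walk every component from / down to the jail and apply both checks,
# reporting the first offending component on stderr.
jail_path_ok() {
    path=$(cd "$1" && pwd -P) || return 1
    old_ifs=$IFS; IFS='/'; set -- $path; IFS=$old_ifs
    dir=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        dir="$dir/$part"
        dir_owner_ok "$dir" || { echo "not root-owned: $dir" >&2; return 1; }
        dir_mode_ok "$dir" || { echo "group/other writable: $dir" >&2; return 1; }
    done
}
```

Typical use is `jail_copy_bin /home/test /bin/ls` for each command you want inside the jail, followed by `jail_path_ok /home/test` before restarting sshd.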

Step 7: Testing SFTP with the Chroot Jail

14. Do a final test using sftp, and check whether the commands you just installed are working.

Add the line below in the /etc/ssh/sshd_config file:

#Enable sftp to chrooted jail 
ForceCommand internal-sftp

Save the file and exit. Then restart the SSHD service:

# systemctl restart sshd
OR
# service sshd restart

15. Now, try logging in with SSH; you will get the following error:

# ssh [email 

Try using SFTP as follows:

# sftp [email 

That's it for now! In this article, we showed you how to restrict an SSH user to a given directory (chrooted jail) in Linux. Use the comment section below to share your thoughts about this guide.