

ssh

ssh github

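# Alias for GitHub: `ssh -T github.com` and git remotes of the form git@github.com:...
Host github.com
	HostName github.com
	User git
	IdentityFile ~/.ssh/github
	# Offer only the key named above. Without this ssh also tries every key the
	# agent holds, which can exhaust the server's MaxAuthTries and reveals the
	# public halves of unrelated keys to the server.
	IdentitiesOnly yes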

ssh chroot

Sources

Create the jail root. sshd only accepts a ChrootDirectory whose every path component is owned by root and not writable by group or others.

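# Jail root. sshd refuses the chroot unless this directory (and every parent)
# is owned by root and not group/other writable, so set that explicitly
# rather than relying on the current umask.
mkdir -p /home/chroot
chown root:root /home/chroot
chmod 755 /home/chroot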

Copy the binaries and their shared libraries into the jail (run as root)

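#!/usr/bin/env bash
#
# Populate the ssh jail (/home/chroot) with a minimal set of binaries, every
# shared library they need, the /dev nodes sshd_config(5) lists as required
# for an interactive session, and terminfo data for curses programs.
#
# Must run as root (mknod, writing under /home/chroot). Re-running is safe:
# files are copied again, existing device nodes are left alone.
#
# Keep the list to trusted system binaries: ldd hands the file to the dynamic
# loader, so it must never be run on untrusted executables.
set -euo pipefail

readonly JAIL=/home/chroot

# Binaries exposed inside the jail. Entries missing on this host are skipped
# with a message on stderr. Two caveats:
#   - ps reads /proc, which this script does not mount inside the jail.
#   - ping may rely on a setuid bit (kept by cp -p) or on file capabilities
#     (not kept by cp -p); verify it after the copy.
readonly -a APPS=(
  /usr/bin/whoami
  /bin/uname
  /usr/bin/groups
  /bin/bash
  /bin/cp
  /bin/ls
  /bin/mkdir
  /bin/mv
  /bin/rm
  /bin/rmdir
  /usr/bin/id
  /usr/bin/rsync
  /usr/bin/scp
  /usr/bin/wget
  /usr/bin/vim
  /usr/bin/vi
  /bin/cat
  /bin/less
  /usr/bin/tail
  /usr/bin/clear
  /bin/chmod
  /bin/sh
  /bin/grep
  /bin/gzip
  /bin/gunzip
  /bin/more
  /bin/pwd
  /bin/ping
  /bin/ps
  /bin/sed
  /usr/bin/env
  /usr/bin/host
  /usr/bin/less
  /usr/bin/nslookup
  /usr/bin/dircolors
)

# Scratch file for the collected ldd output: mktemp instead of a fixed name
# inside the jail, and removed on every exit path.
ldd_out=$(mktemp)
trap 'rm -f -- "$ldd_out"' EXIT

cd "$JAIL"   # set -e aborts here if the jail root does not exist

# home/ is where the user's directory is moved later; creating it here as
# root satisfies sshd's ownership check on every ChrootDirectory component.
mkdir -p bin dev lib lib64 home

# Device nodes. sshd_config(5) names null, zero and tty as the minimum for an
# interactive session; mknod refuses to overwrite, hence the existence guards.
[[ -e dev/null ]] || mknod dev/null c 1 3
[[ -e dev/zero ]] || mknod dev/zero c 1 5
[[ -e dev/tty ]]  || mknod dev/tty  c 5 0
chmod 0666 dev/null dev/zero dev/tty

#######################################
# Copy a host file to the same absolute path below the jail root (the cwd).
# Arguments: $1 - absolute source path on the host
#            remaining args - extra options passed to cp (e.g. -p)
#######################################
copy_into_jail() {
  local src=$1
  shift
  mkdir -p -- ".${src%/*}"
  # Source symlinks are dereferenced, so the jail receives the real file.
  cp "$@" -- "$src" ".$src"
}

for app in "${APPS[@]}"; do
  if [[ ! -x "$app" ]]; then
    printf 'skipping %s: not present or not executable\n' "$app" >&2
    continue
  fi
  copy_into_jail "$app" -p   # -p keeps mode, owner and timestamps
  # ldd exits non-zero for statically linked binaries; that is not an error.
  ldd "$app" >> "$ldd_out" || true
done

# Every absolute path in the ldd output: the libraries themselves and the ELF
# interpreter (e.g. /lib64/ld-linux-x86-64.so.2), each copied once.
while IFS= read -r lib; do
  copy_into_jail "$lib"
done < <(grep -o '/[^[:space:]]*' "$ldd_out" | sort -u)

# Terminal descriptions for less/vim/clear. Some distributions (Debian) ship a
# minimal set in /lib/terminfo; where only /usr/share/terminfo exists this step
# is skipped and the database has to be copied by hand.
if [[ -d /lib/terminfo ]]; then
  cp -r /lib/terminfo ./lib/
fi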

Move the user's files to the jail

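# The jail has no home/ yet: create it root-owned first (sshd requires that
# for every path component under ChrootDirectory), otherwise mv fails or
# renames the user's directory to /home/chroot/home instead of moving it.
mkdir -p /home/chroot/home
mv /home/myuser /home/chroot/home/

# Inside the jail /home/chroot is "/", so the moved directory appears as
# /home/myuser again and matches the passwd entry; the symlink keeps that same
# path working outside the jail (cron, mail, non-jailed tools).
ln -s /home/chroot/home/myuser /home/myuser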

Change the perms on this folder

# Owner only: read, write and traverse; nothing for group or others.
chmod u=rwx,g=,o= /home/chroot/home/myuser

Set the config in /etc/ssh/sshd_config

Use the sftp server built into sshd

# Use the sftp server compiled into sshd instead of the external binary, so
# nothing sftp-related has to be copied into the jail.
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
The difference is that `internal-sftp` runs inside the sshd process, so no `sftp-server` binary (nor its libraries) has to be copied into the jail; the external `sftp-server` would have to exist inside the chroot to work.

Define a rule for the user (or group)

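# Settings that apply only to this user; "Match Group <name>" works the same
# way for a whole group.
Match User myuser
  # Jail root. sshd refuses the session unless this directory and every parent
  # are owned by root and not writable by group or others.
  ChrootDirectory /home/chroot
  # A jailed session has no business opening tunnels, X11 or agent sockets.
  AllowTCPForwarding no
  X11Forwarding no
  AllowAgentForwarding no
# "Match all" is the documented way to end the conditional section and return
# to global scope; sshd_config(5) only defines Match with criteria or "all".
Match all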

Then we need to define an environment.

To avoid a prompt such as `I have no name!@machine` — bash falls back to that when it cannot resolve the session's uid to a name, which happens when the jail has no `/etc/passwd` (and `/etc/group`) entry for the user — create minimal `/etc/passwd` and `/etc/group` files inside the jail that contain that user, and define the environment variables the shell expects (`HOME`, `PATH`, `TERM`).

ssh tunnels

Local / Remote

  • A = 4321
  • B = 127.0.0.1
  • C = 3306
  • D = me@myserver.com

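# Listen on 127.0.0.1:4321 on this machine; each connection is carried over
# the ssh session to myserver.com and delivered there to 127.0.0.1:3306, i.e.
# the MySQL port of myserver.com itself. The explicit loopback bind address
# keeps the listener unreachable from other hosts even if GatewayPorts is
# enabled in ssh_config.
ssh -N -L 127.0.0.1:4321:127.0.0.1:3306 me@myserver.com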
The command listens on local port A (4321). Each connection to it is sent through the ssh session to D (me@myserver.com), which then connects to host B (127.0.0.1, i.e. myserver.com itself as seen from there) on port C (3306).

  • -N = do not execute a remote command (no shell is opened; only the forwarding is set up)
  • -L = local forwarding: the listening port is on the client. -R is the reverse: the listening port is on the remote server and connections to it are sent back to the client.

Then we can use :

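# Connect through the tunnel. The port must be the local -L port (4321 above);
# the original used 4444, where nothing is listening.
mysql -h 127.0.0.1 -P 4321 -u user -p mybase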

Dynamic

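# SOCKS proxy on 127.0.0.1:4321; every connection made through it leaves from
# myserver.com. The explicit loopback bind keeps the open proxy off the LAN
# even if GatewayPorts is enabled in ssh_config.
ssh -N -D 127.0.0.1:4321 me@myserver.com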
Then we can configure the proxy clients to use SOCKS with 127.0.0.1 as host and 4321 as port.

sshfs

Source

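# Install as root ("#" is the root prompt). On current Debian/Ubuntu the
# transitional fuse-utils package may no longer exist; fuse (or fuse3) plus
# sshfs is enough.
# aptitude install fuse fuse-utils sshfs

# Mount the remote home directory on /mnt/tmp (the mount point must already
# exist). Authentication is the ordinary ssh login for login@server, so
# ~/.ssh/config aliases and keys apply.
sshfs login@server:/home/login/ /mnt/tmp/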

Unmount:

# Detach the FUSE mount; fusermount is the unprivileged counterpart of umount.
fusermount -u "/mnt/tmp/"

Example scripts

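#!/usr/bin/env bash
#
# sshmnt: mount an ssh host (an alias from ~/.ssh/config) with sshfs under
# ~/mnt/<folder name>, creating the mount point when it does not exist.
#
# Usage: sshmnt <ssh alias> <folder name>
set -euo pipefail

if (( $# < 2 )); then
  printf 'Usage : sshmnt <ssh alias> <folder name>\n' >&2
  exit 2   # a usage error must not look like success
fi

alias_name=$1
name=$2

# The folder name becomes a path component under ~/mnt; refuse anything that
# could leave that directory or be parsed as an option.
case "$name" in
  ''|*/*|.|..|-*)
    printf 'invalid folder name: %s\n' "$name" >&2
    exit 2
    ;;
esac

mnt="$HOME/mnt/$name"

if [[ ! -d "$mnt" ]]; then
  printf 'no ~/mnt/%s folder found. creating it\n' "$name" >&2
  # The original exited when mkdir *succeeded*; it has to exit when it fails.
  mkdir -p -- "$mnt" || exit 1
fi

# sshfs expects the source as "host:" or "host:path"; if a bare alias is
# rejected, pass it with a trailing colon (e.g. "myhost:").
sshfs "$alias_name" "$mnt"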

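#!/usr/bin/env bash
#
# Unmount an sshfs mount created under ~/mnt/<folder name>.
#
# Usage: <script name> <folder name>
set -euo pipefail

if (( $# < 1 )); then
  # The original printed "sshmnt" here, which is the mount script's name;
  # ${0##*/} reports whatever this script is actually installed as.
  printf 'Usage : %s <folder name>\n' "${0##*/}" >&2
  exit 2
fi

name=$1

# Same guard as the mount script: the name is a path component under ~/mnt.
case "$name" in
  ''|*/*|.|..|-*)
    printf 'invalid folder name: %s\n' "$name" >&2
    exit 2
    ;;
esac

mnt="$HOME/mnt/$name"

# The original printed a message (with the wrong parameter, $2) and then ran
# fusermount regardless; a missing mount point is an error.
if [[ ! -d "$mnt" ]]; then
  printf 'no ~/mnt/%s folder found.\n' "$name" >&2
  exit 1
fi

fusermount -u "$mnt"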
