
Re: Jailing sshd



Felipe Törnvall N. wrote:

On Thursday 19 January 2006 19:54, Pedro A. wrote:
Hi list. I have spent a few days now trying to put the kitten in the
cage (bad joke). I am trying to build a very hardened machine, and one
of the requirements I want to meet is to jail the sshd daemon in a
directory tree. For example, I don't want the rm command to be
available.

   To do that I followed the guide on this site:
http://gcubo.org/documentacion/recetas/makejail and I have also patched
in some things I saw on this other site:
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

   The thing is that, despite having followed all the instructions,
there are two things that do not work and that have me stuck.

      1. sshd sends no information to syslog; I have changed the
recommended option in the ksyslogd file and created the symbolic link
in the /dev/ directory of the chrooted environment.
      2. sshd, although it starts as a service, does not let me log in.
__________________________________________________________________________
Check which users you have allowed to access your ssh.
To give you an example, I use phantom users and they log into real accounts; maybe you did that without noticing.... check the sshd conf

regards !!!!!!!

Phantom users? I don't know exactly what you mean. In any case, I have repeated the whole process on a fresh installation and I still have the same problem.
At the very end, when I try to log in, it shows me this error:
Permission denied (publickey, keyboard-interactive)

From this I deduce that the jailed sshd is denying authentication both by public key and by password, but why? The configuration is the same as on the system where I could log in.


I attach the configuration files: sshd.py, the sshd_config from the jailed environment and finally the passwd from the jailed environment.

sshd_config:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

Subsystem	sftp	/usr/lib/sftp-server

UsePAM yes

sshd.py:

# Makejail configuration file for sshd
# 
# Created by Javier Fernandez-sanguino Peña  <jfs@computer.org>
# Thu, 29 Aug 2002 23:44:51 +0200
#
chroot="/opt/Math"
forceCopy=["/etc/ssh/ssh_host*","/etc/ssh/sshd*","/etc/ssh/moduli",
	"/etc/pam.conf","/etc/security/*","/etc/pam.d/ssh","/etc/pam.d/other",
	"/etc/hosts","/etc/nsswitch.conf",
	"/var/run/sshd","/lib/security/*",
	"/etc/shells", "/etc/nologin","/etc/environment","/etc/motd",
	"/etc/shadow","/etc/hosts*",
	"/bin/*sh", "/lib/libnss*",
	"/dev/pt*","/dev/ttyp[0-9]*"]

# Remove this if you want to make configuration changes *outside* of the
# chroot environment
# preserve=["/etc/","/home/","/dev/"]
# otherwise just do this:
preserve=["/dev/","/home"]
packages=["gcc","make","g77","fileutils","libg2c0","libg2c0-dev"]


# Besides the sshd user (needed after 3.4p1) any user which is going to
# be granted access to the ssh daemon should be added to 'users' and
# 'groups'.
userFiles=["/etc/passwd","/etc/shadow"]
groupFiles=["/etc/group","/etc/gshadow"]
users=["sshd","damaso"]
groups=["sshd","damaso"]

testCommandsInsideJail=["start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd"]
testCommandsOutsideJail=["ssh localhost"]

processNames=["sshd"]

# Changes to do to jail sshd:
# 1.- start makejail with this configuration file
# it might not be able to start the daemon since the daemon tries to
# access /dev/log (handled by syslogd)
#
# 2.- In init.d's startup script (/etc/init.d/sshd):
# replace "start-stop-daemon ..." with "chroot /var/chroot/sshd start-stop-daemon ..."
#
# 3.- configure syslog to also listen to the socket /var/chroot/sshd/dev/log, 
# restart sysklogd. 
# (for Debian) This can be done by changing the SYSLOGD option in
# /etc/init.d/syslogd to
# SYSLOGD="-p /dev/log -p /var/chroot/sshd/dev/log"
#
# 4.- Create the user directories under /home and copy their files there
#
# 5.- Users will not be able to do a single thing in the restricted environment
#     besides running their shell. You will have to add some utilities
#     to the chrooted environment. Try adding this to the configuration
# packages=["fileutils"]
#     You can add any other Debian packages you want users to have access
#     to.
# 
# WARNING: this configuration file has only been slightly tested. 
#          It has not been thoroughly tested yet.

passwd:

damaso:x:1000:1000:Pedro A. Dámaso,,,:/home/damaso:/bin/bash
sshd:x:101:65534::/var/run/sshd:/bin/false

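As an added example (not code from this thread or from makejail), a small Python parser that reads an sshd_config such as the one posted above and reports which authentication methods the server will offer; the method list in the client's "Permission denied (...)" message comes from these same settings, so comparing the two is a quick first check that the jailed sshd_config actually allows the method being attempted. It assumes the classic OpenSSH defaults (PubkeyAuthentication, PasswordAuthentication and ChallengeResponseAuthentication all default to yes) and only looks at the keywords that decide the method list.

```python
# Added example: derive the authentication methods an OpenSSH server offers
# from an sshd_config. Assumed defaults are the classic OpenSSH ones; they
# are applied only when the keyword is absent or commented out.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return {keyword (lowercase): value} for the active lines of an
    sshd_config. sshd honours the first occurrence of a keyword, so later
    duplicates are ignored here as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument may be separated by whitespace or one '='
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def offered_methods(conf):
    """Map the effective settings to the method names the client sees in
    the 'Permission denied (...)' message."""
    def setting(key):
        return conf.get(key, DEFAULTS[key]).lower()

    methods = []
    if setting("pubkeyauthentication") == "yes":
        methods.append("publickey")
    if setting("passwordauthentication") == "yes":
        methods.append("password")
    if setting("challengeresponseauthentication") == "yes":
        methods.append("keyboard-interactive")
    return methods


# Constructed excerpt with the lines of the posted jail config that matter.
POSTED_CONFIG = """\
PubkeyAuthentication yes
#ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    print("server offers:", ",".join(offered_methods(parse_sshd_config(POSTED_CONFIG))))
```

With UsePAM yes, the keyboard-interactive method is backed by the PAM stack, so the jail must also contain the /etc/pam.d and /lib/security files listed in the forceCopy entries of sshd.py.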