Grz*_*cki 2 chroot login ssh authentication pam
如何ssh使用空密码创建正确的安全帐户以运行受信任的二进制文件?我想为随机用户制作一种“虚拟 ssh Kiosk”,同时限制 ssh“伪用户”后面的“演示应用程序”。
通过“安全”,我的意思是“为随机访问者运行演示应用程序的服务器是安全的”。基本上以类似于 https 服务网站的方式为 ssh 帐户后面的应用程序提供服务。
(为了这个问题,我们假设我们信任/bin/cat或/usr/bin/cat- 取决于服务器的系统,请检查您的which echo)
在处理https://goo.gl/TjhrWd 时,我遇到了将密码设为空的问题。PAM 拒绝它。
这是我在为用户设置密码时使用和工作的配置cat- 它也在https://goo.gl/TjhrWd 中描述:
# below configured on Ubuntu Server 14.04 LTS
addgroup catonly
CHROOT=/var/chroot/cat
# now let's make pseudo-shell binary, executing your ForceCommand (check source)
# you can use bash as default shell instead, I prefer sth less bloated.
cd /tmp
wget 'https://gist.githubusercontent.com/gwpl/abcbc74c2bf377945a49097237edfb9b/raw/1993e8acc4bd66329959b1a658fcce4296d2a80c/only_exec_command.c'
gcc only_exec_command.c -static -o only_exec_command
mkdir -p "$CHROOT"/{bin,lib,lib64,dev/pts,home/cat}
chown root:root /var/chroot "$CHROOT"
# dependig on distro it might be /usr/bin/cat -> check with `which cat`
useradd -d /home/cat -s /bin/only_exec_command -M -N -g catonly cat
passwd -d cat
# Let's make chroot
cp /tmp/only_exec_command "$CHROOT"/bin/
cp /bin/cat "$CHROOT"/bin/
mknod -m 666 "$CHROOT"/dev/null c 1 3
ldd /bin/cat # tells us which libraries to copy
cp /lib/x86_64-linux-gnu/libc.so.6 "$CHROOT"/lib
cp /lib64/ld-linux-x86-64.so.2 "$CHROOT"/lib64
chown cat:catonly "$CHROOT"/home/cat
chown root:root /var/chroot/cat /var/chroot /var
$ $EDITOR /etc/ssh/sshd_config # add:
Match user cat
ChrootDirectory /var/chroot/cat
X11Forwarding no
AllowTcpForwarding no
# dependig on distro it might be /usr/bin/cat -> check with `which cat`
ForceCommand /bin/cat
PasswordAuthentication yes
PermitEmptyPasswords yes
但是尝试ssh,导致要求输入密码,并在拒绝中提供空结果:
ssh echo@1.2.3.4
echo@1.2.3.4's password:
Permission denied, please try again.
在调试模式下运行的服务器端,日志中没有什么有趣的,让我引用服务器端的部分,在登录时,输入空密码后:
/usr/sbin/sshd -ddd -p 1234
(...)
debug1: userauth-request for user echo service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for echo: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 13
Failed password for echo from 192.168.1.1 port 43816 ssh2
debug3: mm_auth_password: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
您还需要PAM说明您希望允许空密码。有一些过时的教程描述了这一点。但简而言之:
sudo sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth
应该做的工作。