Applying chroot to an sftp account on HP-UX
2011. 2. 22. 15:10
This is how to apply chroot to an account that uses only SFTP.
The server used for this test is 11iV2 PA with Secure Shell A.05.60.002.
host1:/opt/ssh/utils>swlist -l bundle |grep -i secure
OpenSSL A.00.09.07m.042 Secure Network Communications Protocol
T1471AA A.05.60.002 HP-UX Secure Shell
host1:/opt/ssh/utils>ll
total 144
-r-xr-xr-x 1 bin bin 1090 Sep 18 15:44 cpfiles_chroot_migrate.sh
-r-xr-xr-x 1 bin bin 1678 Sep 18 15:45 sftponly
-r-x------ 1 root sys 43544 Sep 18 15:46 ssh_chroot_setup.sh
-r-xr-xr-x 1 bin bin 1323 Sep 18 15:47 ssh_keyscan.sh
1. Create the account that will use sftp
host1:/opt/ssh/utils>useradd -m -d /home/sftptest -k /etc/skel -s /bin/sh sftptest
2. Apply chroot to the new account
host1:/opt/ssh/utils>sh ssh_chroot_setup.sh
Please wait. Chroot setup now checks for necessary files on the system
Note: /etc/nsswitch.conf not found
Completed...Press return key to continue... [Enter]
HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------
Select one of the option below
1.Configure a chroot enviroment
2.Exit
Enter your choice : 1 [Enter]
Chroot setup
---------------
User name (Maximum eight chars) : sftptest
chroot setup checks for user details
Enter the new root directory for sftptest with absolute path (or press return for default(/newroot)): /home/sftptest
---------------------------------
Select chroot secure shell option
----------------------------------
1 sftp
2 ssh & sftp & scp
press return key to skip this step
Option : 1 [Enter]
chroot setup for sftp operations
IMPORTANT NOTE:
This setup will make sure that sftp works in your chroot environment
It should not be interpreted as a restrictive sftp-only Shell.
This setup simply copies the files required for sftp to the appropriate directories under the newroot.
Now configuring the chroot environment for sftp ...finished
Summary
--------
Chroot-ed user : sftptest
Chroot-ed user's new root directory : /home/sftptest
Secure Shell configuration : SFTP
press Return key [Enter]
HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------
Select one of the option below
1.Configure a chroot enviroment
2.Exit
Enter your choice : 2 [Enter]
3. Copy the sftp-only shell
host1:/opt/ssh/utils>cp sftponly /opt/ssh/etc
host1:/opt/ssh/utils>chown bin:bin /opt/ssh/etc/sftponly
host1:/opt/ssh/utils>chmod 755 /opt/ssh/etc/sftponly
4. Change the sftp account's shell
host1:/opt/ssh/utils>vi /etc/passwd
[Before]
sftptest:*:121:20:chrooted user:/home/sftptest/./home/sftptest:/bin/sh
[After]
sftptest:*:121:20:chrooted user:/home/sftptest/./home/sftptest:/opt/ssh/etc/sftponly
5. Change permissions on the chroot directory
host1:/home/sftptest>mkdir opt/ssh/etc
host1:/home/sftptest>chmod 555 opt/ssh/etc
host1:/home/sftptest>chown bin:bin opt/ssh/etc
host1:/home/sftptest>cp /opt/ssh/etc/sftponly opt/ssh/etc
host1:/home/sftptest>chmod 555 opt/ssh/etc/sftponly
host1:/home/sftptest>chown bin:bin opt/ssh/etc/sftponly
host1:/home/sftptest>chmod 555 ./*
host1:/home/sftptest>chown bin:bin ./*
host1:/home>chown sftptest:users sftptest
6. Test after completing the setup
host1:/home>sftp sftptest@localhost
Password:
Connected to localhost.
sftp> ls
sftp> pwd
Remote working directory: /home/sftptest
sftp> cd /
sftp> pwd
Remote working directory: /
sftp> ls
bin dev etc home opt sbin usr var
sftp> ls -al [ Even though this is /, only the files created earlier are visible. ]
drwxr-xr-x 10 sftptest users 8192 Feb 22 13:05 .
drwxr-xr-x 10 sftptest users 8192 Feb 22 13:05 ..
-r--r--r-- 1 sftptest users 831 Feb 22 13:04 .cshrc
-r--r--r-- 1 sftptest users 347 Feb 22 13:04 .exrc
-r--r--r-- 1 sftptest users 333 Feb 22 13:04 .login
-r--r--r-- 1 sftptest users 438 Feb 22 13:04 .profile
-rw------- 1 sftptest users 2 Feb 22 13:05 .sh_history
dr-xr-xr-x 2 bin bin 96 Feb 22 13:06 bin
dr-xr-xr-x 2 bin bin 96 Feb 22 13:06 dev
dr-xr-xr-x 2 bin bin 96 Feb 22 13:06 etc
dr-xr-xr-x 3 bin bin 96 Feb 22 13:05 home
dr-xr-xr-x 4 bin bin 96 Feb 22 13:05 opt
dr-xr-xr-x 2 bin bin 96 Feb 22 13:05 sbin
dr-xr-xr-x 5 bin bin 96 Feb 22 13:05 usr
dr-xr-xr-x 3 bin bin 96 Feb 22 13:05 var
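
A check of the result of steps 4 and 5, as an added example that is not part of the original post: it confirms that the passwd entry carries the `/./` marker and the sftponly shell, and lists any non-hidden entry directly under the new root that still has a write bit. The function names, the scratch directory and the `incoming` directory are constructed for illustration, and reading the part before `/./` as the new root is an assumption based on the entry shown in step 4.

```shell
#!/bin/sh
# Added example (not from the original post): audit a chroot-ed sftp account.

# Prints "ok" and succeeds when USER's entry in PASSWD_FILE has a "/./" marker
# in its home field and the sftponly shell from step 4; else prints the reason.
check_passwd_entry() {
    line=$(grep "^$2:" "$1") || { echo "missing"; return 1; }
    home=$(echo "$line" | cut -d: -f6)
    shell=$(echo "$line" | cut -d: -f7)
    case "$home" in
        */./*) ;;
        *) echo "no-chroot-marker"; return 1 ;;
    esac
    [ "$shell" = "/opt/ssh/etc/sftponly" ] || { echo "shell=$shell"; return 1; }
    echo "ok"
}

# Assumption: the part of the home field before "/./" is the new root.
chroot_of() { echo "${1%%/./*}"; }

# Prints each non-hidden entry directly under ROOT that still has a write bit
# (step 5 sets these to 555, so a correct setup prints nothing).
writable_entries() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f" | cut -c2-10) in
            *w*) echo "${f##*/}" ;;
        esac
    done
}

# Constructed sample data in a scratch directory; "incoming" is hypothetical.
tmp=${TMPDIR:-/tmp}/sftpchk.$$
mkdir -p "$tmp/root/bin" "$tmp/root/incoming"
chmod 555 "$tmp/root/bin"; chmod 755 "$tmp/root/incoming"
echo 'sftptest:*:121:20:chrooted user:/home/sftptest/./home/sftptest:/opt/ssh/etc/sftponly' > "$tmp/passwd"
check_passwd_entry "$tmp/passwd" sftptest
chroot_of "$(grep '^sftptest:' "$tmp/passwd" | cut -d: -f6)"
writable_entries "$tmp/root"
chmod -R u+w "$tmp"; rm -rf "$tmp"
```

On a real host, pass `/etc/passwd` and the account's new root (here `/home/sftptest`) instead of the scratch files.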