portforward only key based chroot ssh access without a shell for the user under 64 Bit 
/etc/ssh/sshd_config:
...
Match user USER
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
ChrootDirectory /home/USER

But if the client needs a login shell this failed.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user only can press return to disconnect:

sudo useradd USER -d /home/USER -s /bin/bash
sudo mkdir /home/USER
sudo chown USER:USER /home/USER
sudo su USER
cd
touch .hushlogin (is used to not display motd's)
mkdir .ssh
chmod 0700 .ssh
cd .ssh
ssh-keygen -t rsa -b 4096
mv id_rsa.pub authorized_keys
exit
sudo passwd -d USER
sudo chown root:root /home/USER (for sshd chroot)
sudo cp own_loginshell /home/USER/

move /home/USER/.ssh/id_rsa out to your test account and test with "ssh -i id_rsa USER@IP"

I had some troubles with a chrooted environment:


/etc/passwd USER:x:ID:ID::/home/USER:/own_loginshell

.hushlogin is NOT working and motd with last login is shown!
pam.d/sshd is running all scripts in /etc/update-motd.d.

Solution move .hushlogin to /home/USER/home/USER

To hide motd and have no delays at login we could add an exception in pam.d/sshd for our user USER

session [default=2 success=ignore] pam_succeed_if.so quiet user != USER

before

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

/etc/passwd USER:x:ID:ID::/:/own_loginshell

.hushlogin is working but before sshd is doing a chroot it checks the key against
authorized_keys based on our homedir (is / for chroot) wee need to

add "AuthorizedKeysFile /home/USER/.ssh/authorized_keys" to sshd_config

Compiling


For 64Bit there is something different to 32Bit and with my studies i compiled with

gcc -s -Os -nostdlib -ffreestanding own_loginshell.c -o own_loginshell

#> chroot /ROOTDIR ./own_loginshell
chroot: failed to run command ‘./own_loginshell’: No such file or directory

With

#> strace chroot /ROOTDIR ./own_loginshell

you only see

execve("./own_loginshell", ["./own_loginshell"], 0x7fff17d94fe8 /* 24 vars */) = -1 ENOENT (No such file or directory)

But with the help of "readelf -l own_loginshell" you see

[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]

You have to copy /lib64/ld-linux-x86-64.so.2 to CHROOT/lib64/

Or compile with "-static"

own_loginshell.c:
/*
simple program to print to stdout and read from stdin without libc for x86-64

taken from https://hero.handmade.network/forums/code-discussion/t/861-compiling_without_libc_on_linux

gcc -s -Os -nostdlib -ffreestanding -static own_loginshell.c -o own_loginshell
*/

#include <stddef.h>
#include <syscall.h>

static void exit(int code)
{
__asm__ __volatile__(
"syscall"
:
: "a"(__NR_exit)
: "cc", "rcx", "r11", "memory");
__builtin_unreachable(); // syscall above never returns
}

// returns negative value for error (for example, if error is EINVAL, then -EINVAL is returned)
static int write(int fd, const void *buf, size_t size)
{
long result;
__asm__ __volatile__(
"syscall"
: "=a"(result)
: "0"(__NR_write), "D"(fd), "S"(buf), "d"(size)
: "cc", "rcx", "r11", "memory");
return result;
}

static int read(int fd, char *buf, size_t size)
{
long result;
__asm__ __volatile__(
"syscall"
: "=a"(result)
: "0"(__NR_read), "D"(fd), "S"(buf), "d"(size)
: "cc", "rcx", "r11", "memory");
return result;
}

void _start()
{
char text[] = "press enter to close connection";

// for this example let's ignore result of write
// but you should really handle it
// 1 is stdout file handle
write(1, text, sizeof(text) - 1);
read(0, text, 1);

exit(0);
}


[ view entry ] ( 835 views )   |  print article
ssh otp 
Install oathtool.
sudo apt-get install oathtool libpam-oath

Generate a secret.
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

Generate the TOTP details, 6 digits long.
oathtool --verbose --totp $HEX_SECRET

Enter the base32 secret in Android FreeOTP.

Create and populate the /etc/security/users.oath file.
sudo bash -c "echo HOTP/T30 $USER - $HEX_SECRET >> /etc/security/users.oath"
sudo chmod 0600 /etc/security/users.oath

Forget the secret!
unset HEX_SECRET

prefix /etc/pam.d/sshd with
auth sufficient pam_oath.so usersfile=/etc/security/users.oath window=10 digits=6

Allow this in sshd and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config
sudo service ssh restart

Test with
ssh localhost

You should see:
One-time password (OATH) for `USER':

To avoid otp for some users prefix /etc/pam.d/sshd with
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2


[ view entry ] ( 1358 views )   |  print article
sftp and port forward only login 
I need a ssh login for restricted portforward but without a shell for the user.

This got realized with /etc/ssh/sshd_config:
...
Subsystem sftp internal-sftp

Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
ForceCommand internal-sftp
PermitOpen localhost:22
ChrootDirectory /home/USER

"PermitOpen"restricts portforward to localhost:22 (remote port forward is not restricted)

But if the client needs a login shell this failes.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user can only press return to disconnect:

/etc/ssh/sshd_config:
...
Subsystem sftp internal-sftp

Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
PermitOpen 127.0.0.1:2222
ChrootDirectory /home/USER

sudo touch /home/USER/.hushlogin
sudo cp own_loginshell /home/USER/
/etc/passwd:USER:x:ID:ID::/:/own_loginshell

own_loginshell.c:
/*
simple program to print to stdout and read from stdin without libc

taken from http://crazychenz.com/archives/107
(http://stackoverflow.com/questions/2548486/compiling-without-libc)

modified 2011 by Peter Holik (peter@holik.at)

gcc -nostdlib -nostartfiles -fno-builtin own_loginshell.c -o own_loginshell
*/

/* Types - I've defined these just to match the kernel's macros, typedefs, and structs */
typedef unsigned int size_t;

/* Syscalls */
exit(int error_code) {
/* The asm call is a GCC thing that allows us to put assembly
* inline with our C code. This particular use is the extended version,
* which provides a very clean and easy way to map variables in
* our code with registers in the assembly code.
*/
asm("int $0x80"
: // no output registers
: "a" (1), "b" (error_code)
);
}

size_t read(unsigned int fd, char * buf, size_t count) {
size_t ret;
/* In this call, we have a return value, which know will be
* of type size_t, so we put the value of %eax into ret.
*/
asm("int $0x80"
: "=a" (ret)
: "a" (3), "b" (fd), "c" (buf), "d" (count)
);
return ret;
}

size_t write(unsigned int fd, const char * buf, size_t count) {
size_t ret;
asm("int $0x80"
: "=a" (ret)
: "a" (4), "b" (fd), "c" (buf), "d" (count)
);
return ret;
}

/* Notice that there is no main in this code, that is because
* main is not _really_ required. All that is _really_ required
* is the entry point for Linux to execute. I'd suggest
* always using a main() for compatibility reasons.
*/
void _start() {
char *buf = "press enter to close connection";

write(1, buf, 31);
read(0, buf, 1);
exit(0);
}


[ view entry ] ( 2717 views )   |  print article
chrooted sftp only 
useradd -s /bin/false -m SFTPUSER
mkdir /home/SFTPUSER/.ssh
ssh-keygen -t rsa -b 2048 -N '' -f /home/SFTPUSER/.ssh/id_rsa
chown -R SFTPUSER:SFTPUSER /home/SFTPUSER/.ssh
chmod 600 /home/SFTPUSER/.ssh/id_rsa

/etc/ssh/sshd_config:
Subsystem       sftp    internal-sftp

Match user SFTPUSER
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot
chown root:root /chroot
mkdir /chroot/SFTPUSERDIR
chown SFTPUSER:SFTPUSER /chroot/SFTPUSERDIR

echo "put FILENAME" | \
sftp -oIdentityFile=/home/SFTPUSER/.ssh/id_rsa \
-oTCPKeepAlive=no -oServerAliveInterval=15 \
SFTPUSER@localhost:SFTPUSERDIR


[ view entry ] ( 2171 views )   |  print article
secure rsync to only one directory 
I want to rsync to a remote host to a given directory.

local-host:
ssh-keygen -t rsa
keyfilename: ~/.ssh/rsync
ssh-copy-id -i .ssh/rsync rsyncuser@remote-host

rsync files with ssh:
rsync -vaHxr --delete \
-e "ssh -i ~/.ssh/rsync -c arcfour -o Compression=no -x" \
LOCALDIR rsyncuser@remote-host:

remote-host

/home/rsyncuser/.ssh/authorized_keys:
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh",
no-pty,no-agent-forwarding,no-port-forwarding
ssh-dss 012345678...
limit access with from (optional).
On sucessfully ssh login command is executed.
Read More...

[ view entry ] ( 2227 views )   |  print article

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Next> Last>>