<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - Chroot environment for SSH</title>
<link href="index.en.html" rel="start">
<link href="ap-fw-security-update.en.html" rel="prev">
<link href="ap-chroot-apache-env.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G Chroot environment for SSH">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H Chroot environment for Apache">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling inetd or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting /tmp noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the limits.conf file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit /etc/login.defs">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing /etc/ftpusers">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing logcheck">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through ifup">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 Release checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the Release file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of Release.gpg by apt">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove inetd?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is identd (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from /etc/services help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
|
||
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
|
||
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
|
||
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
||
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
||
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
||
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
||
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
||
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
||
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
||
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
||
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
||
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
||
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
||
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
||
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
||
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
||
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does "local (remote)" mean?">
|
||
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
||
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
||
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
||
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
||
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
||
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
||
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
||
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
||
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
||
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
||
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
||
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
||
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
||
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
||
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
||
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
||
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
||
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
||
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
||
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
||
|
||
</head>
|
||
|
||
<body>
|
||
|
||
<p><a name="ap-chroot-ssh-env"></a></p>
|
||
<hr>
|
||
|
||
<p>
|
||
[ <a href="ap-fw-security-update.en.html">previous</a> ]
|
||
[ <a href="index.en.html#contents">Contents</a> ]
|
||
[ <a href="ch1.en.html">1</a> ]
|
||
[ <a href="ch2.en.html">2</a> ]
|
||
[ <a href="ch3.en.html">3</a> ]
|
||
[ <a href="ch4.en.html">4</a> ]
|
||
[ <a href="ch-sec-services.en.html">5</a> ]
|
||
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
||
[ <a href="ch7.en.html">7</a> ]
|
||
[ <a href="ch-sec-tools.en.html">8</a> ]
|
||
[ <a href="ch9.en.html">9</a> ]
|
||
[ <a href="ch10.en.html">10</a> ]
|
||
[ <a href="ch-after-compromise.en.html">11</a> ]
|
||
[ <a href="ch12.en.html">12</a> ]
|
||
[ <a href="ap-harden-step.en.html">A</a> ]
|
||
[ <a href="ap-checklist.en.html">B</a> ]
|
||
[ <a href="ap-snort-box.en.html">C</a> ]
|
||
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
||
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
||
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
||
[ G ]
|
||
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
||
[ <a href="ap-chroot-apache-env.en.html">next</a> ]
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h1>
|
||
Securing Debian Manual
|
||
<br>Appendix G - <code>Chroot</code> environment for <code>SSH</code></h1>
|
||
|
||
<hr>
|
||
|
||
<p>
|
||
Creating a restricted environment for <code>SSH</code> is a tough job due to
|
||
its dependencies and the fact that, unlike other servers, <code>SSH</code>
|
||
provides a remote shell to users. Thus, you will also have to consider the
|
||
applications users will be allowed to use in the environment.
|
||
</p>
|
||
|
||
<p>
|
||
You have two options to setup a restricted remote shell:
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Chrooting the ssh users: by properly configuring the ssh daemon you can ask it
|
||
to chroot a user after authentication, just before the user is provided a shell. Each
|
||
user can have their own environment.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Chrooting the ssh server: since you chroot the ssh application itself, all users
|
||
are chrooted to the defined environment.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<p>
|
||
The first option has the advantage of making it possible to have both
|
||
non-chrooted and chrooted users, and if you don't introduce any setuid application
|
||
in the users' chroots it is more difficult to break out of them. However, you
|
||
might need to setup individual chroots for each user and it is more difficult
|
||
to set up (as it requires cooperation from the SSH server). The second option
|
||
is easier to set up, and protects against an exploitation of the ssh server
|
||
itself (since it's also in the chroot) but it will have the limitation that all
|
||
users will share the same chroot environment (you cannot set up a per-user
|
||
chroot environment).
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="sG.1"></a>G.1 Chrooting the ssh users</h2>
|
||
|
||
<p>
|
||
You can setup the ssh server so that it will chroot a set of defined users into
|
||
a shell with a limited set of applications available.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="sG.1.1"></a>G.1.1 Using <code>libpam-chroot</code></h3>
|
||
|
||
<p>
|
||
Probably the easiest way is to use the <code>libpam-chroot</code> package
|
||
provided in Debian. Once you install it you need to:
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Modify <code>/etc/pam.d/ssh</code> to use this PAM module, add as its last
|
||
line[<a href="footnotes.en.html#f86" name="fr86">86</a>]:
|
||
</p>
|
||
|
||
<pre>
|
||
session required pam_chroot.so
|
||
</pre>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
set a proper chroot environment for the user. You can try using the scripts
|
||
available at <code>/usr/share/doc/libpam-chroot/examples/</code>, use the
|
||
<code>makejail</code> [<a href="footnotes.en.html#f87" name="fr87">87</a>]
|
||
program, or set up a minimal Debian environment with <code>debootstrap</code>.
|
||
Make sure the environment includes the needed devices [<a
|
||
href="footnotes.en.html#f88" name="fr88">88</a>].
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Configure <code>/etc/security/chroot.conf</code> so that the users you
|
||
determine are chrooted to the directory you setup previously. You might want
|
||
to have independent directories for different users so that they will not be
|
||
able to see either the whole system or each other's environment.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Configure SSH: Depending on your OpenSSH version the chroot environment might
|
||
work straight out of the box or not. Since 3.6.1p2 the <em>do_pam_session()</em>
|
||
function is called after sshd has dropped privileges, since chroot() needs root
|
||
privileges it will not work with Privilege separation on. In newer OpenSSH
|
||
versions, however, the PAM code has been modified and do_pam_session is called
|
||
before dropping privileges so it will work even when Privilege separation is
|
||
on. If you have to disable it modify <code>/etc/ssh/sshd_config</code> like
|
||
this:
|
||
</p>
|
||
|
||
<pre>
|
||
UsePrivilegeSeparation no
|
||
</pre>
|
||
|
||
<p>
|
||
Notice that this will lower the security of your system since the OpenSSH
|
||
server will then run as <em>root</em> user. This means that if a remote attack
|
||
is found against OpenSSH an attacker will get <em>root</em> privileges instead
|
||
of <em>sshd</em>, thus compromising the whole system. [<a
|
||
href="footnotes.en.html#f89" name="fr89">89</a>]
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<p>
|
||
If you don't disable <em>Privilege Separation</em> you will need an
|
||
<code>/etc/passwd</code> which includes the user's UID inside the chroot for
|
||
<em>Privilege Separation</em> to work properly.
|
||
</p>
|
||
|
||
<p>
|
||
If you have <em>Privilege Separation</em> set to <strong>yes</strong> and your
|
||
OpenSSH version does not behave properly you will need to disable it. If you
|
||
don't, users that try to connect to your server and would be chrooted by this
|
||
module will see this:
|
||
</p>
|
||
|
||
<pre>
|
||
$ ssh -l user server
|
||
user@server's password:
|
||
Connection to server closed by remote host.
|
||
Connection to server closed.
|
||
</pre>
|
||
|
||
<p>
|
||
This is because the ssh daemon, which is running as 'sshd', is not able to
|
||
make the chroot() system call. To disable Privilege separation you have to
|
||
modify the <code>/etc/ssh/sshd_config</code> configuration file as described
|
||
above.
|
||
</p>
|
||
|
||
<p>
|
||
Notice that if any of the following is missing the users will not be able to
|
||
logon to the chroot:
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
The <code>/proc</code> filesystem needs to be mounted in the users' chroot.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
The necessary <code>/dev/pts/</code> devices need to exist. If the files are
|
||
generated by your running kernel automatically then you have to manually create
|
||
them on the chroot's <code>/dev/</code>.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
The user's home directory has to exist in the chroot, otherwise the ssh daemon
|
||
will not continue.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<p>
|
||
You can debug all these issues if you use the <em>debug</em> keyword in the
|
||
<code>/etc/pam.d/ssh</code> PAM definition. If you encounter issues you might
|
||
find it useful to enable the debugging mode on the ssh client too.
|
||
</p>
|
||
|
||
<p>
|
||
Note: This information is also available (and maybe more up to date) in
|
||
<code>/usr/share/doc/libpam-chroot/README.Debian.gz</code>, please review it
|
||
for updated information before taking the above steps.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="sG.1.2"></a>G.1.2 Patching the <code>ssh</code> server</h3>
|
||
|
||
<p>
|
||
Debian's <code>sshd</code> does not allow restriction of a user's movement
|
||
through the server, since it lacks the <code>chroot</code> function that the
|
||
commercial program <code>sshd2</code> includes (using 'ChrootGroups' or
|
||
'ChrootUsers', see <code>sshd2_config(5)</code>). However, there is a patch
|
||
available to add this functionality from <code><a
|
||
href="http://chrootssh.sourceforge.net">ChrootSSH project</a></code> (requested
|
||
and available in <code><a href="http://bugs.debian.org/139047">Bug
|
||
#139047</a></code> in Debian). The patch may be included in future releases of
|
||
the OpenSSH package. Emmanuel Lacour has <code>ssh</code> deb packages for
|
||
<em>sarge</em> with this feature. They are available at <code><a
|
||
href="http://debian.home-dn.net/sarge/ssh/">http://debian.home-dn.net/sarge/ssh/</a></code>.
|
||
Notice that those might not be up to date so completing the compilation step is
|
||
recommended.
|
||
</p>
|
||
|
||
<p>
|
||
After applying the patch, modify <code>/etc/passwd</code> by changing the home
|
||
path of the users (with the special <samp>/./</samp> token):
|
||
</p>
|
||
|
||
<pre>
|
||
joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash
|
||
</pre>
|
||
|
||
<p>
|
||
This will restrict <em>both</em> remote shell access, as well as remote copy
|
||
through the <code>ssh</code> channel.
|
||
</p>
|
||
|
||
<p>
|
||
Make sure to have all the needed binaries and libraries in the
|
||
<code>chroot</code>'ed path for users. These files should be owned by root to
|
||
avoid tampering by the user (which could otherwise be used to escape the <code>chroot</code>'ed jail).
|
||
A sample might include:
|
||
</p>
|
||
|
||
<pre>
|
||
./bin:
|
||
total 660
|
||
drwxr-xr-x 2 root root 4096 Mar 18 13:36 .
|
||
drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
|
||
-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash
|
||
-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls
|
||
-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir
|
||
-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more
|
||
-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd
|
||
-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm
|
||
lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash
|
||
</pre>
|
||
|
||
<pre>
|
||
./etc:
|
||
total 24
|
||
drwxr-xr-x 2 root root 4096 Mar 15 16:13 .
|
||
drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
|
||
-rw-r--r-- 1 root root 54 Mar 15 13:23 group
|
||
-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts
|
||
-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd
|
||
-rw-r--r-- 1 root root 52 Mar 15 13:23 shells
|
||
</pre>
|
||
|
||
<pre>
|
||
./lib:
|
||
total 1848
|
||
drwxr-xr-x 2 root root 4096 Mar 18 13:37 .
|
||
drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
|
||
-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2
|
||
-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6
|
||
-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1
|
||
-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2
|
||
-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5
|
||
-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1
|
||
-rw-r--r-- 1 root root 34144 Mar 15 16:10
|
||
libnss_files.so.2
|
||
-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0
|
||
-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0
|
||
-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1
|
||
-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1
|
||
-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0
|
||
</pre>
|
||
|
||
<pre>
|
||
./usr:
|
||
total 16
|
||
drwxr-xr-x 4 root root 4096 Mar 15 13:00 .
|
||
drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
|
||
drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin
|
||
drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib
|
||
</pre>
|
||
|
||
<pre>
|
||
./usr/bin:
|
||
total 340
|
||
drwxr-xr-x 2 root root 4096 Mar 15 15:55 .
|
||
drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..
|
||
-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env
|
||
-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id
|
||
-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp
|
||
-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp
|
||
-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh
|
||
-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty
|
||
</pre>
|
||
|
||
<pre>
|
||
./usr/lib:
|
||
total 852
|
||
drwxr-xr-x 2 root root 4096 Mar 15 15:37 .
|
||
drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..
|
||
-rw-r--r-- 1 root root 771088 Mar 15 13:01
|
||
libcrypto.so.0.9.6
|
||
-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1
|
||
-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server
|
||
</pre>
|
||
|
||
<hr>
|
||
|
||
<h2><a name="sG.2"></a>G.2 Chrooting the ssh server</h2>
|
||
|
||
<p>
|
||
If you create a chroot which includes the SSH server files in, for example
|
||
<code>/var/chroot/ssh</code>, you would start the <code>ssh</code> server
|
||
<code>chroot</code>'ed with this command:
|
||
</p>
|
||
|
||
<pre>
|
||
# chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config
|
||
</pre>
|
||
|
||
<p>
|
||
That would start the <code>sshd</code> daemon inside the chroot. In
|
||
order to do that you have to first prepare the contents of the
|
||
<code>/var/chroot/ssh</code> directory so that it includes both the SSH server
|
||
and all the utilities that the users connecting to that server might need. If
|
||
you are doing this you should make certain that OpenSSH uses <em>Privilege
|
||
Separation</em> (which is the default) having the following line in the
|
||
configuration file <code>/etc/ssh/sshd_config</code>:
|
||
</p>
|
||
|
||
<pre>
|
||
UsePrivilegeSeparation yes
|
||
</pre>
|
||
|
||
<p>
|
||
That way the remote daemon will do as few things as possible as the root user
|
||
so even if there is a bug in it, it will not compromise the chroot. Notice
|
||
that, unlike the case in which you setup a per-user chroot, the ssh daemon is
|
||
running in the same chroot as the users so there is at least one potential
|
||
process running as root which could break out of the chroot.
|
||
</p>
|
||
|
||
<p>
|
||
Notice, also, that in order for SSH to work in that location, the partition
|
||
where the chroot directory resides cannot be mounted with the <em>nodev</em>
|
||
option. If you use that option, then you will get the following error:
|
||
<em>PRNG is not seeded</em>, because <code>/dev/urandom</code> does not work in
|
||
the chroot.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="sG.2.1"></a>G.2.1 Setup a minimal system (the really easy way)</h3>
|
||
|
||
<p>
|
||
You can use <code>debootstrap</code> to setup a minimal environment that just
|
||
includes the ssh server. In order to do this you just have to create a chroot
|
||
as described in the <code><a
|
||
href="http://www.debian.org/doc/manuals/reference/ch09#_chroot_system">chroot
|
||
section of the Debian Reference</a></code> document. This method is bound to
|
||
work (you will get all the necessary components for the chroot) but at the
|
||
cost of disk space (a minimal installation of Debian will amount to several
|
||
hundred megabytes). This minimal system might also include setuid files that a
|
||
user in the chroot could use to break out of the chroot if any of those could
|
||
be used for privilege escalation.
|
||
</p>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="sG.2.2"></a>G.2.2 Automatically making the environment (the easy way)</h3>
|
||
|
||
<p>
|
||
You can easily create a restricted environment with the <code>makejail</code>
|
||
package, since it automatically takes care of tracing the server daemon (with
|
||
<code>strace</code>), and makes it run under the restricted environment.
|
||
</p>
|
||
|
||
<p>
|
||
The advantage of programs that automatically generate <code>chroot</code>
|
||
environments is that they are capable of copying any package to the
|
||
<code>chroot</code> environment (even following the package's dependencies and
|
||
making sure it's complete). Thus, providing user applications is easier.
|
||
</p>
|
||
|
||
<p>
|
||
To set up the environment using <code>makejail</code>'s provided examples, just
|
||
create <code>/var/chroot/sshd</code> and use the command:
|
||
</p>
|
||
|
||
<pre>
|
||
# makejail /usr/share/doc/makejail/examples/sshd.py
|
||
</pre>
|
||
|
||
<p>
|
||
This will setup the chroot in the <code>/var/chroot/sshd</code> directory.
|
||
Notice that this chroot will not fully work unless you:
|
||
</p>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Mount the <em>procfs</em> filesystem in <code>/var/chroot/sshd/proc</code>.
|
||
<code>Makejail</code> will mount it for you but if the system reboots you need
|
||
to remount it running:
|
||
</p>
|
||
|
||
<pre>
|
||
# mount -t proc proc /var/chroot/sshd/proc
|
||
</pre>
|
||
|
||
<p>
|
||
You can also have it be mounted automatically by editing
|
||
<code>/etc/fstab</code> and including this line:
|
||
</p>
|
||
|
||
<pre>
|
||
proc-ssh /var/chroot/sshd/proc proc none 0 0
|
||
</pre>
|
||
</li>
|
||
</ul>
|
||
<ul>
|
||
<li>
|
||
<p>
|
||
Have syslog listen to the device <code>/dev/log</code> inside the chroot. In
|
||
order to do this you have to modify <code>/etc/default/syslogd</code> and add
|
||
<em>-a /var/chroot/sshd/dev/log</em> to the <strong>SYSLOGD</strong> variable
|
||
definition.
|
||
</p>
|
||
</li>
|
||
</ul>
|
||
|
||
<p>
|
||
Read the sample file to see what other changes need to be made to the
|
||
environment. Some of these changes, such as copying user's home directories,
|
||
cannot be done automatically. Also, limit the exposure of sensitive
|
||
information by only copying the entries of the users that need access from the
|
||
files <code>/etc/shadow</code> or <code>/etc/group</code>. Notice that if you
|
||
are using Privilege Separation the <em>sshd</em> user needs to exist in those
|
||
files.
|
||
</p>
|
||
|
||
<p>
|
||
The following sample environment has been (slightly) tested in Debian 3.0 and
|
||
is built with the configuration file provided in the package and includes the
|
||
<code>fileutils</code> package:
|
||
</p>
|
||
|
||
<pre>
|
||
.
|
||
|-- bin
|
||
| |-- ash
|
||
| |-- bash
|
||
| |-- chgrp
|
||
| |-- chmod
|
||
| |-- chown
|
||
| |-- cp
|
||
| |-- csh -> /etc/alternatives/csh
|
||
| |-- dd
|
||
| |-- df
|
||
| |-- dir
|
||
| |-- fdflush
|
||
| |-- ksh
|
||
| |-- ln
|
||
| |-- ls
|
||
| |-- mkdir
|
||
| |-- mknod
|
||
| |-- mv
|
||
| |-- rbash -> bash
|
||
| |-- rm
|
||
| |-- rmdir
|
||
| |-- sh -> bash
|
||
| |-- sync
|
||
| |-- tcsh
|
||
| |-- touch
|
||
| |-- vdir
|
||
| |-- zsh -> /etc/alternatives/zsh
|
||
| `-- zsh4
|
||
|-- dev
|
||
| |-- null
|
||
| |-- ptmx
|
||
| |-- pts
|
||
| |-- ptya0
|
||
(...)
|
||
| |-- tty
|
||
| |-- tty0
|
||
(...)
|
||
| `-- urandom
|
||
|-- etc
|
||
| |-- alternatives
|
||
| | |-- csh -> /bin/tcsh
|
||
| | `-- zsh -> /bin/zsh4
|
||
| |-- environment
|
||
| |-- hosts
|
||
| |-- hosts.allow
|
||
| |-- hosts.deny
|
||
| |-- ld.so.conf
|
||
| |-- localtime -> /usr/share/zoneinfo/Europe/Madrid
|
||
| |-- motd
|
||
| |-- nsswitch.conf
|
||
| |-- pam.conf
|
||
| |-- pam.d
|
||
| | |-- other
|
||
| | `-- ssh
|
||
| |-- passwd
|
||
| |-- resolv.conf
|
||
| |-- security
|
||
| | |-- access.conf
|
||
| | |-- chroot.conf
|
||
| | |-- group.conf
|
||
| | |-- limits.conf
|
||
| | |-- pam_env.conf
|
||
| | `-- time.conf
|
||
| |-- shadow
|
||
| |-- shells
|
||
| `-- ssh
|
||
| |-- moduli
|
||
| |-- ssh_host_dsa_key
|
||
| |-- ssh_host_dsa_key.pub
|
||
| |-- ssh_host_rsa_key
|
||
| |-- ssh_host_rsa_key.pub
|
||
| `-- sshd_config
|
||
|-- home
|
||
| `-- userX
|
||
|-- lib
|
||
| |-- ld-2.2.5.so
|
||
| |-- ld-linux.so.2 -> ld-2.2.5.so
|
||
| |-- libc-2.2.5.so
|
||
| |-- libc.so.6 -> libc-2.2.5.so
|
||
| |-- libcap.so.1 -> libcap.so.1.10
|
||
| |-- libcap.so.1.10
|
||
| |-- libcrypt-2.2.5.so
|
||
| |-- libcrypt.so.1 -> libcrypt-2.2.5.so
|
||
| |-- libdl-2.2.5.so
|
||
| |-- libdl.so.2 -> libdl-2.2.5.so
|
||
| |-- libm-2.2.5.so
|
||
| |-- libm.so.6 -> libm-2.2.5.so
|
||
| |-- libncurses.so.5 -> libncurses.so.5.2
|
||
| |-- libncurses.so.5.2
|
||
| |-- libnsl-2.2.5.so
|
||
| |-- libnsl.so.1 -> libnsl-2.2.5.so
|
||
| |-- libnss_compat-2.2.5.so
|
||
| |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so
|
||
| |-- libnss_db-2.2.so
|
||
| |-- libnss_db.so.2 -> libnss_db-2.2.so
|
||
| |-- libnss_dns-2.2.5.so
|
||
| |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so
|
||
| |-- libnss_files-2.2.5.so
|
||
| |-- libnss_files.so.2 -> libnss_files-2.2.5.so
|
||
| |-- libnss_hesiod-2.2.5.so
|
||
| |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so
|
||
| |-- libnss_nis-2.2.5.so
|
||
| |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so
|
||
| |-- libnss_nisplus-2.2.5.so
|
||
| |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so
|
||
| |-- libpam.so.0 -> libpam.so.0.72
|
||
| |-- libpam.so.0.72
|
||
| |-- libpthread-0.9.so
|
||
| |-- libpthread.so.0 -> libpthread-0.9.so
|
||
| |-- libresolv-2.2.5.so
|
||
| |-- libresolv.so.2 -> libresolv-2.2.5.so
|
||
| |-- librt-2.2.5.so
|
||
| |-- librt.so.1 -> librt-2.2.5.so
|
||
| |-- libutil-2.2.5.so
|
||
| |-- libutil.so.1 -> libutil-2.2.5.so
|
||
| |-- libwrap.so.0 -> libwrap.so.0.7.6
|
||
| |-- libwrap.so.0.7.6
|
||
| `-- security
|
||
| |-- pam_access.so
|
||
| |-- pam_chroot.so
|
||
| |-- pam_deny.so
|
||
| |-- pam_env.so
|
||
| |-- pam_filter.so
|
||
| |-- pam_ftp.so
|
||
| |-- pam_group.so
|
||
| |-- pam_issue.so
|
||
| |-- pam_lastlog.so
|
||
| |-- pam_limits.so
|
||
| |-- pam_listfile.so
|
||
| |-- pam_mail.so
|
||
| |-- pam_mkhomedir.so
|
||
| |-- pam_motd.so
|
||
| |-- pam_nologin.so
|
||
| |-- pam_permit.so
|
||
| |-- pam_rhosts_auth.so
|
||
| |-- pam_rootok.so
|
||
| |-- pam_securetty.so
|
||
| |-- pam_shells.so
|
||
| |-- pam_stress.so
|
||
| |-- pam_tally.so
|
||
| |-- pam_time.so
|
||
| |-- pam_unix.so
|
||
| |-- pam_unix_acct.so -> pam_unix.so
|
||
| |-- pam_unix_auth.so -> pam_unix.so
|
||
| |-- pam_unix_passwd.so -> pam_unix.so
|
||
| |-- pam_unix_session.so -> pam_unix.so
|
||
| |-- pam_userdb.so
|
||
| |-- pam_warn.so
|
||
| `-- pam_wheel.so
|
||
|-- sbin
|
||
| `-- start-stop-daemon
|
||
|-- usr
|
||
| |-- bin
|
||
| | |-- dircolors
|
||
| | |-- du
|
||
| | |-- install
|
||
| | |-- link
|
||
| | |-- mkfifo
|
||
| | |-- shred
|
||
| | |-- touch -> /bin/touch
|
||
| | `-- unlink
|
||
| |-- lib
|
||
| | |-- libcrypto.so.0.9.6
|
||
| | |-- libdb3.so.3 -> libdb3.so.3.0.2
|
||
| | |-- libdb3.so.3.0.2
|
||
| | |-- libz.so.1 -> libz.so.1.1.4
|
||
| | `-- libz.so.1.1.4
|
||
| |-- sbin
|
||
| | `-- sshd
|
||
| `-- share
|
||
| |-- locale
|
||
| | `-- es
|
||
| | |-- LC_MESSAGES
|
||
| | | |-- fileutils.mo
|
||
| | | |-- libc.mo
|
||
| | | `-- sh-utils.mo
|
||
| | `-- LC_TIME -> LC_MESSAGES
|
||
| `-- zoneinfo
|
||
| `-- Europe
|
||
| `-- Madrid
|
||
`-- var
|
||
`-- run
|
||
|-- sshd
|
||
`-- sshd.pid
|
||
|
||
27 directories, 733 files
|
||
</pre>
|
||
|
||
<p>
|
||
For Debian release 3.1 you have to make sure that the environment includes also
|
||
the common files for PAM. The following files need to be copied over to the
|
||
chroot if <code>makejail</code> did not do it for you:
|
||
</p>
|
||
|
||
<pre>
|
||
$ ls /etc/pam.d/common-*
|
||
/etc/pam.d/common-account /etc/pam.d/common-password
|
||
/etc/pam.d/common-auth /etc/pam.d/common-session
|
||
</pre>
|
||
|
||
<hr>
|
||
|
||
<h3><a name="sG.2.3"></a>G.2.3 Manually creating the environment (the hard way)</h3>
|
||
|
||
<p>
|
||
It is possible to create an environment, using a trial-and-error method, by
|
||
monitoring the <code>sshd</code> server traces and log files in order to
|
||
determine the necessary files. The following environment, contributed by José
|
||
Luis Ledesma, is a sample listing of files in a <code>chroot</code> environment
|
||
for <code>ssh</code> in Debian woody (3.0): [<a href="footnotes.en.html#f90"
|
||
name="fr90">90</a>]
|
||
</p>
|
||
|
||
<pre>
|
||
.:
|
||
total 36
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./
|
||
drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/
|
||
drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/
|
||
drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/
|
||
./bin:
|
||
total 8368
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*
|
||
-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*
|
||
-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*
|
||
-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*
|
||
-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*
|
||
-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*
|
||
-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*
|
||
-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*
|
||
-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*
|
||
-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*
|
||
-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*
|
||
-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*
|
||
-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*
|
||
-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*
|
||
-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*
|
||
-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*
|
||
-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*
|
||
-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*
|
||
-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*
|
||
-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*
|
||
-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*
|
||
-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*
|
||
-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*
|
||
-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*
|
||
-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*
|
||
-rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*
|
||
-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*
|
||
-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*
|
||
-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*
|
||
-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*
|
||
-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*
|
||
-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*
|
||
-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*
|
||
-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*
|
||
-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*
|
||
-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*
|
||
-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*
|
||
-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*
|
||
-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*
|
||
-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*
|
||
-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*
|
||
-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*
|
||
-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*
|
||
-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*
|
||
-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*
|
||
-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*
|
||
-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*
|
||
-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*
|
||
-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*
|
||
-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*
|
||
-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*
|
||
-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*
|
||
-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*
|
||
-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*
|
||
-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*
|
||
-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*
|
||
-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*
|
||
-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*
|
||
./dev:
|
||
total 8
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom
|
||
./etc:
|
||
total 208
|
||
drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock
|
||
-rw-r--r-- 1 root root 653 Jun 3 13:46 group
|
||
-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf
|
||
-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts
|
||
-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache
|
||
-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf
|
||
-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~
|
||
-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli
|
||
-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/
|
||
-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf
|
||
-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd
|
||
-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile
|
||
-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols
|
||
-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf
|
||
drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/
|
||
-rw-r----- 1 root root 1178 Jun 4 11:51 shadow
|
||
-rw------- 1 root root 80 Jun 4 11:45 shadow-
|
||
-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old
|
||
-rw-r--r-- 1 root root 161 Jun 3 13:46 shells
|
||
-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config
|
||
-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key
|
||
-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub
|
||
-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key
|
||
-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub
|
||
-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key
|
||
-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub
|
||
-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config
|
||
./etc/pam.d:
|
||
total 24
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./
|
||
drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../
|
||
lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd
|
||
-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd
|
||
-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh
|
||
-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd
|
||
-rw-r--r-- 1 root root 370 Jun 3 13:46 su
|
||
./etc/security:
|
||
total 32
|
||
drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./
|
||
drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../
|
||
-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf
|
||
-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf
|
||
-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf
|
||
-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf
|
||
-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf
|
||
-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf
|
||
./lib:
|
||
total 8316
|
||
drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm
|
||
-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd
|
||
-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi
|
||
-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*
|
||
-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*
|
||
lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*
|
||
lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*
|
||
-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*
|
||
-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*
|
||
-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*
|
||
-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*
|
||
lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*
|
||
-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*
|
||
lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*
|
||
-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*
|
||
-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*
|
||
-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*
|
||
-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*
|
||
-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*
|
||
-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*
|
||
-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*
|
||
-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*
|
||
-rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*
|
||
-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*
|
||
-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*
|
||
-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*
|
||
lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*
|
||
-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*
|
||
lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -> libpam_misc.so.0.72*
|
||
-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*
|
||
lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*
|
||
-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*
|
||
-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*
|
||
-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*
|
||
-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*
|
||
lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*
|
||
lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*
|
||
-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/
|
||
./lib/security:
|
||
total 668
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./
|
||
drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../
|
||
-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*
|
||
-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*
|
||
-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*
|
||
-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*
|
||
-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*
|
||
-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*
|
||
-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*
|
||
-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*
|
||
-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*
|
||
-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*
|
||
-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*
|
||
-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*
|
||
-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*
|
||
-rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*
|
||
-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*
|
||
-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*
|
||
-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*
|
||
-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*
|
||
-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*
|
||
-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*
|
||
-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*
|
||
-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*
|
||
-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*
|
||
-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*
|
||
-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*
|
||
-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*
|
||
-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*
|
||
-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*
|
||
-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*
|
||
-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*
|
||
-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*
|
||
-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*
|
||
-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*
|
||
./sbin:
|
||
total 3132
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*
|
||
-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*
|
||
-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*
|
||
-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*
|
||
-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*
|
||
-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*
|
||
-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*
|
||
-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*
|
||
-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*
|
||
-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*
|
||
-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*
|
||
-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*
|
||
-rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*
|
||
-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*
|
||
-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*
|
||
./tmp:
|
||
total 8
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
./usr:
|
||
total 8
|
||
drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./
|
||
drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
|
||
lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//
|
||
lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//
|
||
lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//
|
||
</pre>

<p>
Note that in the listing above <code>ssh</code> and <code>slogin</code>
are installed setuid root (<code>-rws--x--x</code>). A setuid-root
binary inside a chroot is the classic way out of the jail (a process
running as root can create device nodes or call <code>chroot</code>
again), so after copying binaries into the jail look for the
<code>s</code> bit (<code>find . -perm -4000</code> from the chroot
root) and strip it with <code>chmod u-s</code> unless the program
really needs it (older OpenSSH clients used it only for host-based
authentication). Likewise, debugging and administration tools such as
<code>strace</code>, <code>su</code> and <code>useradd</code>, and
leftover files such as <code>shadow.old</code> and
<code>ld.so.conf~</code>, do not belong in a jail that untrusted users
will log in to; this listing should be treated as an example of what
ended up in the tree, not as a minimal or hardened set of files.
</p>
|
||
|
||
<hr>
|
||
|
||
|
||
|
||
<hr>
|
||
|
||
<p>
|
||
Securing Debian Manual
|
||
</p>
|
||
|
||
<address>
|
||
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
|
||
<br>
|
||
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
|
||
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
|
||
<br>
|
||
</address>
|
||
<hr>
|
||
|
||
</body>
|
||
|
||
</html>
|
||
|