I've stolen some ideas from DrKK's Definitive Guide to Installing OwnCloud in FreeNAS (or FreeBSD)
- Start with the latest version of FreeNAS. I'll leave it up to you to figure that part out.
- Create a standard jail, choose Advanced mode, make sure the IP is valid, and uncheck "VIMAGE"
- Log into the jail via "jls" and "jexec"
jls
sudo jexec access csh
- Remove all installed packages that aren't the pkg command:
pkg info | awk '$1 !~ /^pkg-/ {print $1}' | xargs pkg remove -y
- Update installed files using the pkg command:
pkg update
pkg upgrade -y
pkg will likely update itself.
- Install bash and openssh-portable via the pkg command:
pkg install -y bash openssh-portable
- Move the old /etc/ssh directory to a safe place and create a symlink to /usr/local/etc
mv /etc/ssh /etc/oldssh
ln -s /usr/local/etc/ssh /etc/ssh
NOTE: this step is purely for convenience and is not necessary but may avoid confusion since the native ssh files won't be used.
- Make sure your /usr/local/etc/sshd_config contains at least the following:
Port 22
AllowGroups user
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment yes
- Enable the openssh sshd and start it:
echo openssh_enable=YES >> /etc/rc.conf
service openssh start
- Verify that openssh is listening on port 22:
sockstat -l4 | grep 22
- Create the users' restricted bin directory:
mkdir -m 555 /home
mkdir -m 0711 /home/bin
chown root:wheel /home/bin
This creates the directory owned by root and without read permission for the users.
- You can create symlinks in here for commands that the users will be allowed to run in their restricted shell. I prefer to take this a step farther - since it's only a jump box, its only purpose is to ssh in, and ssh on to another system. I further restrict this by creating a shell script wrapper around the ssh command which restricts the hosts that the user can log in to from the jump box.
If you have half a clue, you'll wonder how this prevents them from ssh'ing to another host when they get to one that they are allowed access to, and the answer is, if they have the permissions on that host - it doesn't. So it's not a fantastic level of security, but I wanted to see if I could do it. You'll also notice that you need to create a file /home/bin/sshauth.cfg which has the format of "username ALL" or "username host1 host2 ..." which dictates access.
- Symlink in the "logger" command to the /home/bin directory:
ln -s /usr/bin/logger /home/bin
- Create the user group "user" (as called out in the sshd_config above) so the users can log in:
pw groupadd user
- Create the users with each home directory under /home, with the shell /usr/local/bin/rbash, no password-based authentication, and the group created in the previous step.
adduser
- Change to the user's home directory and remove all the dot files
cd /home/user
rm .??*
- Create the following .bash_profile in the user's home directory:
export PATH=/home/bin
FROM=${SSH_CLIENT%% *}
logger -p user.warn -t USER_LOGIN "User $LOGNAME logged in from $FROM"
export HISTFILE=/dev/null
[[ $TERM == xterm* ]] && echo -ne "\033]0;JAIL-$HOSTNAME\007"
PS1="\!-$HOSTNAME\$ "
- The file permissions should be set, but confirm:
chmod 644 .bash_profile
chown root:wheel .bash_profile
- Create the ssh directory and give it to the user:
mkdir -m 700 .ssh
chown user:user .ssh
- Install the user's authorized_keys file in the ssh directory, and make sure the permissions are right:
chown user:user .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
- Your user should be able to log in at this point, and do nothing beyond what you've given them access to in the /home/bin directory.
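
The ssh wrapper described in the steps above is not reproduced on this page. As an added example (not the author's script), here is one way to write it in POSIX sh against the "username ALL" / "username host1 host2 ..." format of /home/bin/sshauth.cfg. The install name /home/bin/ssh, the client path /usr/local/bin/ssh, the SSH_DENIED log tag and the function names are assumptions.

```shell
#!/bin/sh
# Constructed ssh wrapper for the jump box; NOT the original author's script.
# Assumptions: installed root-owned as /home/bin/ssh (mode 0555); the real
# client is /usr/local/bin/ssh from openssh-portable.
set -f                                  # the wrapper never needs globbing
CFG=/home/bin/sshauth.cfg               # "username ALL" | "username host1 host2 ..."
REAL_SSH=/usr/local/bin/ssh

# host_allowed USER HOST: succeed only if a line for USER lists HOST or ALL.
host_allowed() {
    [ -r "$CFG" ] || return 1           # fail closed if the config is unreadable
    while read -r name hosts; do
        [ "$name" = "$1" ] || continue
        for h in $hosts; do
            if [ "$h" = ALL ] || [ "$h" = "$2" ]; then return 0; fi
        done
    done < "$CFG"
    return 1
}

# target_host ARG: print the host of "host" or "login@host"; refuse options
# (-o, -J, -F ...) and anything outside a conservative hostname alphabet.
target_host() {
    case "$1" in
        ''|-*|*@*@*|*@|@*|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
    printf '%s\n' "${1##*@}"
}

main() {
    # Take the name from the uid, not $LOGNAME: PermitUserEnvironment is on.
    user=$(/usr/bin/id -un)
    [ $# -eq 1 ] || { echo "usage: ssh [login@]host" >&2; return 2; }
    host=$(target_host "$1") || { echo "ssh: invalid destination" >&2; return 2; }
    if ! host_allowed "$user" "$host"; then
        /usr/bin/logger -p user.warn -t SSH_DENIED "User $user denied ssh to $host"
        echo "ssh: $host is not permitted for $user" >&2
        return 1
    fi
    # -F /dev/null ignores ~/.ssh/config, so a Host alias cannot redirect the name.
    exec "$REAL_SSH" -F /dev/null "$1"
}

# Run only when invoked under the installed name, so the functions can be sourced.
if [ "${0##*/}" = ssh ]; then main "$@"; fi
```

The config file must be readable by the users and should be root-owned and not writable by them, like the wrapper itself.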