Difference between pages "Squid" and "SFTP Only Access"

From Funtoo
== The Squid Proxy Server ==

'''This is a quick and dirty howto about getting Squid up and running in 5 minutes.'''

What benefits can one get from using an anonymous proxy server? I would say many, but the most important one is that you can browse the web without exposing your IP address, location and so on. Even though I usually use OpenVPN or PPTP for safe browsing, having a private anonymous proxy server in your toolbox is a nice thing.

Furthermore, a cache speeds up your daily internet use: repeatedly requested objects are served from the cache instead of being downloaded again. Advanced filtering techniques (antivirus, content filtering, ad blocking, etc.) are also possible.

Always start by refreshing your portage tree:

<console>
###i## emerge --sync
</console>

Next, we search the portage tree for {{Package|net-proxy/squid}}:

<console>
###i## emerge --search squid
=> net-analyzer/squid-graph
=> net-analyzer/squidsites
=> net-analyzer/squidview
=> net-proxy/squid
=> net-proxy/squidclamav
=> net-proxy/squidguard
=> sec-policy/selinux-squid
</console>

Next, we emerge ''<code>squid</code>'' using:

<console>
###i## emerge -av net-proxy/squid
</console>

Once it is installed: since this Squid setup will authenticate users via the <code>ncsa_auth</code> helper, we need to know where this helper lives so we can reference it in <code>squid.conf</code>. To find it, I use <code>qfile</code>, which ships with <code>app-portage/portage-utils</code>:

<console>
###i## qfile ncsa_auth
net-proxy/squid (/usr/libexec/squid/ncsa_auth)
</console>

OK, so the auth helper is located at <code>/usr/libexec/squid/ncsa_auth</code>; let's set up Squid's configuration file (<code>/etc/squid/squid.conf</code>). Make sure you replace <code>XXX.XX.XX.XXX</code> with your server's actual IP address, and edit anything else to suit your needs.

<console>
###i## cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm please login?
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access rules are evaluated in order: authenticated users are admitted
# only after the port checks above, so those checks apply to them as well
http_access allow ncsa_users
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 2222
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
icp_access allow localnet
icp_access deny all
acl ip1 myip XXX.XX.XX.XXX
tcp_outgoing_address XXX.XX.XX.XXX ip1
cache_mgr mail@maiwald.tk
cache_mem 128 MB
visible_hostname ViruSzZ
maximum_object_size 20 MB
cache_dir ufs /var/cache/squid 512 32 512
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
shutdown_lifetime 3 seconds
EOF
</console>

Proceed by creating the <code>/etc/squid/passwd</code> file and adding your user:

<console>
###i## htpasswd -c /etc/squid/passwd your_user
</console>

(omit the <code>-c</code> switch when adding another user to an existing file)

Then run <code># squid -z</code> to create the cache directories.

Finally, restart your Squid server and check that it is actually listening:

<console>
###i## /etc/init.d/squid restart
###i## netstat -tunlp | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      482/(squid)
</console>

If you want it to start at boot, run:

<console>
###i## rc-update add squid default
</console>

To test it, I use Opera: go to Settings → Preferences → Advanced → Network → Proxy Servers and set the browser to use the proxy server we just created.

[[Category:HOWTO]]
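Squid evaluates http_access rules top to bottom and stops at the first match, so the order in which the allow and deny lines appear is the whole policy. The shell script below is an added example, not code from the Funtoo page: it audits a squid.conf for an allow placed above the Safe_ports guard (the ordering this page was first published with, where the authenticated-users allow came before the port denies) and for rules left unreachable behind deny all. The function name and the two constructed fragments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: audits the order of http_access
# rules in a squid.conf. Squid applies http_access lines top to bottom and
# stops at the first match, so an "allow" placed above the Safe_ports and
# CONNECT denies lets the matching clients reach any port through the proxy.
squid_access_order_ok() {
    awk '
        $1 == "http_access" {
            n++
            if ($2 == "deny"  && $3 == "!Safe_ports") guard = n
            if ($2 == "deny"  && $3 == "all")         deny_all = n
            if ($2 == "allow" && $3 != "manager") { a++; at[a] = n; acl[a] = $3 }
        }
        END {
            bad = 0
            if (!guard) { print "missing: http_access deny !Safe_ports"; bad = 1 }
            for (i = 1; i <= a; i++)
                if (guard && at[i] < guard) {
                    print "allow " acl[i] " is evaluated before the Safe_ports guard"; bad = 1
                }
            if (deny_all && deny_all < n) { print "rules after deny all are unreachable"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed fragments: the rule order as first published on this page, and
# the same rules with the authenticated-users allow moved below the guards.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
cat > "$after" <<'EOF'
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ncsa_users
http_access allow localnet
http_access deny all
EOF
echo "as published:"; squid_access_order_ok "$before" || echo "  -> needs reordering"
echo "reordered:";    squid_access_order_ok "$after"  && echo "  -> ok"
rm -f "$before" "$after"
```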

Revision as of 23:44, 14 January 2014

Context

In some cases it can be useful to set up an account on your Funtoo box such that the user:

  • does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
  • is able to transfer files back and forth on the box via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Slightly change the OpenSSH configuration so that users belonging to your sftp-only group are given a chrooted access
  3. Make OpenSSH ignore any command other than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH configuration (located in /etc/sshd/sshd_config), locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it to:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user's access to a plain sftp session?" Simple! Assuming that sftponly is the group you use for your restricted users, just add the following statement to /etc/sshd/sshd_config:

# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

To understand how it works, you must be aware that, when you open an SSH session, sshd launches a process on the server side, which can be:

  • a shell => ssh login@host
  • a kind of dedicated ftp daemon (sftp-server) => sftp user@host
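Two checks for the jail described above, written as an added example that is not part of the Funtoo page: sshd refuses a ChrootDirectory unless every component of its path is owned by root and writable by nobody else, so with ChrootDirectory /home/%u the user's home itself must be root-owned and the user needs a writable subdirectory for uploads; and the Match block must carry the four directives shown on the page together with the internal-sftp subsystem. The function names and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Funtoo page: two checks for the SFTP jail
# described above. Assumes the group name sftponly and the /home/%u layout.
# sshd only honours a ChrootDirectory whose every path component is owned by
# root and not writable by group or other; otherwise the login is refused.
# Pure check on a uid and an octal mode string, usable without root.
chroot_component_ok() {
    perm=$(printf '%03d' "$2")          # 2755 -> 2755, 0 -> 000
    perm=${perm#"${perm%???}"}          # keep the last three digits
    g=${perm#?}; g=${g%?}               # group permission digit
    o=${perm#??}                        # other permission digit
    [ "$1" -eq 0 ] && [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# Walk a real directory up to / and apply the check to every component.
check_chroot_path() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
        set -- $info
        chroot_component_ok "$1" "$2" || { echo "not jail-safe: $dir (uid $1, mode $2)"; return 1; }
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Confirm sshd_config carries the page's Match block for a group, and that the
# sftp subsystem is internal-sftp (it runs inside sshd, so no sftp-server
# binary needs to exist inside the jail).
sftp_jail_config_ok() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk  && tolower($1) == "forcecommand"       && $2 == "internal-sftp"  { fc = 1 }
        inblk  && tolower($1) == "chrootdirectory"                              { cd = 1 }
        inblk  && tolower($1) == "allowtcpforwarding" && tolower($2) == "no"    { tf = 1 }
        inblk  && tolower($1) == "x11forwarding"      && tolower($2) == "no"    { xf = 1 }
        !inblk && tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { ss = 1 }
        END { exit !(fc && cd && tf && xf && ss) }
    ' "$1"
}

# Demo on a constructed config (not a live sshd_config).
demo_cfg=$(mktemp)
printf '%s\n' 'Subsystem sftp internal-sftp' 'Match group sftponly' \
    '    ChrootDirectory /home/%u' '    X11Forwarding no' \
    '    AllowTcpForwarding no' '    ForceCommand internal-sftp' > "$demo_cfg"
sftp_jail_config_ok "$demo_cfg" sftponly && echo "sshd_config: jail directives present"
rm -f "$demo_cfg"
check_chroot_path /home || true
```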

Note: TBC