Difference between pages "Genkernel Quick Start Tutorial" and "SFTP Only Access"

From Funtoo
Genkernel Quick Start Tutorial

Genkernel is a tool which helps you build a Linux kernel and deploy it along with a ramdisk image (an initramfs) containing all of the modules the kernel needs to mount your hard drive partitions into the VFS at system startup.

== Concepts ==

TBC

== Recompiling the Gentoo kernel sources from a SystemRescue CD chroot ==

A second case that many Funtoo users will face is compiling their own kernel when installing a brand new Funtoo instance from a stage 3 archive (the most common scenario is to boot the machine with SystemRescue CD).

{{Fancynote| If you want to use the System Rescue CD sources provided by Funtoo ({{Package|sys-kernel/sysrescue-std-sources}}), the philosophy remains exactly the same.}}

== First step: emerging the required packages ==

The first step is to emerge:

# The Gentoo kernel sources: {{Package|sys-kernel/gentoo-sources}}
# Genkernel itself: {{Package|sys-kernel/genkernel}}

This is achieved by running the following:

<console>
###i## emerge sys-kernel/gentoo-sources sys-kernel/genkernel
</console>

Once the Gentoo kernel sources are deployed, you should find a directory named '''linux-''version''-gentoo''' (e.g. linux-2.6.39-gentoo) under ''<code>/usr/src</code>''. Update the ''<code>linux</code>'' symlink to point to this directory:

<console>
###i## cd /usr/src
###i## rm linux
###i## ln -s linux-2.6.39-gentoo linux
</console>

== Second step: Grabbing and tweaking a configuration file ==

How do you start your kernel configuration? Simply by using the same configuration template the running System Rescue CD kernel was built with! Before chrooting into your Funtoo instance, you did something like:

<console>
###i## mount -o bind /proc /mnt/gentoo/proc
</console>

Or:

<console>
###i## mount -t proc none /mnt/gentoo/proc
</console>

In your chroot environment (or from a System Rescue CD virtual terminal), if you look at what ''<code>/proc</code>'' contains you will notice a file named ''<code>config.gz</code>'':
<console>
###i## ls -l /proc
...
dr-xr-xr-x  7 root      root                    0 May 23 03:13 952
dr-xr-xr-x  7 root      root                    0 May 23 03:13 953
dr-xr-xr-x  7 root      root                    0 May 23 18:42 9834
...
-r--r--r--  1 root      root                16024 May 23 22:27 config.gz
-r--r--r--  1 root      root                    0 May 23 22:27 consoles
-r--r--r--  1 root      root                    0 May 23 22:27 cpuinfo
...
</console>

''<code>config.gz</code>'' holds the configuration of the running (System Rescue CD) kernel; just copy its uncompressed content into the Gentoo sources directory:

<console>
###i## cd /usr/src/linux
###i## zcat /proc/config.gz > .config
</console>

Next, run ''<code>make oldconfig</code>'' to set all newly added options:

<console>
###i## make oldconfig
</console>

Next, tweak the kernel configuration the way you prefer (manual edition of the .config file, make nconfig, make menuconfig...) if you wish. You are not ready yet! A final step is required: '''you ''must'' either set CONFIG_INITRAMFS_SOURCE to a blank value (CONFIG_INITRAMFS_SOURCE="") or delete the statement from the .config file'''. The System Rescue CD configuration embeds an initramfs built from a cpio archive that only exists on the machine the CD was built on; forgetting to blank it will make Genkernel abort the compilation process with a message like:

<console>
/usr/src/linux-2.6.39-gentoo/scripts/gen_initramfs_list.sh: Cannot open '/var/tmp/genkernel/initramfs-2.6.32.14-std155-i386.cpio.gz'
make[1]: *** [usr/initramfs_data.cpio.lzma] Error 1
</console>
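The second step, carried through as an added shell example (written for this page, not code from the Funtoo wiki or from genkernel): it seeds the source tree's .config from a configuration file, gzipped like /proc/config.gz or plain, blanks CONFIG_INITRAMFS_SOURCE in place, and refuses to continue while the option still names a cpio archive, so the failure above is caught before a long build rather than at the end of it. The function names, the optional tree argument and the small sample configuration used below are assumptions made here; the default tree /usr/src/linux is the page's.

```shell
#!/bin/sh
# Added example for the "second step" above; not code from the Funtoo page.
# prepare_config seeds a kernel source tree's .config from a configuration
# file, gzipped (like /proc/config.gz) or plain, and blanks
# CONFIG_INITRAMFS_SOURCE so the build does not look for the System Rescue
# CD's cpio archive, which does not exist on this box. The default tree
# /usr/src/linux matches the page; any other path is the caller's choice.

# Print the value of CONFIG_INITRAMFS_SOURCE from a .config. The two states
# the page accepts (blank value, or statement absent) both print nothing.
initramfs_source() {
    sed -n 's/^CONFIG_INITRAMFS_SOURCE="\(.*\)"$/\1/p' "$1"
}

prepare_config() {
    src=$1
    tree=${2:-/usr/src/linux}
    cfg=$tree/.config
    case $src in
        *.gz) zcat "$src" > "$cfg" ;;
        *)    cat "$src" > "$cfg" ;;
    esac || return 1
    # Blank an existing setting in place; an absent one is already fine.
    if grep -q '^CONFIG_INITRAMFS_SOURCE=' "$cfg"; then
        sed -i 's|^CONFIG_INITRAMFS_SOURCE=.*|CONFIG_INITRAMFS_SOURCE=""|' "$cfg"
    fi
    # Refuse to hand genkernel a config that still names a cpio archive.
    if [ -n "$(initramfs_source "$cfg")" ]; then
        echo "CONFIG_INITRAMFS_SOURCE still set in $cfg" >&2
        return 1
    fi
}

# The whole second step: seed .config from the running kernel, then let
# "make oldconfig" ask about the options the Gentoo sources added since.
configure_from_running_kernel() {
    tree=${1:-/usr/src/linux}
    prepare_config /proc/config.gz "$tree" || return 1
    make -C "$tree" oldconfig
}
```

Run configure_from_running_kernel from the chroot, then continue with the third step below; the sed rewrite is idempotent, so running it again on an already-blanked .config changes nothing.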
== Third step: Building and installing the kernel ==

This is simply achieved by (''--no-mrproper'' keeps the .config you just prepared, which genkernel would otherwise wipe by running make mrproper first):

<console>
###i## genkernel --no-mrproper all
</console>

The same remarks written in the [[Genkernel_Quick_Start_Tutorial#Third_step:_Building_and_installing_the_kernel|third paragraph]] of the first use case are still valid here.

[[Category:Kernel]]

SFTP Only Access (revision as of 21:43, 28 January 2014)

Context

In some cases it can be useful to set up an account on your Funtoo box such that the user:

  • does not see the whole contents of the machine but instead remains "jailed" in a home directory
  • is able to transfer files back and forth to the box via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Slightly change the configuration of OpenSSH so that users belonging to your sftp-only group are given a chrooted access
  3. Make OpenSSH ignore any command other than running the SFTP server for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH daemon configuration (/etc/ssh/sshd_config) locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it to:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user to a simple SFTP session?" Simple! Assuming that sftponly is the group you use for your restricted users, add the following block to /etc/ssh/sshd_config:

# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

Two things to check before restarting sshd. First, put the Match block at the end of the file: every directive that follows a Match line applies only to that match, up to the next Match. Second, sshd only chroots into a directory that is owned by root and writable by nobody but root, and the same holds for every directory above it; with ChrootDirectory /home/%u this means the home directory itself must be root-owned (for a user alice: chown root:root /home/alice; chmod 755 /home/alice) and the user gets a subdirectory they own to upload into. Otherwise the login is refused and the log shows "bad ownership or modes for chroot directory". Run sshd -t to validate the file and sshd -T -C user=alice,host=localhost,addr=127.0.0.1 to print the effective settings for a given user with the Match block applied.

To understand how it works, you must be aware that when you open an SSH session, the sshd process launches a process on the server side, which can be:

  • a shell => ssh login@host
  • a kind of dedicated FTP daemon (sftp-server) => sftp user@host

ForceCommand internal-sftp ignores whatever the client asked for (a shell, a command, or the sftp subsystem) and runs the SFTP server built into sshd instead. Because that server runs inside sshd it needs no support files in the chroot, which is why the external /usr/lib64/misc/sftp-server, with the shared libraries it depends on, would not work from inside the jail.