Bienvenue sur le site admin-sys

sftp limitÃ© Ã un dossier

Jerome ROBERT — 2017-07-05T11:27:12Z

Configuration sftp limitÃ© Ã un dossier

HypothÃ¨se :

Le rÃ©pertoire pour le transfere est : /home/transfere/sftponlyUser

Action :

mkdir -p /home/transfere/sftponlyUser/upload /home/transfere/sftponlyUser/download groupadd sftponly useradd -d /home/transfere/sftponlyUser -g sftponly -m sftponlyUser chmod 750 /home/transfere chown root:sftponly /home/transfere chown root:sftponly /home/transfere/sftponlyUser chmod 750 /home/transfere/sftponlyUser chown sftponlyUser:sftponly /home/transfere/sftponlyUser/upload /home/transfere/sftponlyUser/download

L'utilisateur ne pourra pas Ã©crire Ã sa racine mais dans download et upload

Ajout dans le fichier /etc/ssh/sshd_config

Si gestion par groupe :

Match Group sftponly ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no

Si gestion par utilisateur :

Match User sftponlyUser ChrootDirectory /home/transfere/sftponlyUser ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no

Relancer le service SSH

service sshd restart

Lien utils

Jerome ROBERT — 2009-04-22T15:07:24Z

http://www.scssi.gouv.fr/

Le Service Central de la Sécurité des Systèmes d'Information (SCSSI), organisme public de certification et de conseil évalue les procédés de protection cryptologiques, les produits et systèmes relevant des technologies de l'information, les procédés de protection contre les signaux parasites compromettants et procède aux agréments matériels liés à ce domaine sensible.

http://www.ossir.org/

Observatoire de la Sécurité des Systèmes d'Information & des Réseaux

http://www.securite.org/

Sécurité.Org est un site web français dont le contenu est axé principalement autour de la sécurité informatique, la sécurité des réseaux en environnement IP, la cryptographie et Linux.

http://xtream.online.fr/project/securite.html

Tout ce qu'un administrateur réseau devrait savoir quant à la sécurité sur internet notamment comment la mettre en oeuvre, les problèmes liés à la sécurité, etc.

http://securinet.free.fr/

Découvrez ce qu'il est nécessaire de savoir sur la sécurité sur Internet : piratage, attaques, logiciels, emails non sollicités, spam, virus, cryptologie.

http://www.firewall-net.com/

Firewall net est un guide pour l'installation et la configuration d'un firewall pour Windows, Mac et Linux. Il à l'usage de tous, débutants et confirmés.

Configuration de ssh

Jerome ROBERT — 2009-04-22T15:00:16Z

Configuration de ssh pour ce connecter sans mots de passe lors d'une connexion
de LINUX1 (redhat 7.2) vers adminunix (redhat 9 )

[root@LINUX1 root]# cd
[root@LINUX1 root]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa) :
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase) : azerty
Enter same passphrase again : azerty
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is :
12:8b:0b:f0:3d:d6:04:ff:3e:db:a9:75:ab:47:41:cc root@LINUX1
[root@LINUX1 root]#

[root@LINUX1 root]# cd .ssh/
[root@LINUX1 .ssh]# ls -a
. .. id_rsa id_rsa.pub
[root@LINUX1 .ssh]#

[root@LINUX1 .ssh]# scp id_rsa.pub root@adminunix :/root/.ssh/authorized_keys
root@adminunix's password :root
id_rsa.pub 100% |*******************************************************************|
221 00:00
[root@LINUX1 .ssh]#
[root@LINUX1 .ssh]# scp id_rsa.pub root@adminunix :/root/.ssh/authorized_keys2
root@adminunix's password :root
id_rsa.pub 100% |*******************************************************************|
221 00:00
[root@LINUX1 .ssh]#

[root@LINUX1 .ssh]# ssh adminunix
Enter passphrase for key '/root/.ssh/id_rsa' : azerty
Last login : Tue Jun 24 22:57:51 2003
[root@adminunix root]# uname -a
Linux adminunix 2.4.20-13.9 #1 Mon May 12 10:55:37 EDT 2003 i686 i686 i386
GNU/Linux
[root@adminunix root]# exit
Connection to adminunix closed.
[root@LINUX1 .ssh]
[root@LINUX1 .ssh]# chmod a+x lance.sh
[root@LINUX1 .ssh]# ./lance.sh
Need passphrase for /root/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa azerty
Identity added : /root/.ssh/id_rsa (rsa w/o comment)
[root@LINUX1 .ssh]# . ./.info
[root@LINUX1 .ssh]# ssh adminunix
Last login : Tue Jun 24 23:28:42 2003 from linux1
[root@adminunix root]# uname -n
adminunix
[root@adminunix root]# exit

[root@LINUX1 .ssh]# cat lance.sh

# !/bin/sh
ssh-agent | head -2 > /root/.ssh/.info
. /root/.ssh/.info
ssh-add

[root@adminunix
root]# ssh LINUX1
Permission denied (publickey,password,keyboard-interactive).
[root@adminunix root]#

Mais ... car pas configurer ....
car généralement dans ssh_config : PasswordAuthentication no
et PubkeyAuthentication yes

LINUX1	adminunix
/etc/ssh/ssh_config	/etc/ssh/sshd_config	/etc/ssh/ssh_config	/etc/ssh/sshd_config
# $OpenBSD : ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $ # This is ssh client systemwide configuration file. See ssh(1) for more # information. This file provides defaults for users, and the values can # be changed in per-user configuration files or on the command line. # Configuration data is parsed as follows : # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsAuthentication no # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes # FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes # StrictHostKeyChecking yes # IdentityFile /.ssh/identity # IdentityFile /.ssh/id_dsa # IdentityFile /.ssh/id_rsa # Port 22 # Protocol 2,1 # Cipher blowfish # EscapeChar Host * ForwardX11 yes # PubkeyAuthentication yes	# $OpenBSD : sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $ # This sshd was compiled with PATH=/usr/bin :/bin :/usr/sbin :/sbin # This is the sshd server system-wide configuration file. See sshd(8) # for more information. Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress : : HostKey /etc/ssh/ssh_host_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read /.rhosts and /.shosts files IgnoreRhosts yes # Uncomment if you don't trust /.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding yes X11DisplayOffset 10 PrintMotd yes #PrintLastLog no KeepAlive yes PubkeyAuthentication yes # Logging SyslogFacility AUTHPRIV LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthentication no # # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here ! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no # Uncomment to enable PAM keyboard-interactive authentication # Warning : enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes #CheckMail yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp/usr/libexec/openssh/sftp-server	# $OpenBSD : ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $ # This is ssh client systemwide configuration file. See ssh(1) for more # information. This file provides defaults for users, and the values can # be changed in per-user configuration files or on the command line. # Configuration data is parsed as follows : # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsAuthentication no # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes # FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes # StrictHostKeyChecking yes # IdentityFile /.ssh/identity # IdentityFile /.ssh/id_dsa # IdentityFile /.ssh/id_rsa # Port 22 # Protocol 2,1 # Cipher blowfish # EscapeChar Host * ForwardX11 yes # PubkeyAuthentication yes	# $OpenBSD : sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $ # This sshd was compiled with PATH=/usr/bin :/bin :/usr/sbin :/sbin # This is the sshd server system-wide configuration file. See sshd(8) # for more information. Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress : : HostKey /etc/ssh/ssh_host_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read /.rhosts and /.shosts files IgnoreRhosts yes # Uncomment if you don't trust /.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding yes X11DisplayOffset 10 PrintMotd yes #PrintLastLog no KeepAlive yes PubkeyAuthentication yes # Logging SyslogFacility AUTHPRIV LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthentication no # # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here ! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no # Uncomment to enable PAM keyboard-interactive authentication # Warning : enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes #CheckMail yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp/usr/libexec/openssh/sftp-server

Introduction Ã SSH

Jerome ROBERT — 2009-04-22T14:59:40Z

Vous vous connectez comment sur vos machines ???

En telnet, rlogin, reflectionX ...

Vous avez entendu parler de snoop, tcpdump, de sonde réseaux ???

Non, alors .... il faut savoir que votre mot de passe circule en clair sur le
réseau et que tout ce que vous voyez aussi ... si si ...

Vous en passez QUOI ???

C'est la fÃªte au village non ?? Alors pour éviter de ce faire pirater, je
vous conseille d'étudier "SSH". C'est gratuit est cela peu vous faire
gagner de l'argent du moins éviter d'en perdre ...

Voici un pdf intéressant : télécharger un pdf

— >

Sinon, voici quelque liens pour ce faire une idée :

http://www.openssh.org/fr/index.html

http://www.ssh.com/

http://www.via.ecp.fr/ alexis/formation-linux/ssh.html

http://linuxline.epfl.ch/Doc/rhl-cg-fr-7.1/openssh-clients.html

http://ftp.ssh.com/priv/secureshell/h7cq89th/francais/notesdepublication.pdf