A useful little article; source: http://planet.ubuntu.com/
This how-to will explain how to use screen to allow a shared terminal session over an ssh connection. This may be helpful if you wish to teach the Linux command line, and it can be used in concert with IRC.
The impetus for this how-to is the desire of the Ubuntu Forums Beginners Team to facilitate learning the command line during IRC Classroom sessions.
This how-to will use two accounts:
guru - the master or teaching account. This account owns the screen session. Only the guru account will be able to enter commands into the shared screen session.
guest - the guest account may log in over ssh and will automatically attach to the shared session. You may have multiple people log into the guest account from multiple ip addresses (locations) simultaneously.
The shared session will be “read only” meaning the guest(s) will be able to observe commands, and the output, but not enter commands. The account running the screen session (both setting up and entering commands) will be “guru”.
Configure the guest account
Make the following files in /home/guest owned by root.guest
.bash_login
.bash_logout
.bash_profile
.bashrc
.profile
Permissions of the above files are 640
Make the contents of .bash_profile read something like:
trap "" 2 3 19 # *try* to stop user getting to shell
clear
BLUE='\e[0;34m'
RED='\e[0;31m'
GREEN='\e[0;32m'
echo -e "${BLUE}" "Welcome to the UFBT ssh session"
echo
echo -e "${BLUE}" "This session is \"read only\""
echo -e "${BLUE}" "You will see commands and the output ..."
echo -e "${BLUE}" "But you will NOT be able to enter commands"
echo -e "${BLUE}" "of your own."
echo
echo -e "${RED}" "To exit this session, just close your terminal"
echo
echo -e "${GREEN}" "Press Enter to continue..." && read
screen -x guru/lesson
exit
Make the contents of .bash_login, .bashrc, and .profile read:
. ./.bash_profile
Make /home/guest owned by root.guest
sudo chown root.guest /home/guest
Now make home directories “private”
Permissions of /home/guest (and any other /home directory) are 750
sudo chmod 750 /home/guest
sudo chmod o-rx /root
Now we will further restrict the guest with AppArmor. To do this we will make a restricted shell “jailbash” and use this as the default shell for the guest account. The idea of jailbash is to restrict the very public guest account in the unforeseen event a cracker misuses the account and obtains a shell.
(BIG thank you to jdong for teaching me this).
First make a (hard) link
ln /bin/bash /usr/local/bin/jailbash
Now we need an apparmor profile for /usr/local/bin/jailbash
The one I am using is modified from jdong's (note that the bracketed targets of the three #include lines below were lost when this post was copied; restore them before loading the profile):
#include
/usr/local/bin/jailbash {
#include
#include
capability setuid,
owner /etc/passwd r,
owner /etc/shadow r,
/home/guest/ r,
/home/guest/** r,
/lib/terminfo/** r,
/proc/*/stat r,
/tmp/** r,
/usr/bin/clear rix,
/usr/bin/screen rix,
/usr/local/bin/jailbash r,
owner /var/run/* r,
owner /var/run/screen/** rw,
}
The capability setuid is necessary to connect to the guest screen.
Save that profile as /etc/apparmor.d/usr.local.bin.jailbash
Then
sudo /etc/init.d/apparmor restart
sudo aa-enforce /usr/local/bin/jailbash
With that, the guest account should be all set.
Again, thank you to jdong for sharing his jailbash Apparmor profile.
Configure screen (must run with SUID bit set)
sudo chmod +s /usr/bin/screen
sudo chmod 755 /var/run/screen
Configure ssh keys
Using ssh keys (instead of passwords) helps prevent abuse of your ssh server.
Make a key for the guru and guest accounts.
Copy the public keys to the server into each account's ~/.ssh/authorized_keys
Make the keys owned by root.guest and root.guru respectively (permissions 640)
Now edit the keys; at the very beginning of the line, add the following:
guru : command="/bin/bash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding
guest : command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
If you do not understand this, see my blog on svn+ssh.
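The options prefix above is easy to get subtly wrong: a closing quote placed after the last option turns the entire option list into the forced command, and none of the no-* restrictions apply. The following is an added example (not part of the original post) that parses a line the way sshd splits its options and audits a guest key against the settings given above; the key blob and comment are constructed placeholders.

```python
"""Audit the forced-command options on a guest authorized_keys line."""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# Restrictions this how-to places on the guest key.
REQUIRED_GUEST_FLAGS = {"no-port-forwarding", "no-agent-forwarding",
                        "no-X11-forwarding", "no-pty"}


def _store(opts, tok):
    """Record a finished option token: flags map to True, name=value to value."""
    if tok:
        name, sep, value = "".join(tok).partition("=")
        opts[name] = value if sep else True
        tok.clear()


def parse_authorized_keys_line(line):
    """Return (options, key_fields). Options are comma separated; a value in
    double quotes may contain commas and spaces, and \\" is a literal quote."""
    line = line.strip()
    if not line or line.startswith("#"):
        return {}, []
    if line.split(None, 1)[0] in KEY_TYPES:          # no options prefix
        return {}, line.split()
    opts, tok, in_quote, i = {}, [], False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            tok.append('"')
            i += 1                                   # skip the escaped quote
        elif c == '"':
            in_quote = not in_quote
        elif not in_quote and c == ",":
            _store(opts, tok)
        elif not in_quote and c.isspace():           # end of the options field
            _store(opts, tok)
            return opts, line[i:].split()
        else:
            tok.append(c)
        i += 1
    raise ValueError("options field with no key material after it")


def audit_guest_line(line, command="/usr/local/bin/jailbash"):
    """Findings for a guest key line; empty when it matches the how-to."""
    opts, _ = parse_authorized_keys_line(line)
    findings = []
    if opts.get("command") != command:
        findings.append("command is %r, expected %r" % (opts.get("command"), command))
    findings += ["missing " + f for f in sorted(REQUIRED_GUEST_FLAGS - set(opts))]
    return findings


# Constructed sample lines; the key blob is a placeholder, not a real key.
GUEST_LINE = ('command="/usr/local/bin/jailbash",no-port-forwarding,'
              'no-agent-forwarding,no-X11-forwarding,no-pty '
              'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD_PLACEHOLDER guest@laptop')
# Same line with the closing quote misplaced after the last option.
MISQUOTED_LINE = GUEST_LINE.replace('jailbash",', 'jailbash,').replace('no-pty ', 'no-pty" ')
```

Running `audit_guest_line` on the misquoted variant reports the whole option list as the command plus four missing restrictions, which is exactly what sshd would enforce.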
Start a shared session
Begin by logging into the ssh server as "guru" and start a screen session:
screen -S lesson
NOTE: It is critical to name the screen session the same as in /home/guest/.bash_profile ("screen -x guru/lesson").
Once the screen session has started, enter the following commands with c-a: (c-a is an abbreviation for the key combination Control-a; so hit c-a, then :, then the command).
c-a:multiuser on
c-a:acladd guest
c-a:aclchg guest -wx "#,?"
c-a:aclchg guest +x "colon,wall,detach"
Guests can attach to the screen session with:
ssh guest@host -i /home/.ssh/guest-ssh-key
Note: They still need to enter the passphrase of the guest ssh key.
Guests can detach with c-a d (Control-a d)
The user guru can see a list of attached guests with:
c-a:displays
Guests and the guru can communicate via IRC (or wall).