-2

我正在尝试chroot在 EC2 实例(Amazon AMI Linux)上创建监狱。我已经尝试过这里的说明:https ://allanfeid.com/content/creating-chroot-jail-ssh-access

我的 EC2 实例有一个名为 SSH 密钥demosystems.pem,我可以通过ec2-user.

$ groupadd sshusers
$ adduser -g sshusers janedoe
$ mkdir -p /var/jail/{dev,etc,lib,lib64,usr,bin}
$ mkdir -p /var/jail/usr/bin
$ chown root.root /var/jail
$ mknod -m 666 /var/jail/dev/null c 1 3
$ cd /var/jail/etc
$ cp /etc/ld.so.cache .
$ cp /etc/ld.so.conf .
$ cp /etc/nsswitch.conf .
$ cp /etc/hosts .
$ cd /var/jail/usr/bin
$ cp /usr/bin/ls .
$ cp /usr/bin/bash .
$ cd /sbin
$ wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
$ chmod +x l2chroot
$ l2chroot ls
$ l2chroot bash
$ nano /etc/ssh/sshd_config
Match group sshusers
          ChrootDirectory /var/jail/
          X11Forwarding no
          AllowTcpForwarding no

我也尝试过使用geerlingguy.ansible-role-ssh-chroot-jailAnsible 角色:

---
- name: Create chroot jail
  hosts: chroot
  become: yes

  vars:
  - ssh_chroot_jail_users:
      name: janedoe
      homedir: /home/janedoe
      shell: /bin/bash

  roles:
    - geerlingguy.ssh-chroot-jail

这两种情况下,我在尝试 SSH 时遇到的错误janedoe是:

No supported authentication methods available (server sent: public key). Server refused our key.

因此,我认为问题出在最后一步。以上设置Match group

有什么想法/想法吗?

4

1 回答 1

1

.ssh目录和authorized_keys文件不存在。Ansible 的解决方案是创建两个发布任务:

post_tasks:
  - name: Create SSH Directory
    file:
      path: /home/janedoe/.ssh
      state: directory

  - name: Copy SSH from ec2-user to janedoe
    copy:
      remote_src: yes
      src: /home/ec2-user/.ssh/authorized_keys
      dest: /home/janedoe/.ssh/authorized_keys
      owner: janedoe
于 2019-06-14T06:03:08.033 回答