Excellent summary, I'll give this root kit a try this weekend.<br><br><div><span class="gmail_quote">On 08/02/2008, <b class="gmail_sendername">Yvan Seth</b> <<a href="mailto:watford.lug.org.uk@malignity.net">watford.lug.org.uk@malignity.net</a>> wrote:</span><blockquote class="gmail_quote" style="margin-top: 0; margin-right: 0; margin-bottom: 0; margin-left: 0; margin-left: 0.80ex; border-left-color: #cccccc; border-left-width: 1px; border-left-style: solid; padding-left: 1ex">
Hi all, since Cliff was unable to attend I'd step in to write some<br>"quick" notes about last night's (Thursday 8th) LUG meeting. I wasn't<br>taking any notes at the time so will try my best from memory, apologies<br>
for inaccuracies and omissions (especially in the area of names!) Please<br>correct and extend!<br><br>Date: 2008-02-08<br>Open: 07:30<br>Close: 22:00<br>Location: Pitney Bowes Software, Leavesden Park<br>Attendees:<br> Alan ?, Kathlene Belista, Magnus Kelly, Marcin Kisiala,<br>
Steven Acreman, Yvan Seth<br>Apologies:<br> Alain Williams, Cliff Deamer, John Ingleby, Mat-Berry Sutton,<br> Neel Upadhyaya<br><br>Best wishes and a "get well soon" for Cliff and Neel's grandmother.<br>
<br>I'm afraid my terrible memory for names has struck. The gentleman<br>with a background in accountancy may have been an Alan, my sincere<br>apologies in the likely case I got it wrong! I believe that<br>possible-Alan was attending for the first time. As was Magnus who<br>
(along with Marcin) is from Mapesbury Communications in Watford, a small<br>company fighting it out in the telco scene and endeavouring to do the<br>job with OSS.<br><br>Asus Eee<br>--------<br>Steven kicked off the meeting by showing off one of the Pitney Bowes<br>
Software's "Asus Eee" laptops. It's surprisingly snappy but, I found,<br>very difficult to type on. It was running Windows though (since it is<br>used for powerpoint/etc) so we'll leave it at that!<br>
<br>Jailkit<br>-------<br><br>The major activity for the evening was working out how to set up<br>chrooted sftp-access accounts. Marcin brought in a PC with a basic<br>Centos install to be a guinea-pig for this purpose. As with many things<br>
Linux the best approach is often to download the script that someone<br>else wrote when they solved the same problem, in this spirit Steven<br>downloaded the "jailkit" (<a href="http://olivier.sessink.nl/jailkit/">http://olivier.sessink.nl/jailkit/</a>) tarball.<br>
<br>Jailkit is actually more than just a script, it's a whole toolkit and<br>also provides a compiled binary program that takes the place of the<br>user's shell to enforce login policy and enact the chroot. Building<br>
(./configure) and installing (make install) the toolkit gives you a set<br>of commands for creating and managing chroots and users. The tarball<br>comes with a README.txt file and it really is mostly a matter of<br>following the instructions within. For our purposes, to make it work on<br>
the Centos system:<br><br>-------------------------------------------------<br> mkdir /home/sftproot<br> jk_init -j /home/sftproot jk_lsh<br> jk_init -j /home/sftproot sftp<br> jk_init -j /home/sftproot scp<br>
adduser test2<br> jk_jailuser -j /home/sftproot test2<br> killall jk_socketd<br> jk_socketd<br> vim /home/sftproot/etc/jailkit/jk_lsh.ini<br>-------------------------------------------------<br>(Did we run the two jk_socketd lines at all?)<br>
<br>Based on the existing template we put this in jk_lsh.ini:<br>-------------------------------------------------<br> [test2]<br> paths= /usr/lib/<br> executables= /usr/lib/openssh/sftp-server<br> allow_word_expansion = 0<br>
umask = 002<br>-------------------------------------------------<br><br>To test this, which we had to do several times before getting it right,<br>we tried to sftp to localhost with:<br> sftp -oPort=1616 test2@localhost<br>
Marcin had SSH configured to port 1616, thus the extra param. In the<br>occasions that it failed useful error messages were to be found in:<br> /var/log/messages<br><br>With "test2" working we next created a second user, "foo" (adduser<br>
followed by jk_jailuser) with a duplicate of the "test2" policy block in<br>jk_lsh.ini. We ensured that the user could log in and verified that the<br>different users can see each other's home directories (as they can<br>
navigate within the chroot) but not enter or examine other homedirs so<br>long as the directory permissions are set appropriately.<br><br>Other Jailkit discussion points and questions included:<br> * You could give each account its own gaol and thus completely<br>
isolate them from each other.<br> * While "chroot" is notoriously insecure this configuration allows<br> only FTP-style access so should be safe (i.e. user cannot execute<br> arbitrary binaries.)<br> * The policy file (jk_lsh.ini) deserves further investigation, as it<br>
certainly allows more login control than we investigated.<br> * The thought of using a VM, such as Xen, was considered as an<br> alternative but deemed a rather heavyweight approach.<br> * We tested with password authentication but all the usual SSH<br>
authentication methods should work too as the jk_lsh chrooting and<br> policy enforcement occurs after the normal SSH authentication<br> procedure.<br> * Throttling bandwidth per-account was discussed though on the<br>
evening, no-one knew a solution for this for "jailkit". A program<br> that can run as the super-process of another process and throttle IO<br> was suggested (very good for slowing down those SCPs, wgets and<br>
package-updates that otherwise flood your link, it's "trickle".)<br><br><br>Further Discussion<br>------------------<br><br>Magnus and Marcin brought up a few topics that were troubling them in<br>their attempt to run a telco on OSS technology. We discussed:<br>
<br> * Asterisk failover, whether it was possible to have one system cut<br> over to another on failure *without* dropping calls (hardware layer<br> difficulties?) Especially in a context where the systems are<br>
running in virtual machines. Nobody had a ready answer for this.<br> * Billing systems, especially unifying across different forms of<br> service provision and working with the standardised formats of the<br> telco industry. OSS vs Microsoft solutions in this area and<br>
self-rolled versus getting the experts in. Steven had a lot of<br> insightful input on this given it is one of his areas of expertise.<br> * Remote X (xterm) access to Linux systems from Windows. Cygwin<br> (<a href="http://x.cygwin.com">x.cygwin.com</a>) and Xming (<a href="http://sourceforge.net/projects/xming">sourceforge.net/projects/xming</a>) were<br>
mentioned as solutions for this. It was suggested that we could do<br> a quick run-through on installing, configuring, and using these in<br> next month's meeting.<br><br><br>Big Iron<br>--------<br><br>
Steven had more impressive hardware to show off this evening. Including<br>a nice little computer from IBM, they had to punch a hole in the side of<br>the building to get this one inside!<br><br><br>Next Meeting<br>------------<br>
<br>Date: Thursday March 6th, 19:30 - 22:00<br>Demonstration: TBC: Introduction to AMPACHE, Toby Deans<br><br>Best regards,<br>Yvan Seth<br><br>_______________________________________________<br>Watford mailing list<br><a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br></blockquote></div><br>
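The jailkit procedure from Yvan's notes, reassembled as a script with the two checks that came up on the evening (home-directory permissions between jailed users, and that the chroot is enforced by the login shell after normal SSH authentication). This is an added example, not code from the notes or from the jailkit project. It assumes jailkit is installed with jk_init, jk_jailuser and jk_socketd on PATH; JAIL, SFTP_SERVER and the function names jk_lsh_policy, passwd_entry_is_jailed, homedir_is_private and make_sftp_jail are hypothetical choices of this example. The sftp-server path in the policy stanza must be where jk_init copied it inside the jail, which mirrors the host: /usr/libexec/openssh/sftp-server on CentOS/RHEL, /usr/lib/openssh/sftp-server on Debian/Ubuntu. The jailed-user check relies on the "/./" marker jk_jailuser writes into the home field of /etc/passwd (jail root before it, path inside the jail after it) and on the shell being jk_chrootsh.

```shell
#!/bin/sh
# Added example, not from the LUG notes or the jailkit project: the sftp-only
# chroot procedure from the meeting as a script, plus the checks discussed.
# Assumes jailkit is installed (jk_init, jk_jailuser, jk_socketd on PATH).
# JAIL and SFTP_SERVER are hypothetical defaults; override via environment.
# CentOS/RHEL ship sftp-server at /usr/libexec/openssh/sftp-server,
# Debian/Ubuntu at /usr/lib/openssh/sftp-server.
JAIL="${JAIL:-/home/sftproot}"
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}"

# Print the jk_lsh.ini stanza for one user: jk_lsh will only exec sftp-server,
# refuses shell word expansion, and applies a group-writable umask.
jk_lsh_policy() {
    printf '[%s]\n' "$1"
    printf 'paths= %s\n' "$(dirname "$SFTP_SERVER")"
    printf 'executables= %s\n' "$SFTP_SERVER"
    printf 'allow_word_expansion = 0\n'
    printf 'umask = 002\n'
}

# One /etc/passwd line is "jailed" when the home field carries the /./ marker
# that jk_jailuser writes (jail root before it, path inside the jail after it)
# and the shell is jk_chrootsh, which chroots only after sshd has authenticated.
passwd_entry_is_jailed() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$home" in */./*) ;; *) return 1 ;; esac
    case "$shell" in */jk_chrootsh|jk_chrootsh) return 0 ;; *) return 1 ;; esac
}

# Home directories inside the jail must not be group- or world-readable,
# otherwise jailed users can list each other's files; 0700 or 0750 is fine.
homedir_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in 700|750|710) return 0 ;; *) return 1 ;; esac
}

# Build the jail, create and jail the user, append the policy stanza,
# then run the two checks. Must run as root.
make_sftp_jail() {
    user="$1"
    mkdir -p "$JAIL"
    jk_init -j "$JAIL" jk_lsh      # jk_lsh binary and its ini
    jk_init -j "$JAIL" sftp        # sftp-server and the libraries it needs
    jk_init -j "$JAIL" scp
    id "$user" >/dev/null 2>&1 || adduser "$user"
    jk_jailuser -m -j "$JAIL" "$user"   # -m moves /home/$user into the jail
    jk_lsh_policy "$user" >> "$JAIL/etc/jailkit/jk_lsh.ini"
    chmod 0750 "$JAIL/home/$user"
    # jk_socketd only forwards syslog out of the jail; restart it so the new
    # jail's socket is picked up (the notes were unsure whether this was run).
    pkill jk_socketd 2>/dev/null; jk_socketd
    passwd_entry_is_jailed "$(getent passwd "$user")" ||
        { echo "$user: shell/home not set by jk_jailuser" >&2; return 1; }
    homedir_is_private "$JAIL/home/$user" ||
        { echo "$user: home is readable by other jailed users" >&2; return 1; }
    echo "ok: sftp $user@localhost should now land inside $JAIL"
}

# Usage: sh sftpjail.sh test2 foo
for u in "$@"; do make_sftp_jail "$u"; done
```

Failures still show up in /var/log/messages as in the notes; if the sftp login drops immediately, compare the executables= path in jk_lsh.ini with what jk_init actually copied under the jail before anything else.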