[Watford] February Meeting Notes
Yvan Seth
watford.lug.org.uk at malignity.net
Fri Feb 8 11:27:10 GMT 2008
Hi all, since Cliff was unable to attend I'll step in to write some
"quick" notes about last night's (Thursday 8th) LUG meeting. I wasn't
taking any notes at the time so will try my best from memory; apologies
for inaccuracies and omissions (especially in the area of names!).
Please correct and extend!
Date: 2008-02-08
Open: 07:30
Close: 22:00
Location: Pitney Bowes Software, Leavesden Park
Attendees:
Alan ?, Kathlene Belista, Magnus Kelly, Marcin Kisiala,
Steven Acreman, Yvan Seth
Apologies:
Alain Williams, Cliff Deamer, John Ingleby, Mat-Berry Sutton,
Neel Upadhyaya
Best wishes and a "get well soon" for Cliff and Neel's grandmother.
I'm afraid my terrible memory for names has struck. The gentleman
with a background in accountancy may have been an Alan, my sincere
apologies in the likely case I got it wrong! I believe that
possible-Alan was attending for the first time. As was Magnus who
(along with Marcin) is from Mapesbury Communications in Watford, a small
company fighting it out in the telco scene and endeavouring to do the
job with OSS.
Asus Eee
--------
Steven kicked off the meeting by showing off one of Pitney Bowes
Software's "Asus Eee" laptops. It's surprisingly snappy but, I found,
very difficult to type on. It was running Windows though (since it is
used for powerpoint/etc) so we'll leave it at that!
Jailkit
-------
The major activity for the evening was working out how to set up
chrooted sftp-access accounts. Marcin brought in a PC with a basic
Centos install to be a guinea-pig for this purpose. As with many things
Linux, the best approach is often to download the script that someone
else wrote when they solved the same problem; in this spirit Steven
downloaded the "jailkit" (http://olivier.sessink.nl/jailkit/) tarball.
Jailkit is actually more than just a script; it's a whole toolkit and
also provides a compiled binary program that takes the place of the
user's shell to enforce login policy and enact the chroot. Building
(./configure) and installing (make install) the toolkit gives you a set
of commands for creating and managing chroots and users. The tarball
comes with a README.txt file and it really is mostly a matter of
following the instructions within. For our purposes, to make it work on
the Centos system:
-------------------------------------------------
mkdir /home/sftproot
jk_init -j /home/sftproot jk_lsh
jk_init -j /home/sftproot sftp
jk_init -j /home/sftproot scp
adduser test2
jk_jailuser -j /home/sftproot test2
killall jk_socketd
jk_socketd
vim /home/sftproot/etc/jailkit/jk_lsh.ini
-------------------------------------------------
(Did we run the two jk_socketd lines at all?)
Based on the existing template we put this in jk_lsh.ini:
-------------------------------------------------
[test2]
paths= /usr/lib/
executables= /usr/lib/openssh/sftp-server
allow_word_expansion = 0
umask = 002
-------------------------------------------------
To test this, which we had to do several times before getting it right,
we tried to sftp to localhost with:
sftp -oPort=1616 test2@localhost
Marcin had SSH configured to port 1616, thus the extra param. On the
occasions that it failed, useful error messages were to be found in:
/var/log/messages
With "test2" working we next created a second user, "foo" (adduser
followed by jk_jailuser) with a duplicate of the "test2" policy block in
jk_lsh.ini. We ensured that the user could log in and verified that the
different users can see each other's home directories (as they can
navigate within the chroot) but not enter or examine other homedirs so
long as the directory permissions are set appropriately.
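The "so long as the directory permissions are set appropriately" part is
the bit worth checking on a real box. Below is an added example (not
from the meeting, and not part of jailkit) of a small POSIX sh audit
that walks <jail>/home and reports any home directory that grants
read, write or execute to "other" (or write to group), plus a check that
the jail root and its /home are not group/world writable. It assumes
each jailed user has a private primary group, so the "other" bits are
what one jailed user sees of another's home. The sample jail it builds
(users "alice" and "bob") is constructed purely for demonstration.

```shell
#!/bin/sh
# Added example, not from the meeting notes or the jailkit project.
# Audit a jailkit-style chroot so jailed users can list /home but
# cannot enter or read each other's home directories.
# Assumption: each jailed user has a private primary group, so a
# sibling user is "other" with respect to another user's home.

# Print each directory directly under $1/home that grants any r/w/x bit
# to "other" or write to group. Returns 1 if any were found, else 0.
audit_jail_homes() {
    jail="$1"
    bad=$(find "$jail/home" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -o+r -o -perm -o+w -o -perm -o+x -o -perm -g+w \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# The jail root and its /home must not be writable by group or other;
# a writable chroot root is the classic precondition for chroot escapes.
# (Ownership by root is also required, but is left out here so the check
# can be exercised as an unprivileged user.)
audit_jail_root() {
    jail="$1"
    bad=$(find "$jail" "$jail/home" -maxdepth 0 -type d \
        \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by group/other: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample: a throwaway jail with one correctly locked-down
# home (alice, 0700) and one over-permissive home (bob, 0755).
# Echoes the jail path.
make_sample_jail() {
    jail=$(mktemp -d)
    mkdir -p "$jail/home/alice" "$jail/home/bob"
    chmod 755 "$jail" "$jail/home"
    chmod 700 "$jail/home/alice"
    chmod 755 "$jail/home/bob"
    echo "$jail"
}

# Usage: sh audit_jail.sh /home/sftproot
if [ -n "${1:-}" ]; then
    audit_jail_root "$1" && audit_jail_homes "$1" && echo "jail looks clean"
fi
```

Run it against the jail root (e.g. /home/sftproot) after adding each
user; anything it prints is a home directory another jailed user could
enter or read, and the fix is the usual chmod 700 on that directory.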
Other Jailkit discussion points and questions included:
* You could give each account its own gaol and thus completely
isolate them from each other.
* While "chroot" is notoriously insecure, this configuration allows
only FTP-style access so should be safe (i.e. the user cannot execute
arbitrary binaries).
* The policy file (jk_lsh.ini) deserves further investigation, as it
certainly allows more login control than we investigated.
* The thought of using a VM, such as Xen, was considered as an
alternative but deemed a rather heavyweight approach.
* We tested with password authentication but all the usual SSH
authentication methods should work too as the jk_lsh chrooting and
policy enforcement occurs after the normal SSH authentication
procedure.
* Throttling bandwidth per-account was discussed, though on the
evening no-one knew a solution for this for "jailkit". A program
that can run as the super-process of another process and throttle IO
was suggested (very good for slowing down those SCPs, wgets and
package-updates that otherwise flood your link): it's "trickle".
Further Discussion
------------------
Magnus and Marcin brought up a few topics that were troubling them in
their attempt to run a telco on OSS technology. We discussed:
* Asterisk failover, whether it was possible to have one system cut
over to another on failure *without* dropping calls (hardware layer
difficulties?) Especially in a context where the systems are
running in virtual machines. Nobody had a ready answer for this.
* Billing systems, especially unifying across different forms of
service provision and working with the standardised formats of the
telco industry. OSS vs Microsoft solutions in this area and
self-rolled versus getting the experts in. Steven had a lot of
insightful input on this given it is one of his areas of expertise.
* Remote X (xterm) access to Linux systems from Windows. Cygwin
(x.cygwin.com) and Xming (sourceforge.net/projects/xming) were
mentioned as solutions for this. It was suggested that we could do
a quick run-through on installing, configuring, and using these in
next month's meeting.
Big Iron
--------
Steven had more impressive hardware to show off this evening, including
a nice little computer from IBM; they had to punch a hole in the side of
the building to get this one inside!
Next Meeting
------------
Date: Thursday March 6th, 19:30 - 22:00
Demonstration: TBC: Introduction to AMPACHE, Toby Deans
Best regards,
Yvan Seth