[Watford] February Meeting Notes
Mark Stewart
markwstewart@gmail.com
Fri Feb 8 15:45:31 GMT 2008
Excellent summary, I'll give this root kit a try this weekend.
On 08/02/2008, Yvan Seth <watford.lug.org.uk@malignity.net> wrote:
>
> Hi all, since Cliff was unable to attend I'll step in to write some
> "quick" notes about last night's (Thursday 8th) LUG meeting. I wasn't
> taking any notes at the time so will try my best from memory; apologies
> for inaccuracies and omissions (especially in the area of names!). Please
> correct and extend!
>
> Date: 2008-02-08
> Open: 07:30
> Close: 22:00
> Location: Pitney Bowes Software, Leavesden Park
> Attendees:
> Alan ?, Kathlene Belista, Magnus Kelly, Marcin Kisiala,
> Steven Acreman, Yvan Seth
> Apologies:
> Alain Williams, Cliff Deamer, John Ingleby, Mat-Berry Sutton,
> Neel Upadhyaya
>
> Best wishes and a "get well soon" for Cliff and Neel's grandmother.
>
> I'm afraid my terrible memory for names has struck. The gentleman
> with a background in accountancy may have been an Alan; my sincere
> apologies in the likely case I got it wrong! I believe that
> possible-Alan was attending for the first time. As was Magnus who
> (along with Marcin) is from Mapesbury Communications in Watford, a small
> company fighting it out in the telco scene and endeavouring to do the
> job with OSS.
>
> Asus Eee
> --------
> Steven kicked off the meeting by showing off one of Pitney Bowes
> Software's "Asus Eee" laptops. It's surprisingly snappy but, I found,
> very difficult to type on. It was running Windows though (since it is
> used for PowerPoint etc.) so we'll leave it at that!
>
> Jailkit
> -------
>
> The major activity for the evening was working out how to set up
> chrooted sftp-access accounts. Marcin brought in a PC with a basic
> CentOS install to be a guinea-pig for this purpose. As with many things
> Linux, the best approach is often to download the script that someone
> else wrote when they solved the same problem; in this spirit Steven
> downloaded the "jailkit" (http://olivier.sessink.nl/jailkit/) tarball.
>
> Jailkit is actually more than just a script, it's a whole toolkit and
> also provides a compiled binary program that takes the place of the
> user's shell to enforce login policy and enact the chroot. Building
> (./configure) and installing (make install) the toolkit gives you a set
> of commands for creating and managing chroots and users. The tarball
> comes with a README.txt file and it really is mostly a matter of
> following the instructions within. For our purposes, to make it work on
> the CentOS system:
>
> -------------------------------------------------
> mkdir /home/sftproot
> jk_init -j /home/sftproot jk_lsh
> jk_init -j /home/sftproot sftp
> jk_init -j /home/sftproot scp
> adduser test2
> jk_jailuser -j /home/sftproot test2
> killall jk_socketd
> jk_socketd
> vim /home/sftproot/etc/jailkit/jk_lsh.ini
> -------------------------------------------------
> (Did we run the two jk_socketd lines at all?)
>
> Based on the existing template we put this in jk_lsh.ini:
> -------------------------------------------------
> [test2]
> paths= /usr/lib/
> executables= /usr/lib/openssh/sftp-server
> allow_word_expansion = 0
> umask = 002
> -------------------------------------------------
>
> To test this, which we had to do several times before getting it right,
> we tried to sftp to localhost with:
> sftp -oPort=1616 test2@localhost
> Marcin had SSH configured to port 1616, hence the extra parameter. On the
> occasions that it failed, useful error messages were to be found in:
> /var/log/messages
>
> With "test2" working we next created a second user, "foo" (adduser
> followed by jk_jailuser) with a duplicate of the "test2" policy block in
> jk_lsh.ini. We ensured that the user could log in and verified that the
> different users can see each other's home directories (as they can
> navigate within the chroot) but not enter or examine other homedirs so
> long as the directory permissions are set appropriately.
>
> Other Jailkit discussion points and questions included:
> * You could give each account its own gaol and thus completely
> isolate them from each other.
> * While "chroot" is notoriously insecure, this configuration allows
> only FTP-style access so should be safe (i.e. the user cannot execute
> arbitrary binaries).
> * The policy file (jk_lsh.ini) deserves further investigation, as it
> certainly allows more login control than we investigated.
> * The thought of using a VM, such as Xen, was considered as an
> alternative but deemed a rather heavyweight approach.
> * We tested with password authentication but all the usual SSH
> authentication methods should work too as the jk_lsh chrooting and
> policy enforcement occurs after the normal SSH authentication
> procedure.
> * Throttling bandwidth per-account was discussed, though on the
> evening no-one knew a solution for this for "jailkit". A program
> that can run as the super-process of another process and throttle IO
> was suggested (very good for slowing down those SCPs, wgets and
> package updates that otherwise flood your link): it's "trickle".
>
>
> Further Discussion
> ------------------
>
> Magnus and Marcin brought up a few topics that were troubling them in
> their attempt to run a telco on OSS technology. We discussed:
>
> * Asterisk failover: whether it is possible to have one system cut
> over to another on failure *without* dropping calls (hardware layer
> difficulties?), especially in a context where the systems are
> running in virtual machines. Nobody had a ready answer for this.
> * Billing systems, especially unifying across different forms of
> service provision and working with the standardised formats of the
> telco industry. OSS vs Microsoft solutions in this area and
> self-rolled versus getting the experts in. Steven had a lot of
> insightful input on this given it is one of his areas of expertise.
> * Remote X (xterm) access to Linux systems from Windows. Cygwin
> (x.cygwin.com) and Xming (sourceforge.net/projects/xming) were
> mentioned as solutions for this. It was suggested that we could do
> a quick run-through on installing, configuring, and using these in
> next month's meeting.
>
>
> Big Iron
> --------
>
> Steven had more impressive hardware to show off this evening, including
> a nice little computer from IBM; they had to punch a hole in the side of
> the building to get this one inside!
>
>
> Next Meeting
> ------------
>
> Date: Thursday March 6th, 19:30 - 22:00
> Demonstration: TBC: Introduction to AMPACHE, Toby Deans
>
> Best regards,
> Yvan Seth
>
> _______________________________________________
> Watford mailing list
> Watford@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/watford
>
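A small audit script for the kind of jk_lsh.ini policy shown in the notes above, added here as an example and not code from Jailkit or from the meeting. It checks each user section against the jail directory: every listed executable must exist inside the jail (jk_lsh runs after the chroot), only file-transfer helpers should be listed (an assumed allowlist of sftp-server and scp), word expansion stays off, and the umask denies write to "other" so jailed users cannot alter each other's files. The [foo] block and the temporary jail are constructed for the demonstration.

```python
import configparser
import os
import tempfile

# Binaries a transfer-only jail should be limited to (assumed allowlist).
FILE_TRANSFER_HELPERS = {"sftp-server", "scp"}
# Constructed sample: the [test2] block from the notes plus a sloppy [foo].
SAMPLE_INI = """
[test2]
paths= /usr/lib/
executables= /usr/lib/openssh/sftp-server
allow_word_expansion = 0
umask = 002
[foo]
paths= /usr/lib/ /bin/
executables= /usr/lib/openssh/sftp-server /bin/sh /usr/bin/scp
allow_word_expansion = 1
umask = 000
"""

def audit_policy(jail_root, ini_text):
    """Return (user, problem) findings for every section of a jk_lsh.ini."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    findings = []
    for user in cfg.sections():
        sec = cfg[user]
        # jk_lsh execs after the chroot, so each binary must exist inside it.
        for exe in sec.get("executables", "").split():
            if not os.path.isfile(os.path.join(jail_root, exe.lstrip("/"))):
                findings.append((user, "missing in jail: " + exe))
            elif os.path.basename(exe) not in FILE_TRANSFER_HELPERS:
                findings.append((user, "not a file-transfer helper: " + exe))
        # Word expansion off: no globs or variables from the client side.
        if sec.get("allow_word_expansion", "0").strip() != "0":
            findings.append((user, "allow_word_expansion is on"))
        # umask must deny write to "other" so users cannot alter each other.
        umask = int(sec.get("umask", "022"), 8)
        if not umask & 0o002:
            findings.append((user, "umask %03o lets 'other' write" % umask))
    return findings

def build_sample_jail():
    """Create a throw-away jail holding sftp-server and sh but no scp."""
    root = tempfile.mkdtemp(prefix="sftproot-")
    for path in ("usr/lib/openssh/sftp-server", "bin/sh"):
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root
```

Run `audit_policy("/home/sftproot", open("/home/sftproot/etc/jailkit/jk_lsh.ini").read())` against a real jail; an empty list means every section passed the four checks.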