SSH
的 chroot
环境
为 SSH
创建一个限制环境是一项坚苦的工作, 这由 SSH
为用户提供一个远程 shell 的事实可知, 其依赖关系和与其它服务不同. 因此,
您还必须考虑在此环境中那些程序用户可以使用. 如果您创建了这种文件结构, 如
/var/chroot/ssh
, 您可以被 chroot
的 ssh
服务, 用下边的命令:
# chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config
您可以使用 makejail
软件包很容易的创建一个限制环境,
因为它自动跟踪处理服务器守护进程(使用 strace
),
并使它运行在一个受限制的环境中.
自动构建 chroot
环境程序的优势在于它能为 chroot
环境复制任何软件包(甚至下边的依赖包, 并能保证其完整性). 因此,
用户使用起来更加容易.
使用 makejail
提供的例子配置环境, 运行下边的命令:
# makejail /usr/share/doc/makejail/examples/sshd.py
阅读示例文件, 查看还对环境做了哪些修改. 其中一些修改, 譬如用户主目录的复制,
不能自动完成. 还有, 限制显示的敏感信息只能由一些指定用户从
/etc/shadow
或 /etc/group
复制.
以下示例环境已经过(简单)测试, 使用软件包提供的配置文件构建, 包括
fileutils
软件包:
. |-- bin | |-- ash | |-- bash | |-- chgrp | |-- chmod | |-- chown | |-- cp | |-- csh -> /etc/alternatives/csh | |-- dd | |-- df | |-- dir | |-- fdflush | |-- ksh | |-- ln | |-- ls | |-- mkdir | |-- mknod | |-- mv | |-- rbash -> bash | |-- rm | |-- rmdir | |-- sh -> bash | |-- sync | |-- tcsh | |-- touch | |-- vdir | |-- zsh -> /etc/alternatives/zsh | `-- zsh4 |-- dev | |-- null | |-- ptmx | |-- pts | |-- ptya0 (...) | |-- tty | |-- tty0 (...) | `-- urandom |-- etc | |-- alternatives | | |-- csh -> /bin/tcsh | | `-- zsh -> /bin/zsh4 | |-- environment | |-- hosts | |-- hosts.allow | |-- hosts.deny | |-- ld.so.conf | |-- localtime -> /usr/share/zoneinfo/Europe/Madrid | |-- motd | |-- nsswitch.conf | |-- pam.conf | |-- pam.d | | |-- other | | `-- ssh | |-- passwd | |-- resolv.conf | |-- security | | |-- access.conf | | |-- chroot.conf | | |-- group.conf | | |-- limits.conf | | |-- pam_env.conf | | `-- time.conf | |-- shadow | |-- shells | `-- ssh | |-- moduli | |-- ssh_host_dsa_key | |-- ssh_host_dsa_key.pub | |-- ssh_host_rsa_key | |-- ssh_host_rsa_key.pub | `-- sshd_config |-- home | `-- userX |-- lib | |-- ld-2.2.5.so | |-- ld-linux.so.2 -> ld-2.2.5.so | |-- libc-2.2.5.so | |-- libc.so.6 -> libc-2.2.5.so | |-- libcap.so.1 -> libcap.so.1.10 | |-- libcap.so.1.10 | |-- libcrypt-2.2.5.so | |-- libcrypt.so.1 -> libcrypt-2.2.5.so | |-- libdl-2.2.5.so | |-- libdl.so.2 -> libdl-2.2.5.so | |-- libm-2.2.5.so | |-- libm.so.6 -> libm-2.2.5.so | |-- libncurses.so.5 -> libncurses.so.5.2 | |-- libncurses.so.5.2 | |-- libnsl-2.2.5.so | |-- libnsl.so.1 -> libnsl-2.2.5.so | |-- libnss_compat-2.2.5.so | |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so | |-- libnss_db-2.2.so | |-- libnss_db.so.2 -> libnss_db-2.2.so | |-- libnss_dns-2.2.5.so | |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so | |-- libnss_files-2.2.5.so | |-- libnss_files.so.2 -> libnss_files-2.2.5.so | |-- libnss_hesiod-2.2.5.so | |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so | |-- libnss_nis-2.2.5.so | |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so | |-- libnss_nisplus-2.2.5.so | |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so | |-- libpam.so.0 -> libpam.so.0.72 | |-- libpam.so.0.72 | |-- libpthread-0.9.so | |-- libpthread.so.0 -> libpthread-0.9.so | |-- libresolv-2.2.5.so | |-- libresolv.so.2 -> libresolv-2.2.5.so | |-- librt-2.2.5.so | |-- librt.so.1 -> librt-2.2.5.so | |-- libutil-2.2.5.so | |-- libutil.so.1 -> libutil-2.2.5.so | |-- libwrap.so.0 -> libwrap.so.0.7.6 | |-- libwrap.so.0.7.6 | `-- security | |-- pam_access.so | |-- pam_chroot.so | |-- pam_deny.so | |-- pam_env.so | |-- pam_filter.so | |-- pam_ftp.so | |-- pam_group.so | |-- pam_issue.so | |-- pam_lastlog.so | |-- pam_limits.so | |-- pam_listfile.so | |-- pam_mail.so | |-- pam_mkhomedir.so | |-- pam_motd.so | |-- pam_nologin.so | |-- pam_permit.so | |-- pam_rhosts_auth.so | |-- pam_rootok.so | |-- pam_securetty.so | |-- pam_shells.so | |-- pam_stress.so | |-- pam_tally.so | |-- pam_time.so | |-- pam_unix.so | |-- pam_unix_acct.so -> pam_unix.so | |-- pam_unix_auth.so -> pam_unix.so | |-- pam_unix_passwd.so -> pam_unix.so | |-- pam_unix_session.so -> pam_unix.so | |-- pam_userdb.so | |-- pam_warn.so | `-- pam_wheel.so |-- sbin | `-- start-stop-daemon |-- usr | |-- bin | | |-- dircolors | | |-- du | | |-- install | | |-- link | | |-- mkfifo | | |-- shred | | |-- touch -> /bin/touch | | `-- unlink | |-- lib | | |-- libcrypto.so.0.9.6 | | |-- libdb3.so.3 -> libdb3.so.3.0.2 | | |-- libdb3.so.3.0.2 | | |-- libz.so.1 -> libz.so.1.1.4 | | `-- libz.so.1.1.4 | |-- sbin | | `-- sshd | `-- share | |-- locale | | `-- es | | |-- LC_MESSAGES | | | |-- fileutils.mo | | | |-- libc.mo | | | `-- sh-utils.mo | | `-- LC_TIME -> LC_MESSAGES | `-- zoneinfo | `-- Europe | `-- Madrid `-- var `-- run |-- sshd `-- sshd.pid 27 directories, 733 files
SSH
启用 chroot
功能
Debian 的 sshd
不允许通过服务器限制用户的活动, 因为
sshd2
中(使用 'ChrootGroups' 或 'ChrootUsers', 参阅
sshd2_config(5)
)的商用程序缺乏 chroot
功能. 但是,
可以利用一个补丁来 Bug report
139047
增加此项功能. 这个补丁可能在 OpenSSH 的未来发行版中提供. 在
http://debian.home-dn.net/woody/ssh/
处 Emmanuel Lacour 提供了含有这种功能的 ssh
deb 软件包.
虽然需要完成编译步骤.
在 http://mail.incredimail.com/howto/openssh/
处可以找到所有步骤的描述(虽然它是针对RedHat7.2 用户的, 几乎所有的内容都适用于
Debian). 打了补丁以后, 编辑 /etc/passwd
修改用户主目录为(注意
/./):
joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash
这将限制通过 ssh 隧道的远程 shell 访问, 和通过 ssh
隧道进行的远程拷贝.
确保用户的 chroot
目录下包含了所有需要的程序和库文件.
这些文件的宿主应当是 root 以避免被用户篡改(在用户退出 chroot
jail
时). 下边是一个范例:
./bin: total 660 drwxr-xr-x 2 root root 4096 Mar 18 13:36 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash -r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls -r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir -rwxr-xr-x 1 root root 23960 Mar 18 13:36 more -r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd -r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash ./etc: total 24 drwxr-xr-x 2 root root 4096 Mar 15 16:13 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rw-r--r-- 1 root root 54 Mar 15 13:23 group -rw-r--r-- 1 root root 428 Mar 15 15:56 hosts -rw-r--r-- 1 root root 44 Mar 15 15:53 passwd -rw-r--r-- 1 root root 52 Mar 15 13:23 shells ./lib: total 1848 drwxr-xr-x 2 root root 4096 Mar 18 13:37 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2 -rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6 -rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1 -rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2 -rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5 -rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1 -rw-r--r-- 1 root root 34144 Mar 15 16:10 libnss_files.so.2 -rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0 -rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0 -rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1 -rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1 -rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0 ./usr: total 16 drwxr-xr-x 4 root root 4096 Mar 15 13:00 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib ./usr/bin: total 340 drwxr-xr-x 2 root root 4096 Mar 15 15:55 . drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rwxr-xr-x 1 root root 10332 Mar 15 15:55 env -rwxr-xr-x 1 root root 13052 Mar 15 13:13 id -r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp -rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp -r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh -rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty ./usr/lib: total 852 drwxr-xr-x 2 root root 4096 Mar 15 15:37 . drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rw-r--r-- 1 root root 771088 Mar 15 13:01 libcrypto.so.0.9.6 -rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1 -rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server
使用尝试-错误的方式, 通过监视 sshd
服务器和日志文件以确定必要的文件, 构建一个环境是可能的. 下边的环境, 由 José
Luis Ledesma 提供, 是一个 ssh
的 chroot
环境下的文件列表: [51]
.: total 36 drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./ drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../ drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/ drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/ drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/ drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/ drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/ ./bin: total 8368 drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph* -rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp* -rwxr-xr-x 1 root root 6956 Jun 3 13:46 env* -rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps* -rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter* -rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover* -rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail* -rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm* -rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat* -rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep* -rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph* -rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs* -rwxr-xr-x 1 root root 10420 Jun 3 13:46 id* -rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd* -rwxr-xr-x 1 root root 111386 Jun 4 11:46 less* -r-xr-xr-x 1 root root 26168 Jun 3 13:45 login* -rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls* -rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir* -rwxr-xr-x 1 root root 24780 Jun 3 13:45 more* -rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb* -rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd* -rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm* -rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html* -rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex* -rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man* -rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text* -rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage* -rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker* -rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect* -r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct* -rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd* -rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr* -rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm* -rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir* -rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p* -rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp* -rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax* -rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage* -rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh* -rws--x--x 1 root root 744500 Jun 3 13:46 slogin* -rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain* -rws--x--x 1 root root 744500 Jun 3 13:46 ssh* -rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add* -rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent* -rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen* -rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan* -rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa* -rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace* -rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph* -rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail* -rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty* -rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd* -rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi* -rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami* ./dev: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom ./etc: total 208 drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw------- 1 root root 0 Jun 4 11:46 .pwd.lock -rw-r--r-- 1 root root 653 Jun 3 13:46 group -rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf -rw-r--r-- 1 root root 857 Jun 4 12:04 hosts -rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache -rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf -rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~ -rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli -rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/ -rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf -rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd -rw-r--r-- 1 root root 7228 Jun 3 13:48 profile -rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols -rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/ -rw-r----- 1 root root 1178 Jun 4 11:51 shadow -rw------- 1 root root 80 Jun 4 11:45 shadow- -rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old -rw-r--r-- 1 root root 161 Jun 3 13:46 shells -rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config -rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key -rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub -rw------- 1 root root 527 Jun 3 13:46 ssh_host_key -rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub -rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key -rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub -rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config ./etc/pam.d: total 24 drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd -rw-r--r-- 1 root root 318 Jun 3 13:46 passwd -rw-r--r-- 1 root root 546 Jun 4 11:36 ssh -rw-r--r-- 1 root root 479 Jun 4 12:02 sshd -rw-r--r-- 1 root root 370 Jun 3 13:46 su ./etc/security: total 32 drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ -rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf -rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf -rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf -rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf -rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf -rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf ./lib: total 8316 drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm -rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd -rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi -rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2* -rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7* -rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7* -rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1* -rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2* -rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2* -rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0* -rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0* -rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1* -rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1* -rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2* -rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1* -rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2* -rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2* -rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1* -rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2* -rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1* -rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2* -rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2* lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72* -rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72* lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -> libpam_misc.so.0.72* -rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72* lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72* -rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72* -rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0* -rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1* -rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3* -rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3* drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/ ./lib/security: total 668 drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./ drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../ -rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so* -rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so* -rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so* -rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so* -rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so* -rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so* -rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so* -rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so* -rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so* -rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so* -rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so* -rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so* -rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so* -rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so* -rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so* -rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so* -rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so* -rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so* -rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so* -rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so* -rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so* -rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so* -rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so* -rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so* -rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so* -rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so* -rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so* ./sbin: total 3132 drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest* -rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest* -rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest* -rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig* -rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname* -rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay* -rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend* -rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem* -rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats* -rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server* -rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd* -rwxr-xr-x 1 root root 30750 Jun 4 11:46 su* -rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest* -rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest* -rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest* ./tmp: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ ./usr: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin// lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib// lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//
Securing Debian Manual
v3.2, Mon, 20 Jun 2005 08:01:11 +0000jfs@debian.org
etony@tom.com