openssh gives you the option to specify a chroot directory. This provides a way of protecting your system from an attacker that has gained unauthorized access to your ssh server. The chroot folder presumably could be anything from a simple chroot to full-out linux container. oppenssh has an option to have privilege separation, so with this option one might expect more isolation then the standard chroot enviornment.
An application of an ssh chroot folder (key transfer)
SSH communication via the public/private key pair model is typically more secure than password based authentication, presumably due to the length of passwords that most people use. The situation is even worse if one uses the default password. A common attack to a network service is to try the default passwords.
So in this example, we are going to consider a low threat scenario. We want to transfer public keys between two ssh servers over the local network. Possible threats could be malicious process ruining on one of the devices in the network, or someone that hacked into the wifi network.
The likelihood of such threats is low, under the assumption that the user is practicing safe surfing habits and is not a person of interest from a skilled adversary like an inelegance agency. However, since these threats might be present, we don't want the default password to give access to our full system. Also we consider the consequences of an attack to our system minor. This assumption depends on what data you are protecting.
The solution is to run the ssh server in a chroot directory, use scp [6] to copy the keys and once the keys are copied then disable password based authentication. If in the odd chance someone hacks the system in this interval then we should see changes in the save layer. If the save layer is minimal, then such changes should be easy to identify.
To do this we might push any changes that we want into an sfs file like the adrv prior to setting up our chroot system. For a live system, you can use nic007's script to save changes (or remaster?) to an adrv. For a sandboxed system, you can use my remaster sandbox script. Alternatively, you can use the official puppy scripts to do a full remaster.
Alternative approaches, which don't directly use ssh
Rather than using ssh to transfer our public keys, we could use a third party service like dropbox to transfer the keys, which presumably add some privacy and also the risk of an attacker being able to utilize a public key in an attack is low. Finally, we could after we first establish an ssh session this way using public keys we could transfer new public keys once the ssh session is established that dropbox doesn't know about and delete the old keys.
If this second transfer was done over a private network the chances of the secondary key transfer being intercepted would be very low but if one is really paranoid then use a hardwired network equipment, or for even better security transfer via removable media (a usb key).
One could also encrypt the ssh key prior to transferring it over the ssh connection. Much of this would be overkill in most instances but depending on the cost and the expected threat level it may be prudent to be overly cautious.
Create your chroot system
Prior to starting the ssh server we want to create a chroot system to isolate our main system from attacks. I created one from pebee's arch32pup ISO as follows:
1. Download the ISO and delta file to a folder
2. Click on the delta file to apply the delta (I believe this requires the xdelta package)
3. Click on the newly generated ISO file to mount it.
4. Copy the files in the ISO to a new folder.
5. Clone my psandbox, project (or alternativly download it as an archive and extract it).
6. In this newly created folder (Step #4) create a script called "run_sandbox.sh", that looks like this:
Code: Select all
#!/bin/bash
SB_PREFIX=/mnt/home/gitlab_projects/psandbox/master
OS_HOME=/initrd/mnt/dev_save/arch/32/20.02
MP=/initrd/mnt/dev_save
PSUBDIR="arch/32/20.02"
OS_HOME="$MP/$PSUBDIR"
LOGFILE="$(realpath ./sandbox.log)"
RW_LAYER="$(realpath ./a32pupsave)"
bash -x "$SB_PREFIX"/usr/bin/psandbox.sh --logfile "$LOGFILE" -f "$OS_HOME"/sandbox.out -o "$OS_HOME"/sandbox.out --pdrv /mnt/home --maybe-psubdir "$PSUBDIR" --no-exit --rw-layer "$RW_LAYER"
OS_HOME is the path to the folder that we just copied the files from the ISO into.
Now run this script.
Code: Select all
chmod +x ./run_sandbox.sh
./run_sandbox.sh
Install and run the ssh server
Step #2A, install openssh-server
Step #2B create a /etc/ssh/sshd_config file (for the ssh server)
E.g. https://pastebin.com/GPi6vMXk
Step #2C, generate your ssh server keys
Code: Select all
#for ssh version 2
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ''
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
#for ssh version 1
ssh-keygen -t rsa -f /etc/ssh/ssh_host_key -N ''
HostKey /etc/ssh/ssh_host_ecdsa_key
If you want to support all key types then you add a line in sshd_config for each key type. If you don't specify any key types then all of the above keys except for dsa are expected. The -N '' means to create the key without a passphrase. I'm not sure if it is possible to use a passphrase for the server keys. On the client side you don't use the -N '' option because the passphrase adds security by encrypting the keys. You want this protection to make it harder for people to steel your private keys.
Finally, we have to edit /etc/hosts.allow to include any host that we want to be able to connect to the ssh server. For instance if we want all local hosts in a class C subnet to be able to connect to the server then our hosts.allow file might look something like:
Code: Select all
ALL: LOCAL
ALL: 192.168.0.0/16
the ChrootDirectory Paramater
Prior to starting the ssh server, you must specify the chroot directory. For sandbox.sh and sandbox-rw.sh (both of which are available puppylinux and fatdog64) and psandbox we put the following in /etc/sshd_config:
Code: Select all
ChrootDirectory /mnt/sb/fakeroot
You can start the ssh server as follows:
Code: Select all
/etc/init.d ssh start
Code: Select all
/usr/sbin/sshd -d #Can't do X11 forwarding in debugging mode
Code: Select all
/usr/sbin/sshd -D
Install and configure the ssh client.
1. Install openssh client
2. Generate your private keys [5]:
Code: Select all
#for ssh version 2
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
ssh-keygen -t ed25519 -f ~/.ssh/if_ed25519
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/id_ecdsa
ssh-keygen -t dsa -f /etc/ssh/id_dsa
Start the ssh client
Say your ssh server is at ip address. 192.168.1.7, then we could connect to it from the client as follows:
Code: Select all
ssh root@192.168.1.7
For this to work we should have the following two lines in our sshd_config file:
Code: Select all
AllowUsers spot root
PermitRootLogin yes
PasswordAuthentication yes #This is the default
X11 Forwarding
If we want to use X11 forwarding then we can start the ssh client either like:
Code: Select all
ssh -X root@192.168.1.7 #Subject to X11 Security extension restrictions
or
Code: Select all
ssh -Y root@192.168.1.7# **Not** Subject to X11 Security extension restrictions
*** The -Y option is easier to get working but less secure.
In either case I believe that one must install the xauth package in the chroot environment. Also we must use capital letters for both the "-X" and "-Y" options. Lowercase letters do the opposite (i.e. they disable forwarding). One might need to disable forwarding if one has the ssh client configured to automatically do X11 forwarding.
Note, that if there is ~/.Xauthority file, you'll get a warning that it doesn't exist but it will be automatically created for you (or at-least it is with the -Y option).
Further Security Measures
Once the keys are copied between the servers using password based authentication, then one can switch to key based authentication. Alternatively, one could make it so that both password and key based authentication are required by adding the following to the sshd_config file:
Code: Select all
RequiredAuthentications2 publickey,password
1. https://linux.die.net/man/5/sshd_config
2. https://linux.die.net/man/5/ssh_config
3. https://linux.die.net/man/1/ssh
4. https://linux.die.net/man/8/sshd
5. https://www.ssh.com/ssh/keygen - contains some recommendation about what kind of keys to use.
6 - https://linux.die.net/man/1/scp
7 - http://distro.ibiblio.org/fatdog/web/faqs/sandbox.html