This how-to needed to be updated for Jaunty (Ubuntu 9.04).
Jaunty (Ubuntu 9.04) made a few adjustments to screen, so to enable a shared ssh session I had to make adjustments to both the configuration and to the AppArmor profile.
The two changes in Jaunty are:
- The binary /usr/bin/screen.real has been added.
- Screen now uses profiles (e.g. dark, etc.).
This how-to will explain how to use screen to allow a shared terminal session over an ssh connection. This may be helpful if you wish to teach the Linux command line and can be used in concert with IRC.
The initial impetus for this how-to was to facilitate learning the command line during IRC Classroom sessions.
This how-to will use two accounts:
guru - the master or teaching account. This account owns the screen session. Only the guru account will be able to enter commands into the shared screen session.
guest - the guest account may log in over ssh and will automatically attach to the shared session. You may have multiple people log into the guest account from multiple IP addresses (locations) simultaneously.
The shared session will be “read only” meaning the guest(s) will be able to observe commands, and the output, but not enter commands. The account running the screen session (both setting up and entering commands) will be “guru”.
Configure the guest account
Make the following files in /home/guest owned by root.guest:
.bash_login
.bash_logout
.bash_profile
.bashrc
.profile
Permissions of the above files are 640.
Using any editor, as root, set the contents of .bash_profile to read:
trap "" 2 3 19 # *try* to stop user getting to shell
clear
BLUE='\e[0;34m'
RED='\e[0;31m'
GREEN='\e[0;32m'
echo -e "${BLUE}" "Welcome to the UFBT ssh session"
echo
echo -e "${BLUE}" "This session is \"read only\""
echo -e "${BLUE}" "You will see commands and the output ..."
echo -e "${BLUE}" "But you will NOT be able to enter commands"
echo -e "${BLUE}" "of your own."
echo
echo -e "${RED}" "To exit this session, just close your terminal"
echo
echo -e "${GREEN}" "Press Enter to continue..." && read
screen -x guru/lesson
exit
Using any editor, as root, set the contents of .bash_login, .bashrc, and .profile to read:
. ./.bash_profile
New for Jaunty (Ubuntu 9.04):
sudo mkdir ~guest/.screen-profiles
sudo chown root.guest ~guest/.screen-profiles
sudo chmod 770 ~guest/.screen-profiles
Make /home/guest owned by root.guest:
sudo chown root.guest /home/guest
Now make home directories “private”.
Permissions of /home/guest (and any other /home directory) are 750:
sudo chmod 750 /home/guest
sudo chmod o-rx /root
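The steps above amount to a fixed layout for /home/guest. The script below is an added example, not part of the original post: it audits a home directory against that layout (ownership, modes, and that every startup file hands control to .bash_profile), assuming GNU stat as shipped on Ubuntu. The directory and the expected owner and group are passed as arguments, so it can be pointed at a test directory as well as the real /home/guest.

```shell
#!/bin/sh
# Added example (not from the original post): audit a guest home directory
# against the layout described above. Prints each deviation and returns
# non-zero if any was found. Assumes GNU stat (-c) from coreutils.

# expect_mode PATH MODE OWNER GROUP: compare actual mode/owner/group
expect_mode() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    [ "$actual" = "$2 $3 $4" ] || { echo "$1: is '$actual', want '$2 $3 $4'"; return 1; }
}

# check_guest_home HOME OWNER GROUP: 0 if the layout matches, 1 otherwise
check_guest_home() {
    home=$1; owner=$2; group=$3; bad=0
    # the home itself must be private (750) and owned by root.guest
    expect_mode "$home" 750 "$owner" "$group" || bad=1
    # the five startup files are root-owned and 640 so the guest cannot edit them
    for f in .bash_login .bash_logout .bash_profile .bashrc .profile; do
        expect_mode "$home/$f" 640 "$owner" "$group" || bad=1
    done
    # Jaunty's screen-profiles directory is 770 so screen can write its profile
    expect_mode "$home/.screen-profiles" 770 "$owner" "$group" || bad=1
    # every other startup file must source .bash_profile and nothing else
    for f in .bash_login .bashrc .profile; do
        grep -qx '\. \./\.bash_profile' "$home/$f" 2>/dev/null \
            || { echo "$home/$f: does not source .bash_profile"; bad=1; }
    done
    # .bash_profile must attach to the guru's session
    grep -q 'screen -x guru/lesson' "$home/.bash_profile" 2>/dev/null \
        || { echo "$home/.bash_profile: does not attach to guru/lesson"; bad=1; }
    return $bad
}
```

Run it as `check_guest_home /home/guest root guest` after completing the steps above; a non-zero exit means something in the layout drifted.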
Now we will further restrict the guest with AppArmor. To do this we will make a restricted shell “jailbash” and use this as the default shell for the guest account. The idea of jailbash is to restrict the very public guest account in the unforeseen event a cracker misuses the account and obtains a shell.
(BIG thank you to jdong for teaching me this).
First make a (hard) link:
sudo ln /bin/bash /usr/local/bin/jailbash
Now we need an AppArmor profile for /usr/local/bin/jailbash.
The AppArmor profile needed to be updated for Jaunty; the old one will not work.
Using any editor, as root, set the contents of /etc/apparmor.d/usr.local.bin.jailbash to read:
#include
/usr/local/bin/jailbash {
#include
#include
#include
#include
#include
capability setuid,
/bin/cp rix,
/bin/dash rix,
/bin/ln rix,
/bin/ls mrix,
/bin/mkdir rix,
/bin/mv rix,
/bin/rm rix,
/bin/sed rix,
/bin/touch rix,
/bin/true rix,
owner @{HOME}/.screen-profiles/keybindings a,
owner @{HOME}/.screen-profiles/keybindings r,
owner @{HOME}/.screen-profiles/profile w,
owner @{HOME}/.screen-profiles/profile r,
/home/guest/ r,
/home/guest/** r,
/lib/terminfo/** r,
@{PROC}/*/stat r,
/tmp/** r,
/usr/bin/basename rix,
/usr/bin/clear rix,
/usr/bin/expr rix,
/usr/bin/gettext rix,
/usr/bin/screen rix,
/usr/bin/screen.real rix,
/usr/bin/select-screen-profile rix,
/usr/local/bin/jailbash r,
/usr/share/screen-profiles/ r,
/usr/share/screen-profiles/** r,
owner /var/run/* rwk,
owner /var/run/screen/** rw,
}
The capability setuid is necessary to connect to the guest screen.
Save that profile as /etc/apparmor.d/usr.local.bin.jailbash
Then:
sudo /etc/init.d/apparmor restart
sudo aa-enforce /usr/local/bin/jailbash
With that, the guest account should be all set.
Again, thank you to jdong for sharing his jailbash AppArmor profile.
Edit: The reason I used AppArmor rather than rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 minutes.
This AppArmor profile is quite restrictive and allows only the minimal access the guest needs to reach the shared screen session.
For additional information on AppArmor, see my post on the Ubuntu forums.
Configure screen (must run with SUID bit set)
New for Jaunty (Ubuntu 9.04): the binary we need to SUID is screen.real.
sudo chmod +s /usr/bin/screen.real
sudo chmod 755 /var/run/screen
# This next step is ONLY NEEDED if you updated to Ubuntu 9.04 from a previous version
sudo chmod 0755 /usr/bin/screen
Configure ssh keys
The use of ssh keys allows you to prevent your ssh server from being abused.
Make a key for the guru and guest accounts.
Copy the keys to the server in ~/.ssh/authorized_keys
Make the keys owned by root.guest and root.guru respectively (permissions 640).
Now edit the keys; at the very beginning of each line, add the following (for both guru and guest):
command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding
If you do not understand this, see my blog on svn+ssh.
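Editing authorized_keys by hand is easy to get wrong when several guests' keys are involved, so here is an added example (not part of the original post) that applies the forced command and restrictions above to every bare key in a file and leaves keys that already carry options alone, so it can be rerun safely. It assumes a POSIX sh with awk; the key material in the test is constructed, not real.

```shell
#!/bin/sh
# Added example (not from the original post): force every key in an
# authorized_keys file through jailbash with the options shown above.
# Assumes POSIX sh and awk.

JAIL_OPTS='command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# restrict_keys FILE: rewrite FILE in place; returns 0 on success.
# Blank lines, comments and keys that already have an options field are
# kept as they are, so running this twice does not double the prefix.
restrict_keys() {
    file=$1
    tmp="$file.tmp.$$"
    awk -v opts="$JAIL_OPTS" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { print; next }   # blank or comment
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ { print opts " " $0; next }  # bare key
        { print }                                             # already has options
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_restricted FILE: number of keys that are forced through jailbash
count_restricted() {
    grep -c '^command="/usr/local/bin/jailbash",' "$1" || true
}
```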
Start a shared session
Begin by logging into the ssh server as “guru” and start a screen session:
screen -S lesson
NOTE: It is critical to name the screen session the same as in /home/guest/.bash_profile (“screen -x guru/lesson”).
Once the screen session has started, enter commands with C-a:
NOTE: C-a is an abbreviation for the key combination Control-a,
so hit C-a, then :, then the command.
C-a:multiuser on
C-a:acladd guest
C-a:aclchg guest -wx "#,?"
C-a:aclchg guest +x "colon,wall,detach"
By default screen will give a visual flash when guests attempt to enter commands. Although cute, it is confusing to guests and gets annoying fast.
To disable the “flash”, disable the vbell in screen, as guru:
C-a C-g
That is shorthand for Control-a followed by Control-g, and it is a toggle (the same sequence a second time re-activates it). The only “problem” with this is that you then get an audible bell, or beep. To disable this, see this link.
To log a screen session use:
C-a H
This key sequence turns logging on and off, and the output goes to 'screenlog.x', where x is the number of your current window.
Guests can attach to the screen session with:
ssh guest@host -i /home/.ssh/guest-ssh-key
Note: They still need to enter the guest ssh key password.
Guests can detach with C-a d (Control-a d).
The user guru can see a list of attached guests with:
C-a:displays
Guests and the guru can communicate via IRC (or wall).
Example of using wall:
C-a:wall "message in quotes"