
Shared SSH Sessions, Update for Ubuntu 9.04 Jaunty Jackalope

This how-to needed to be updated for Jaunty (Ubuntu 9.04).

Jaunty (Ubuntu 9.04) made a few adjustments to screen, so to enable a shared ssh session I had to change both the configuration and the AppArmor profile.

The two changes in Jaunty are:

  1. The binary /usr/bin/screen.real has been added.
  2. Screen now uses profiles (i.e. dark, etc.).

This how-to will explain how to use screen to allow a shared terminal session over an ssh connection. This may be helpful if you wish to teach the Linux command line, and it can be used in concert with IRC.

The initial impetus for this how-to was to facilitate learning the command line during IRC Classroom sessions.


This how-to will use two accounts:

guru - the master or teaching account. This account owns the screen session. Only the guru account will be able to enter commands into the shared screen session.

guest - the guest account may log in over ssh and will automatically attach to the shared session. Multiple people may log into the guest account from multiple IP addresses (locations) simultaneously.

The shared session will be “read only” meaning the guest(s) will be able to observe commands, and the output, but not enter commands. The account running the screen session (both setting up and entering commands) will be “guru”.

Configure the guest account

Make the following files in /home/guest owned by root.guest:

.bash_login
.bash_logout
.bash_profile
.bashrc
.profile

Permissions of the above files are 640.

Using any editor, as root, set the contents of .bash_profile to read:

trap "" INT QUIT TSTP # *try* to stop the user getting to a shell (ignore Ctrl-C, Ctrl-\ and Ctrl-Z)
clear
# ANSI colour escapes; the backslash before "e" is required
BLUE='\e[0;34m'
RED='\e[0;31m'
GREEN='\e[0;32m'
echo -e "${BLUE}" "Welcome to the UFBT ssh session"
echo
echo -e "${BLUE}" "This session is \"read only\""
echo -e "${BLUE}" "You will see commands and the output ..."
echo -e "${BLUE}" "But you will NOT be able to enter commands"
echo -e "${BLUE}" "of your own."
echo
echo -e "${RED}" "To exit this session, just close your terminal"
echo
echo -e "${GREEN}" "Press Enter to continue..." && read
# attach (read only, see the screen ACLs below) to guru's session named "lesson"
screen -x guru/lesson
# never drop the guest into an interactive shell once screen ends
exit

Using any editor, as root, set the contents of .bash_login, .bashrc, and .profile to read:

. ./.bash_profile

New for Jaunty (Ubuntu 9.04):

sudo mkdir ~guest/.screen-profiles
sudo chown root.guest ~guest/.screen-profiles
sudo chmod 770 ~guest/.screen-profiles

Make /home/guest owned by root.guest:

sudo chown root.guest /home/guest

Now make the home directories "private".

Permissions of /home/guest (and any other /home directory) are 750:

sudo chmod 750 /home/guest
sudo chmod o-rx /root

Now we will further restrict the guest with AppArmor. To do this we will make a restricted shell, "jailbash", and use it as the default shell for the guest account. The idea of jailbash is to confine the very public guest account in the unforeseen event that a cracker misuses the account and obtains a shell.

(BIG thank you to jdong for teaching me this).

First make a (hard) link:

sudo ln /bin/bash /usr/local/bin/jailbash

Now we need an AppArmor profile for /usr/local/bin/jailbash. The profile had to be updated for Jaunty; the old one will not work.

Using any editor, as root, set the contents of /etc/apparmor.d/usr.local.bin.jailbash to read:

#include
/usr/local/bin/jailbash {
  #include
  #include
  #include
  #include
  #include
  capability setuid,
  /bin/cp rix,
  /bin/dash rix,
  /bin/ln rix,
  /bin/ls mrix,
  /bin/mkdir rix,
  /bin/mv rix,
  /bin/rm rix,
  /bin/sed rix,
  /bin/touch rix,
  /bin/true rix,
  owner @{HOME}/.screen-profiles/keybindings a,
  owner @{HOME}/.screen-profiles/keybindings r,
  owner @{HOME}/.screen-profiles/profile w,
  owner @{HOME}/.screen-profiles/profile r,
  /home/guest/ r,
  /home/guest/** r,
  /lib/terminfo/** r,
  @{PROC}/*/stat r,
  /tmp/** r,
  /usr/bin/basename rix,
  /usr/bin/clear rix,
  /usr/bin/expr rix,
  /usr/bin/gettext rix,
  /usr/bin/screen rix,
  /usr/bin/screen.real rix,
  /usr/bin/select-screen-profile rix,
  /usr/local/bin/jailbash r,
  /usr/share/screen-profiles/ r,
  /usr/share/screen-profiles/** r,
  owner /var/run/* rwk,
  owner /var/run/screen/** rw,
}

The capability setuid is necessary to attach the guest to the screen session.

Save that profile as /etc/apparmor.d/usr.local.bin.jailbash.

Then:

sudo /etc/init.d/apparmor restart
sudo aa-enforce /usr/local/bin/jailbash

With that, the guest account should be all set.

Again, thank you to jdong for sharing his jailbash AppArmor profile.

Edit: The reason I used AppArmor rather than rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 minutes.

This AppArmor profile is quite restrictive and allows the guest only the minimal access needed to reach the shared screen session.

For additional information on AppArmor, see my post on the Ubuntu forums

Configure screen (must run with SUID bit set)

New for Jaunty (Ubuntu 9.04), the binary we need to SUID is screen.real:

sudo chmod +s /usr/bin/screen.real
sudo chmod 755 /var/run/screen
# This next step is ONLY NEEDED if you updated to Ubuntu 9.04 from a previous version
sudo chmod 0755 /usr/bin/screen

Configure ssh keys

Using ssh keys helps keep your ssh server from being abused.

Make a key for the guru and guest accounts.

Copy the keys to the server in ~/.ssh/authorized_keys.

Make the keys owned by root.guest and root.guru respectively (permissions 640).

Now edit the keys and, at the very beginning of the line, add the following (for both guru and guest):

command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding

If you do not understand this, see my blog on svn+ssh.
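An added example (not from the original post): a small POSIX sh audit that walks an authorized_keys file and reports any key line that lacks the forced jailbash command or one of the three no-*-forwarding options above, so a stray unrestricted key cannot slip in unnoticed. The file path and the sample keys are constructed here; only the option string comes from the post.

```shell
#!/bin/sh
# Audit an authorized_keys file: every key line must start with the forced
# command and carry all three no-*-forwarding options. Returns 0 only when
# every key line passes; offending line numbers are printed on stdout.

REQUIRED_CMD='command="/usr/local/bin/jailbash"'

check_authorized_keys() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # blank lines and comments are not keys
        case $line in
            ''|'#'*) continue ;;
        esac
        # the forced command must be the very first option on the line
        case $line in
            "$REQUIRED_CMD",*) ;;
            *) echo "line $n: missing or misplaced forced command"; bad=1; continue ;;
        esac
        # each option must appear in the comma-separated option list,
        # which ends at the first space before the key type
        for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding; do
            case ",$line" in
                *",$opt,"*|*",$opt "*) ;;
                *) echo "line $n: missing $opt"; bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}

# Constructed sample (not a real key file): one hardened entry, one bare key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="/usr/local/bin/jailbash",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3CONSTRUCTED guest-key
ssh-rsa AAAAB3CONSTRUCTED unrestricted-key
EOF
if check_authorized_keys "$sample"; then
    echo "all keys restricted"
else
    echo "unrestricted keys found"
fi
rm -f "$sample"
```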

Start a shared session

Begin by logging into the ssh server as "guru" and start a screen session:

screen -S lesson

NOTE: It is critical to name the screen session the same as in /home/guest/.bash_profile ("screen -x guru/lesson").

Once the screen session has started, enter commands with C-a:
NOTE: C-a is an abbreviation for the key combination Control-a,
so hit C-a, then :, then the command.

C-a:multiuser on
C-a:acladd guest
C-a:aclchg guest -wx "#,?"
C-a:aclchg guest +x "colon,wall,detach"

By default screen will give a visual flash when guests attempt to enter commands. Although cute, it is confusing to guests and gets annoying fast.

To disable the "flash", disable the vbell in screen, as guru:

C-a C-g

That is shorthand for Control-a followed by Control-g, and it is a toggle (the same sequence a second time re-activates it). The only "problem" with this is that you then get an audible bell, or beep. To disable this see This link.

To log a screen session use:

C-a H

This key sequence turns logging on and off; the output goes to 'screenlog.x', where x is the number of your current window.

Guests can attach to the screen session with:

ssh guest@host -i /home/.ssh/guest-ssh-key

Note: They still need to enter the passphrase of the guest ssh key.

Guests can detach with C-a d (Control-a d).

The user guru can see a list of attached guests with:

C-a:displays

Guests and the guru can communicate via IRC (or wall).

Example of using wall:

C-a:wall "message in quotes"
