plugins:instantssh

Differences

This shows you the differences between two versions of the page.

plugins:instantssh [2014/12/14 13:38]
nuxwin
plugins:instantssh [2017/09/04 08:28] (current)
theemstra python-magic was missing from list of
Line 2: Line 2:
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-This documentation is for to the latest version available in our plugins store. For an oldest documentation,​ see the README.md file inside the plugin archive.+This documentation is for the latest version available in our plugins store. For an oldest documentation,​ see the **README** file inside the plugin archive.
 </​WRAP>​ </​WRAP>​
  
 +===== Introduction =====
  
-=====Introduction===== +This plugin ​allows ​to give your customers a full or restricted shell access.
- +
-This plugin ​allow to give your customers a full or restricted shell access.+
  
 A customer to which SSH permissions are given can create SSH users and use them to login on the server. A customer to which SSH permissions are given can create SSH users and use them to login on the server.
  
-For each customer, you can set the maximum number of allowed SSH users and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file ( see man authorized_keys ).+For each customer, you can set the maximum number of allowed SSH users and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file.
  
-Default authentication options are set as follow:+===== Requirements =====
  
-  ​no-agent-forwarding,no-port-forwarding,​no-X11-forwarding+  ​* i-MSCP version >= 1.2.3 
 +  * openSSH server with bothpassword and key-based authentication support enabled
  
-which in order:+<WRAP center round tip 80%> 
 +If you want allow only the key-based authentication,​ you can set the **passwordless_authentication** configuration option to **TRUE** ​in the plugin configuration file. Once you did the needed change, you must not forget to update the plugin list through the plugins management interface, else, the new value will not be taken into account. 
 +</​WRAP>​
  
-  * Forbids authentication agent forwarding 
-  * Forbids TCP forwarding 
-  * Forbids X11 forwarding 
  
-You can override default authentication options by editing the **default_ssh_auth_options** option which is defined in the plugin configuration file. In that file, you can also restrict the list of authentication options that your customers can add by editing the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option.+==== Debian / Ubuntu packages ====
  
-====Jailed shells====+  * bash 
 +  * binstats 
 +  * build-essential 
 +  * busybox-static or busybox 
 +  * flex 
 +  * libpam-chroot 
 +  * psmisc 
 +  * python 
 +  * python-magic 
 +  * strace
  
-The Jailed shells allow you to provide SSH access to your customers in a restricted environment from which they can theoretically not escape. It'​s ​the preferable way to give an SSH access to an un-trusted customer.+You can install these packages by executing ​the following commands:
  
-Several commands can be added into the jails by simply adding the required application sections to the **app_sections** configuration option.+  # aptitude update 
 +  # aptitude install bash build-essential busybox-static flex \ 
 +  libpam-chroot psmisc python strace python-magic
  
-The default configuration comes with a set of preselected application sections which allow to setup very restricted jailed shell environments. These environments are setup using busybox which combines tiny versions of many common UNIX utilities into a single small executable.+===== Installation =====
  
-See the plugin ​**config.php** file for further details.+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Upload the plugin through the plugin management interface 
 +  - Install the plugin through ​the plugin ​management interface
  
-=====Requirements=====+**Note:** Depending on your system, installation can take up to several minutes. Time is needed to build jail.
  
-  * i-MSCP >1.1.19 (plugin API >0.2.14) +===== Update =====
-  * openSSH server with public key authentication support enabled+
  
-====Debian / Ubuntu packages====+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Backup your plugin configuration file if needed 
 +  - Upload the plugin archive through the plugin management interface 
 +  - Restore your plugin configuration file if needed ( compare it with the new version first ) 
 +  - Update the plugin list through the plugin management interface
  
-  ​busybox +**Note:** Prior any update attempt, do not forget to read the **UPDATE** file inside the plugin archive.
-  ​libpam-chroot +
-  ​makejail+
  
-You can install these packages by executing the following commands:+===== Configuration =====
  
-  # aptitude update +==== Authentication options ====
-  # aptitude install busybox libpam-chroot makejail+
  
-**Notes** +Default authentication options are set as follow;
-  - If a package is not installed on your system, the plugin installer throws an error +
-  - If you have any problem with the PAM chroot module read the **Troubleshooting** section below+
  
-=====Installation=====+  no-agent-forwarding,​no-port-forwarding,​no-X11-forwarding
  
-  - Be sure that all required packages as mentioned ​in the requirements section are installed on your system +which in order:
-  - Login into the panel as admin and go to the plugin management interface +
-  - Upload the plugin archive +
-  - Configure the plugin for your needs by editing the **plugins/​InstantSSH/​config.php** configuration file +
-  - Install the plugin+
  
-=====Update=====+  * Forbids authentication agent forwarding 
 +  * Forbids TCP forwarding 
 +  * Forbids X11 forwarding
  
-  - Be sure that all required packages as mentioned in the requirements section are installed on your system +You can override default authentication options by editing ​the **default_ssh_auth_options** option which is defined in the plugin ​configuration file. In that file, you can also restrict ​the list of authentication options that your customers can add by editing the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option.
-  - Backup your **plugins/​InstantSSH/​config.php** configuration file +
-  - Login into the panel as admin and go to the plugin management interface +
-  - Deactivate the plugin +
-  - Upload the plugin archive +
-  - Configure the plugin for your needs by editing the **plugins/​InstantSSH/​config.php** configuration file +
-  - Activate ​the plugin+
  
-**Note:** Don't forget to read the [[https://​github.com/​i-MSCP/​plugins/​blob/​master/​incubator/​InstantSSH/​update_errata.md|update_errata.md]] file.+==== Jailed shells ====
  
-=====Troubleshootings=====+The jailed shells allow you to provide SSH access to your customers in a restricted environment from which they can theoretically not escape. It's the preferable way to give an SSH access to an un-trusted customer.
  
-====PAM chroot module====+Several commands can be added into the jails by simply adding the required application sections to the app_sections configuration option.
  
-The **PAM chroot** module shipped with some libpam-chroot package versions ​(eg. Ubuntu Lucid) ​doesn'​t work as expected. For instance, You can see the following logs in the /​var/​log/​auth.log file:+The default configuration comes with a set of preselected application sections which allow to setup very restricted jailed shell environments. 
 + 
 +Be aware that the creation of the jailed environments may take time, depending on many factors such as the type of your server, the number of file to copy inside the jails and so on... 
 + 
 +See the config.php file inside the plugin archive for further details. 
 + 
 +**Note:** When changing a configuration parameter in the plugin configuration file, do not forget to trigger plugin change by updating the plugin list through the plugin management interface. 
 + 
 +===== Troubleshootings ===== 
 + 
 +==== PAM chroot module ==== 
 + 
 +The PAM chroot ​module shipped with some libpam-chroot package versions doesn'​t work as expected. For instance, You can see the following logs in the /​var/​log/​auth.log file:
  
   ...   ...
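Review bot: The `aptitude install` command in the new "Debian / Ubuntu packages" section omits binstats, which the package list directly above it names as a requirement; add binstats to the command or drop it from the list, so that running the command as written satisfies the stated requirements. In the Requirements list, "bothpassword" should read "both password". That same line asks for password authentication to be enabled on the OpenSSH server while the tip presents **passwordless_authentication** as the way to allow key-based logins only, so the text should state the option's default value; an administrator needs to know whether customer SSH users can log in with a password after a default install. Dropping "( see man authorized_keys )" leaves the authentication options without a reference; keep a pointer to the sshd(8) section on the authorized_keys file format. In the Installation and Update steps, "are meets" should be "are met".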
Line 90: Line 104:
  
   # cd /​usr/​local/​src   # cd /​usr/​local/​src
-  # mkdir libpam-chroot ​&& ​cd libpam-chroot+  # mkdir libpam-chroot 
 +  # cd libpam-chroot
   # apt-get install build-essential debhelper libpam0g-dev   # apt-get install build-essential debhelper libpam0g-dev
   # apt-get source libpam-chroot   # apt-get source libpam-chroot
   # cd libpam-chroot*   # cd libpam-chroot*
  
-Edit the **Makefile** file to replace the line:+Edit the Makefile file to replace the line:
  
   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
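Review bot: Neither the old `mkdir libpam-chroot && cd libpam-chroot` nor the new two-line form keeps the later commands out of the wrong directory: these lines run as root, and if the `cd` does not succeed, `apt-get source libpam-chroot` unpacks into /usr/local/src. Suggest `mkdir -p libpam-chroot && cd libpam-chroot`, which tolerates an existing directory and still stops the chain on a real failure. On style, this hunk removes the bold from Makefile while the same revision adds bold to **README**, **UPDATE** and **LICENSE**; pick one convention for file names and apply it throughout the page.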
Line 109: Line 124:
   # dpkg -i libpam-chroot*.deb   # dpkg -i libpam-chroot*.deb
  
-=====Plugin usage===== +===== License =====
- +
-The development of this plugin took me a lot of time, especially the Jailbuilder layer which allows to build the jailed shell environments. Thus, I would ask a small contribution for use of this plugin by doing a donation on my paypal account ( [email protected] ). If you don't understand such asks, or if you do not want donate, just don't use this plugin. +
- +
-=====License=====+
  
   i-MSCP InstantSSH plugin   i-MSCP InstantSSH plugin
-  Copyright (C) 2014 Laurent Declercq <​[email protected]>​ 
   ​   ​
-  ​This library is free software; you can redistribute it and/or +  ​@author Laurent Declercq <​[email protected]>​ 
-  ​modify it under the terms of the GNU Lesser General Public +  ​@copyright ​(C2014-2015 Laurent Declercq <l.declercq@nuxwin.com> 
-  License as published by the Free Software Foundation; either +  ​@license i-MSCP ​License ​<http://www.i-mscp.net/license-agreement.html>
-  version 2.1 of the License, or (at your optionany later version. +
-   +
-  This library is distributed in the hope that it will be useful, +
-  but WITHOUT ANY WARRANTY; without even the implied warranty of +
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU +
-  ​Lesser General Public ​License ​for more details. +
-   +
-  You should have received a copy of the GNU Lesser General Public +
-  License along with this library; if not, write to the Free Software +
-  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 ​ USA +
- +
- See [[http://www.gnu.org/​licenses/​lgpl-2.1.txt |LGPL v2.1]] +
- +
-=====Sponsors===== +
- +
-  * [[http://​portal.osna-solution.de|Osna-Solution UG]] +
-  * [[https://​github.com/​thecry|Sascha Bay aka TheCry]] +
- +
-=====Author(s)=====+
  
-  ​Laurent Declercq <​l.declercq@nuxwin.com>+See the **LICENSE** file inside the archive for further details.
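Review bot: The License block replaces the LGPL v2.1 text with "i-MSCP License" but does not say from which plugin version the new terms apply. The page now documents only the latest version, so name the first release under the i-MSCP License; otherwise administrators still running a copy obtained under the LGPL cannot tell which terms cover it. The removed Author(s) section is covered by the new @author line, but the Sponsors section is dropped with no replacement; confirm that removal is intended.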
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/plugins/instantssh.1418564317.txt.gz · Last modified: 2014/12/14 13:38 (external edit)