plugins:instantssh

Differences

This shows you the differences between two versions of the page.

plugins:instantssh [2014/10/14 10:19]
nuxwin
plugins:instantssh [2017/09/04 08:28] (current)
theemstra python-magic was missing from list of
Line 2: Line 2:
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-This documentation is for to the latest version available in our plugins store. For an oldest documentation,​ see the README.md file inside the plugin archive.+This documentation is for the latest version available in our plugins store. For an oldest documentation,​ see the **README** file inside the plugin archive.
 </​WRAP>​ </​WRAP>​
  
 +===== Introduction =====
  
-=====Introduction=====+This plugin allows to give your customers a full or restricted shell access.
  
-This plugin allow to give your customers a full or jailed shell access.+A customer ​to which SSH permissions are given can create SSH users and use them to login on the server.
  
-customer ​to which SSH permissions are given can add its own SSH keys and use them to authenticate on the server.+For each customer, you can set the maximum number of allowed ​SSH users and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file.
  
-For each customer, you can set the maximum number of allowed SSH keys and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file (see man authorized_keys).+===== Requirements =====
  
-Default ​authentication ​options are set as follow:+  * i-MSCP version >= 1.2.3 
 +  * openSSH server with both, password and key-based ​authentication ​support enabled
  
-  no-agent-forwarding,no-port-forwarding,no-X11-forwarding+<WRAP center round tip 80%> 
 +If you want allow only the key-based authenticationyou can set the **passwordless_authentication** configuration option to **TRUE** in the plugin configuration file. Once you did the needed changeyou must not forget to update the plugin list through the plugins management interface, else, the new value will not be taken into account. 
 +</​WRAP>​
  
-which in order: 
  
-  * Forbids authentication agent forwarding +==== Debian / Ubuntu packages ====
-  * Forbids TCP forwarding +
-  * Forbids X11 forwarding+
  
-You can override default authentication options by editing the **default_ssh_auth_options** option which is defined in the plugin configuration file. In that file, you can also restrict the list of authentication options that your customers can add by editing the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option.+  ​bash 
 +  ​binstats 
 +  ​build-essential 
 +  ​busybox-static or busybox 
 +  ​flex 
 +  ​libpam-chroot 
 +  ​psmisc 
 +  ​python 
 +  ​python-magic 
 +  ​strace
  
-====Jailed shells====+You can install these packages by executing the following commands:
  
-The Jailed shells allow you to provide SSH access to your customers in a secured and restricted environment from which they can theorically not escape. It's the preferable way to give an SSH access to an un-trusted customer.+  # aptitude update 
 +  # aptitude install bash build-essential busybox-static flex \ 
 +  libpam-chroot psmisc python strace python-magic
  
-Several commands can be added into the jails by simply adding the needed application sections into the **app_sections** configuration option.+===== Installation =====
  
-The default configuration comes with a set of preselected application sections which allow to setup a very restricted jailed shell environment. This environment is setup by using busybox which combines tiny versions of many common UNIX utilities into a single small executable.+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Upload the plugin through the plugin management interface 
 +  - Install the plugin through the plugin management interface
  
-=====Plugin usage=====+**Note:** Depending on your system, installation can take up to several minutes. Time is needed to build jail.
  
-The development of this plugin took me a lot of time, especially the Jailbuilder layer which allows to build the jailed shell environments. Thus, I would ask a small contribution for use of this plugin by doing a donation on my paypal account ( <​[email protected]>​ ). If you don't understand such asks, or if you do not want donate, just don't use this plugin.+===== Update =====
  
-=====Requirements=====+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Backup your plugin configuration file if needed 
 +  - Upload the plugin archive through the plugin management interface 
 +  - Restore your plugin configuration file if needed ( compare it with the new version first ) 
 +  - Update the plugin list through the plugin management interface
  
-  ​i-MSCP >= 1.1.14 (plugin ​API >= 0.2.11) +**Note:** Prior any update attempt, do not forget to read the **UPDATE** file inside the plugin ​archive.
-  * openSSH server with public key authentication support enabled+
  
-====Debian / Ubuntu packages====+===== Configuration =====
  
-  * busybox +==== Authentication options ====
-  * libpam-chroot +
-  * makejail+
  
-You can install these packages by executing the following commands:+Default authentication options are set as follow;
  
-  ​# aptitude update +  ​no-agent-forwarding,​no-port-forwarding,​no-X11-forwarding
-  # aptitude install busybox libpam-chroot makejail+
  
-**Notes** +which in order:
-  - If a package is not installed on your system, the plugin installer throws an error +
-  - If you have any problem with the PAM chroot module read the **Troubleshooting** section below+
  
-=====Installation=====+  * Forbids authentication agent forwarding 
 +  * Forbids TCP forwarding 
 +  * Forbids X11 forwarding
  
-  - Login into the panel as admin and go to the plugin ​management interface +You can override default authentication options by editing ​the **default_ssh_auth_options** option which is defined in the plugin ​configuration file. In that file, you can also restrict the list of authentication options that your customers can add by editing ​the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option.
-  - Upload ​the **InstantSSH** plugin archive +
-  - Activate ​the plugin+
  
-=====Update=====+==== Jailed shells ​====
  
-  - Be sure that all required packages as mentioned ​in the requirements section are installed on your system +The jailed shells allow you to provide SSH access to your customers ​in a restricted environment from which they can theoretically not escapeIt'​s ​the preferable way to give an SSH access to an un-trusted customer.
-  - Backup your current config file **plugins/​InstantSSH/​config.php** +
-  - Login into the panel as admin and go to the plugin management interface +
-  ​Upload the **InstantSSH** plugin archive +
-  - Restore your **plugins/​InstantSSH/​config.php** (compare it with the new version first) +
-  - Click on the **Update Plugins** button in the plugin management interface+
  
-=====Troubleshooting=====+Several commands can be added into the jails by simply adding the required application sections to the app_sections configuration option.
  
-====PAM chroot module====+The default configuration comes with a set of preselected application sections which allow to setup very restricted jailed shell environments.
  
-The **PAM chroot** module shipped with some libpam-chroot package versions ​(eg. Ubuntu Lucid) ​doesn'​t work as expected. +Be aware that the creation of the jailed environments may take time, depending on many factors such as the type of your server, the number of file to copy inside the jails and so on... 
-For instance, You can see the following logs in the /​var/​log/​auth.log file:+ 
 +See the config.php file inside the plugin archive for further details. 
 + 
 +**Note:** When changing a configuration parameter in the plugin configuration file, do not forget to trigger plugin change by updating the plugin list through the plugin management interface. 
 + 
 +===== Troubleshootings ===== 
 + 
 +==== PAM chroot module ==== 
 + 
 +The PAM chroot ​module shipped with some libpam-chroot package versions doesn'​t work as expected. For instance, You can see the following logs in the /​var/​log/​auth.log file:
  
   ...   ...
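
Review bot: The Debian / Ubuntu package list and the install command disagree: the list names binstats, but the "aptitude install" line omits it, so a reader who copies the command ends up without a listed requirement. Add binstats to the command or drop it from the list. In the Requirements section the new text asks for both password and key-based authentication to be enabled and makes key-only an opt-in through passwordless_authentication; state that option's default value, and say whether the default restrictions (no-agent-forwarding, no-port-forwarding, no-X11-forwarding) still apply when a user logs in with a password, since the page describes them as authorized_keys options and sshd reads that file only for key-based logins. The pointer "(see man authorized_keys)" was dropped and is worth keeping. Wording: "Troubleshootings", "are meets" and "the the default" need fixing.
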
Line 88: Line 104:
  
   # cd /​usr/​local/​src   # cd /​usr/​local/​src
-  # mkdir libpam-chroot ​&& ​cd libpam-chroot+  # mkdir libpam-chroot 
 +  # cd libpam-chroot
   # apt-get install build-essential debhelper libpam0g-dev   # apt-get install build-essential debhelper libpam0g-dev
   # apt-get source libpam-chroot   # apt-get source libpam-chroot
   # cd libpam-chroot*   # cd libpam-chroot*
  
-Edit the **Makefile** file to replace the line:+Edit the Makefile file to replace the line:
  
   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
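
Review bot: Splitting "mkdir libpam-chroot && cd libpam-chroot" into two separate lines drops the "&&" guard, so if mkdir fails (for example because the directory is left over from an earlier attempt) the cd still runs, and the later "cd libpam-chroot*" glob may then match more than one entry. Keep the "&&" form, or tell the reader to start from an empty directory. Style: "Edit the Makefile file" is redundant; "Edit the Makefile to replace the line:" reads better.
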
Line 105: Line 122:
   # dpkg-buildpackage -uc -us   # dpkg-buildpackage -uc -us
   # cd ..   # cd ..
-  # dpkg -i dpkg -i libpam-chroot*.deb+  # dpkg -i libpam-chroot*.deb
  
-=====License=====+===== License =====
  
   i-MSCP InstantSSH plugin   i-MSCP InstantSSH plugin
-  Copyright (C) 2014 Laurent Declercq <​[email protected]>​ 
   ​   ​
-  ​This library is free software; you can redistribute it and/or +  ​@author Laurent Declercq <​[email protected]>​ 
-  ​modify it under the terms of the GNU Lesser General Public +  ​@copyright ​(C2014-2015 Laurent Declercq <l.declercq@nuxwin.com> 
-  License as published by the Free Software Foundation; either +  ​@license i-MSCP ​License ​<http://www.i-mscp.net/license-agreement.html>
-  version 2.1 of the License, or (at your optionany later version. +
-   +
-  This library is distributed in the hope that it will be useful, +
-  but WITHOUT ANY WARRANTY; without even the implied warranty of +
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU +
-  ​Lesser General Public ​License ​for more details. +
-   +
-  You should have received a copy of the GNU Lesser General Public +
-  License along with this library; if not, write to the Free Software +
-  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 ​ USA +
- +
- See [[http://www.gnu.org/​licenses/​lgpl-2.1.txt |LGPL v2.1]] +
- +
-=====Sponsors===== +
- +
-  * [[http://​portal.osna-solution.de|Osna-Solution UG]] +
-  * [[https://​github.com/​thecry|Sascha Bay aka TheCry]] +
- +
-=====Author(s)=====+
  
-  ​Laurent Declercq <​l.declercq@nuxwin.com>+See the **LICENSE** file inside the archive for further details.
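
Review bot: The License section replaces the LGPL v2.1 notice with a one-line "@license i-MSCP License" reference and does not say that the terms changed. Add a sentence stating from which plugin version the new license applies, so that readers who installed the plugin under the LGPL text know which terms cover their copy. The copyright range "2014-2015" also looks stale for a revision dated 2017. The correction of the duplicated "dpkg -i dpkg -i" is right; since "libpam-chroot*.deb" is a glob, it is worth telling the reader to check that only the freshly built package is in the directory before running it.
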
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/plugins/instantssh.1413281994.txt.gz · Last modified: 2014/10/14 10:19 by nuxwin