User Tools

Site Tools


plugins:instantssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
plugins:instantssh [2014/10/16 21:04]
nuxwin
plugins:instantssh [2017/09/04 09:28] (current)
theemstra python-magic was missing from list of
Line 2: Line 2:
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-This documentation is for to the latest version available in our plugins store. For an oldest documentation,​ see the README.md file inside the plugin archive.+This documentation is for the latest version available in our plugins store. For an oldest documentation,​ see the **README** file inside the plugin archive.
 </​WRAP>​ </​WRAP>​
  
 +===== Introduction =====
  
-=====Introduction=====+This plugin allows to give your customers a full or restricted shell access.
  
-This plugin allow to give your customers a full or jailed shell access.+A customer ​to which SSH permissions are given can create SSH users and use them to login on the server.
  
-customer ​to which SSH permissions are given can add its own SSH keys and use them to authenticate on the server.+For each customer, you can set the maximum number of allowed ​SSH users and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file.
  
-For each customer, you can set the maximum number of allowed SSH keys and choose if they can override the default authentication options. The authentication options are those specified in the documentation of the authorized_keys file (see man authorized_keys).+===== Requirements =====
  
-Default ​authentication ​options are set as follow:+  * i-MSCP version >= 1.2.3 
 +  * openSSH server with both, password and key-based ​authentication ​support enabled
  
-  no-agent-forwarding,no-port-forwarding,no-X11-forwarding+<WRAP center round tip 80%> 
 +If you want allow only the key-based authenticationyou can set the **passwordless_authentication** configuration option to **TRUE** in the plugin configuration file. Once you did the needed changeyou must not forget to update the plugin list through the plugins management interface, else, the new value will not be taken into account. 
 +</​WRAP>​
  
-which in order: 
  
-  * Forbids authentication agent forwarding +==== Debian / Ubuntu packages ====
-  * Forbids TCP forwarding +
-  * Forbids X11 forwarding+
  
-You can override default authentication options by editing the **default_ssh_auth_options** option which is defined in the plugin configuration file. In that file, you can also restrict the list of authentication options that your customers can add by editing the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option.+  ​bash 
 +  ​binstats 
 +  ​build-essential 
 +  ​busybox-static or busybox 
 +  ​flex 
 +  ​libpam-chroot 
 +  ​psmisc 
 +  ​python 
 +  ​python-magic 
 +  ​strace
  
-====Jailed shells====+You can install these packages by executing the following commands:
  
-The Jailed shells allow you to provide SSH access to your customers in a secured and restricted environment from which they can theorically not escape. It's the preferable way to give an SSH access to an un-trusted customer.+  # aptitude update 
 +  # aptitude install bash build-essential busybox-static flex \ 
 +  libpam-chroot psmisc python strace python-magic
  
-Several commands can be added into the jails by simply adding the needed application sections into the **app_sections** configuration option.+===== Installation =====
  
-The default configuration comes with a set of preselected application sections which allow to setup a very restricted jailed shell environment. This environment is setup by using busybox which combines tiny versions of many common UNIX utilities into a single small executable.+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Upload the plugin through the plugin management interface 
 +  - Install the plugin through the plugin management interface
  
-=====Plugin usage=====+**Note:** Depending on your system, installation can take up to several minutes. Time is needed to build jail.
  
-The development of this plugin took me a lot of time, especially the Jailbuilder layer which allows to build the jailed shell environments. Thus, I would ask a small contribution for use of this plugin by doing a donation on my paypal account ( <​paypal@nuxwin.com>​ ). If you don't understand such asks, or if you do not want donate, just don't use this plugin.+===== Update =====
  
-=====Requirements=====+  - Be sure that all requirements as stated in the requirements section are meets 
 +  - Backup your plugin configuration file if needed 
 +  - Upload the plugin archive through the plugin management interface 
 +  - Restore your plugin configuration file if needed ( compare it with the new version first ) 
 +  - Update the plugin list through the plugin management interface
  
-  ​i-MSCP >= 1.1.14 (plugin ​API >= 0.2.11) +**Note:** Prior any update attempt, do not forget to read the **UPDATE** file inside the plugin ​archive.
-  * openSSH server with public key authentication support enabled+
  
-====Debian / Ubuntu packages====+===== Configuration =====
  
-  * busybox +==== Authentication options ====
-  * libpam-chroot +
-  * makejail+
  
-You can install these packages by executing the following commands:+Default authentication options are set as follow;
  
-  ​# aptitude update +  ​no-agent-forwarding,​no-port-forwarding,​no-X11-forwarding
-  # aptitude install busybox libpam-chroot makejail+
  
-**Notes** +which in order:
-  - If a package is not installed on your system, the plugin installer throws an error +
-  - If you have any problem with the PAM chroot module read the **Troubleshooting** section below+
  
-=====Installation=====+  * Forbids authentication agent forwarding 
 +  * Forbids TCP forwarding 
 +  * Forbids X11 forwarding 
 + 
 +You can override default authentication options by editing the **default_ssh_auth_options** option which is defined in the plugin configuration file. In that file, you can also restrict the list of authentication options that your customers can add by editing the **allowed_ssh_auth_options** option. You must note that any authentication option appearing in the the default authentication string must also be specified in the **allowed_ssh_auth_options** option. 
 + 
 +==== Jailed shells ​==== 
 + 
 +The jailed shells allow you to provide SSH access to your customers in a restricted environment from which they can theoretically not escape. It's the preferable way to give an SSH access to an un-trusted customer. 
 + 
 +Several commands can be added into the jails by simply adding the required application sections to the app_sections configuration option. 
 + 
 +The default configuration comes with a set of preselected application sections which allow to setup very restricted jailed shell environments.
  
-  - Login into the panel as admin and go to the plugin management interface +Be aware that the creation of the jailed environments may take time, depending on many factors such as the type of your server, ​the number of file to copy inside ​the jails and so on...
-  - Upload ​the plugin archive +
-  - Activate ​the plugin+
  
-=====Update=====+See the config.php file inside the plugin archive for further details.
  
-  - Be sure that all required packages as mentioned in the requirements section are installed on your system +**Note:** When changing a configuration parameter in the plugin ​configuration file, do not forget ​to trigger ​plugin ​change by updating ​the plugin ​list through ​the plugin ​management interface.
-  - Backup your **plugins/​InstantSSH/​config.php** configuration file +
-  - Login into the panel as admin and go to the plugin ​management interface +
-  - Deactivate ​the plugin +
-  - Upload ​the plugin ​archive +
-  - Restore your **plugins/​InstantSSH/​config.php** configuration file (compare it with the new version first) +
-  - Activate the plugin+
  
-=====Troubleshootings=====+===== Troubleshootings =====
  
-====PAM chroot module====+==== PAM chroot module ====
  
-The **PAM chroot** module shipped with some libpam-chroot package versions ​(eg. Ubuntu Lucid) ​doesn'​t work as expected. +The PAM chroot module shipped with some libpam-chroot package versions doesn'​t work as expected. For instance, You can see the following logs in the /​var/​log/​auth.log file:
-For instance, You can see the following logs in the /​var/​log/​auth.log file:+
  
   ...   ...
Line 89: Line 104:
  
   # cd /​usr/​local/​src   # cd /​usr/​local/​src
-  # mkdir libpam-chroot ​&& ​cd libpam-chroot+  # mkdir libpam-chroot 
 +  # cd libpam-chroot
   # apt-get install build-essential debhelper libpam0g-dev   # apt-get install build-essential debhelper libpam0g-dev
   # apt-get source libpam-chroot   # apt-get source libpam-chroot
   # cd libpam-chroot*   # cd libpam-chroot*
  
-Edit the **Makefile** file to replace the line:+Edit the Makefile file to replace the line:
  
   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic   CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
Line 108: Line 124:
   # dpkg -i libpam-chroot*.deb   # dpkg -i libpam-chroot*.deb
  
-=====License=====+===== License =====
  
   i-MSCP InstantSSH plugin   i-MSCP InstantSSH plugin
-  Copyright (C) 2014 Laurent Declercq <​l.declercq@nuxwin.com>​ 
   ​   ​
-  ​This library is free software; you can redistribute it and/or +  ​@author Laurent Declercq <​l.declercq@nuxwin.com>​ 
-  ​modify it under the terms of the GNU Lesser General Public +  ​@copyright ​(C2014-2015 Laurent Declercq <l.declercq@nuxwin.com> 
-  License as published by the Free Software Foundation; either +  ​@license i-MSCP ​License ​<http://www.i-mscp.net/license-agreement.html>
-  version 2.1 of the License, or (at your optionany later version. +
-   +
-  This library is distributed in the hope that it will be useful, +
-  but WITHOUT ANY WARRANTY; without even the implied warranty of +
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU +
-  ​Lesser General Public ​License ​for more details. +
-   +
-  You should have received a copy of the GNU Lesser General Public +
-  License along with this library; if not, write to the Free Software +
-  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 ​ USA +
- +
- See [[http://www.gnu.org/​licenses/​lgpl-2.1.txt |LGPL v2.1]] +
- +
-=====Sponsors===== +
- +
-  * [[http://​portal.osna-solution.de|Osna-Solution UG]] +
-  * [[https://​github.com/​thecry|Sascha Bay aka TheCry]] +
- +
-=====Author(s)=====+
  
-  ​Laurent Declercq <​l.declercq@nuxwin.com>+See the **LICENSE** file inside the archive for further details.
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/plugins/instantssh.1413489871.txt.gz · Last modified: 2014/10/16 21:04 by nuxwin