Posts Tagged solaris 10

My own referral…?


Funny story… at least I thought it was… I was on-site @ a customer’s data center the other day and I was tasked with configuring a SUN LTO-3 Quantum tape drive, similar to the photo on the left here, among other things… No biggie right…? Anyway… in my usual way I was Googling lots of stuff, because I don’t remember anything… and while doing so, I came across my own blog, this very one you are reading, for the answer. I thought that was awesome… I answered my own question… LOL 🙂


SUN-Jail – Solaris 10 convicted ! Part II Dammit… I forgot to lock the door !


OK… so hopefully you already went through Part I, but if not, this may not make much sense as I am not going to re-visit anything here. This is for the mod_tls setup for FTPS or FTPES if you are using FileZilla… I was not familiar with the FTPES connection state, but now I am and so are you… I was using FireFTP and everything was working fine, but in the interest of testing more than what I use, I found this new tidbit of information 🙂

So let’s first tweak the proftpd.conf file; add this to the bottom of the file:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
Take note of the files referenced here. Go ahead and create the log dir, definitely do this as you will need it if anything is not working… and then we can move on to making the key/cert. Keep in mind that I am using webmin for the proftpd control and it allows you to apply changes following a save, eliminating the need for a manual restart of proftpd 🙂

Make this dir, please make this or the key/cert command will whine like a bitty baby…

mkdir -p /etc/proftpd/ssl

Then make the key/cert:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Make sure to answer all the posed questions:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

And again now we are done. Not too bad… right? I set up a few test users to allow me to tail the log file and watch as they login to make sure I can see what is expected as well as what isn’t…

May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:33 mod_tls/2.2.1[2023]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
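With TLSRequired off, tls.log is the only place that tells you which sessions actually negotiated TLS, and whether the data channel was protected too (the "Protection set to Private" line only appears when the client sends PROT P). Below is an added example, not part of the original post, that groups mod_tls log lines by session (the bracketed pid), records the negotiated cipher, and flags sessions that a defender would want to look at: handshakes that never completed, weak ciphers, and control-channel-only encryption. The log text is a constructed sample modelled on the lines above.

```python
import re

# Constructed sample modelled on the mod_tls/2.2.1 lines above; pids, ciphers
# and the extra 40-bit session are illustrative, not real data from the post.
SAMPLE_TLS_LOG = """\
May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:40 mod_tls/2.2.1[2024]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:41 mod_tls/2.2.1[2024]: TLSv1/SSLv3 connection accepted, using cipher EXP-RC4-MD5 (40 bits)
May 25 15:36:41 mod_tls/2.2.1[2024]: Protection set to Private
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) mod_tls/[\d.]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CIPHER_RE = re.compile(r"using cipher (?P<cipher>\S+) \((?P<bits>\d+) bits\)")
MIN_BITS = 128  # anything below a 128-bit symmetric key is flagged as weak

def parse_tls_log(text):
    """Group mod_tls lines by session pid and record what each one negotiated."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mod_tls line, ignore
        s = sessions.setdefault(m.group("pid"), {"start": m.group("ts"), "handshake": False,
                                                  "cipher": None, "bits": 0, "data_private": False})
        msg = m.group("msg")
        if "starting TLS handshake" in msg:
            s["handshake"] = True
        c = CIPHER_RE.search(msg)
        if c:  # control channel is now encrypted with this cipher
            s["cipher"], s["bits"] = c.group("cipher"), int(c.group("bits"))
        if msg == "Protection set to Private":
            s["data_private"] = True  # client sent PROT P, data channel is encrypted too
    return sessions

def audit_sessions(sessions):
    """Return (pid, reason) pairs for sessions worth a second look."""
    findings = []
    for pid, s in sessions.items():
        if s["handshake"] and s["cipher"] is None:
            findings.append((pid, "handshake started but never accepted"))
        elif s["bits"] < MIN_BITS:
            findings.append((pid, "weak cipher %s (%d bits)" % (s["cipher"], s["bits"])))
        if s["cipher"] and not s["data_private"]:
            findings.append((pid, "control channel encrypted but data channel never set to Private"))
    return findings
```

Sessions that log in over plain FTP never appear in tls.log at all, so cross-check against the main proftpd log if you need to know who skipped TLS entirely.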


SUN-Jail – Solaris 10 convicted ! Part I


OK… so a while back I did something about jails for FTP… Odd that I don’t even remember what it was for, let alone being too lazy to go back and look to make proper reference here… but anyway, I have a successful and simple approach to doing this on Solaris 10 and seeing that I get a lot of hits for my Solaris posts, this may in fact be another good destination. I went back to my tried and true buddy, webmin, for this, with as little effort as possible. I decided to use the ProFTPd module that comes (icon anyway) included with webmin for Solaris (which, by the by, is also a default package on Sol 10) and packages from the sunfreeware site. So let’s get started with the required packages and some basic system tweaks you may or may not need:

I started out making a repo dir under /export/home as it is a large one on these systems:

mkdir /export/home/sunfreeware

cd /export/home/sunfreeware

For whatever reason, the default $PATH for Solaris 10 is as bare as it comes, leaving out lots of cool, already installed tools, like wget for example. I created a .profile and added this PATH:

PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/sfw/bin:/usr/local/sbin

This covers everything I found useful without absolutes (and without actually knowing where the f’ it is !!!)…

Here is a listing of what I needed: (You may or may not need all of these)

gcc-3.4.6-sol10-x86-local.gz
make-3.81-sol10-x86-local.gz
openssl-1.0.0-sol10-x86-local.gz
proftpd-1.3.2-sol10-x86-local.gz
rssh-2.3.2-sol10-x86-local.gz

So lets quickly grab these…

cd /export/home/sunfreeware (in case you were not there already 🙂 )

for i in gcc-3.4.6-sol10-x86-local.gz make-3.81-sol10-x86-local.gz   openssl-1.0.0-sol10-x86-local.gz proftpd-1.3.2-sol10-x86-local.gz rssh-2.3.2-sol10-x86-local.gz; do wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/$i; done

Then gunzip them:

for i in `ls`; do gunzip $i; done

Then pkgadd them:

for i in `ls`; do pkgadd -d $i; done (You will need to answer at least the creation of the /usr/local/bin dir if it is not already there and the default ‘ALL’ question for each iteration)

Before you get yourself all in a tizzy… let’s stop the default FTP service:

svcadm disable network/ftp

OK… now let’s install webmin:

webminsetup (see how handy our PATH has been so far… 🙂 )

Answer the questions however you like… and voilà… Done 🙂

Now we need to make a few tweaks to the ProFTPd settings:

So you may have to click on this pic to see the line to which I am referring, but in any event you want to uncomment this line so that ALL users are jailed to their defined home dir… and let me tell you that this is as easy as that process gets. There is one other designation we need to make to ensure this takes place, but it is in fact a radio button, so nothing overly complex there. I also made the usual permissions changes on the user dirs to ensure the most security possible and a few other changes… well, let’s look at that step one by one, shall we…

OK, so as you can see (from the wget up above) I grabbed rssh, a restricted shell. Whether or not any of this is actually necessary is highly speculative, but I will at least illustrate what I did.

/usr/local/etc/rssh.conf

allowsftp <– This is all I wanted to allow

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /export/home/chroot <– Make this whatever you are jailing your users to

You will also need to make an entry in /etc/shells (and create it if it is not there):

/usr/local/bin/rssh

ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh

# id ftptest
uid=104(ftptest) gid=100(ftptest)

drwx------   2 ftptest  ftptest      512 May 20 15:17 ftptest
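The three things that make the jail hold for a user are all visible in flat files: the shell in the passwd entry must be rssh and be listed in /etc/shells, the home dir must sit under the rssh chrootpath, and the home dir must be mode 0700 like the ls output above. The following is an added example (not from the post or from rssh) that audits those three conditions over constructed sample inputs modelled on the entries above; the second and third accounts are deliberately broken so the checks have something to report. HOME_MODES stands in for os.stat() results so the example runs offline.

```python
import stat

# Constructed sample inputs modelled on the rssh.conf, /etc/shells and passwd
# entries in the post. ftptest2 and ftptest3 are intentionally misconfigured.
RSSH_CONF = """\
allowsftp
# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
chrootpath = /export/home/chroot
"""
SHELLS = "/usr/local/bin/rssh\n/bin/sh\n"
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh
ftptest2:x:105:100:FTP Test User 2:/export/home/ftptest2:/usr/local/bin/rssh
ftptest3:x:106:100:FTP Test User 3:/export/home/chroot/ftptest3:/usr/local/bin/bash
"""
# Simulated st_mode values for the home dirs (constructed; on a live box read
# them with os.stat(home).st_mode instead of a dict).
HOME_MODES = {"/export/home/chroot/ftptest": 0o40700,
              "/export/home/ftptest2": 0o40755,
              "/export/home/chroot/ftptest3": 0o40700}

def rssh_chrootpath(conf):
    """Return the chrootpath value from rssh.conf, or None if it is commented out."""
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("chrootpath"):
            return line.split("=", 1)[1].strip()
    return None

def audit_rssh_users(passwd, shells, conf, home_modes, rssh="/usr/local/bin/rssh"):
    """Return (user, problem) pairs for accounts that should be rssh-jailed FTP users."""
    jail = rssh_chrootpath(conf)
    valid_shells = set(shells.split())
    problems = []
    for entry in passwd.splitlines():
        user, _pw, _uid, _gid, _gecos, home, shell = entry.split(":")
        jailed_home = jail is not None and home.startswith(jail.rstrip("/") + "/")
        if shell != rssh and not jailed_home:
            continue  # ordinary account, not an FTP jail user
        if shell != rssh:
            problems.append((user, "shell %s is not %s" % (shell, rssh)))
        elif shell not in valid_shells:
            problems.append((user, "%s is not listed in /etc/shells" % shell))
        if not jailed_home:
            problems.append((user, "home %s is outside chrootpath %s" % (home, jail)))
        mode = home_modes.get(home)
        if mode is None or stat.S_IMODE(mode) & 0o077:
            problems.append((user, "home %s is not mode 0700" % home))
    return problems
```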

From the main module screen simply select the “Files and Directories” option to open the module. I should mention that we are already in the ProFTPd module at this point, so if you are not there, simply click on the “Servers” link in the top left and then select “ProFTPD Server” and you will be at this very page. Take note of where things are in Webmin as surely you will want to go back and make lots of additional amendments to whatever else you have running on the system.

All we are looking at here is making sure that you restrict the user to their home directory. This may be kind of obvious, but make sure you START the service as well… It can be done from any module. Up in the right corner you will see a “Start ProFTPd Service” button… click it. I would also run a few commands from the console just to see what you have going on, as you should have some understanding outside of a graphical environment of what is really taking place here. So let’s run some simple commands, shall we???

# ps -ef |grep ftp
ftptest2  4951  4430   0 10:38:45 ?           0:00 /usr/local/sbin/proftpd
nobody  4430     1   0 10:20:35 ?           0:00 /usr/local/sbin/proftpd
root  5193  4197   0 12:43:10 pts/2       0:00 grep ftp

Make sure you don’t see anything other than the proftpd service running… (remember we stopped the default ftp service earlier right??? )

# /usr/local/sbin/proftpd -vv
– mod_tls/2.2.1: compiled using OpenSSL version ‘OpenSSL 0.9.8k 25 Mar 2009’ headers, but linked to OpenSSL version ‘OpenSSL 0.9.8n 24 Mar 2010’ library
ProFTPD Version: 1.3.2 (stable)
Scoreboard Version: 01040002
Built: Wed May 13 16:36:46 EDT 2009

Loaded modules:
mod_tls/2.2.1
mod_md5fs.c
mod_readme.c
mod_auth_pam/1.1
mod_ident/1.0
mod_facts/0.1
mod_delay/0.6
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/0.8.3
mod_auth_unix.c
mod_xfer.c
mod_core.c

And that’s it 🙂 Go and test it to ensure you have achieved the expected results:

This is exactly what I was expecting. Make sure you cannot move out of this dir and you are all set… 🙂

So this is all fine and dandy, but who wants to use regular FTP? I would hope no one in a business environment anyway… Part II deals with using the mod_tls module packaged with proftpd. For whatever reason, it was actually a pretty big pain in the a$$ to get this whole thing working…
