Planet OpenSolaris

the-hostname

Product Details
  * Paperback: 312 pages
  * Publisher: Prentice Hall PTR
    1st edition (November 19, 2009)
  * Language: English
  * ISBN-10: 0137012330
  * ISBN-13: 978-0137012336

Subsystem       sftp    /usr/lib/ssh/sftp-server

subsystem request for sftp
subsystem: cannot stat /usr/lib/ssh/sftp-server under
    chroot directory /var/root/chroot/: No such file
    or directory
subsystem: please see the Subsystem option in
    sshd_config(4) for an explanation of 'internal-sftp'.
subsystem request for sftp failed, subsystem not found

./bin/bash
./bin/ls
./lib/libcurses.so.1
./lib/libsocket.so.1
./lib/libnsl.so.1
./lib/libdl.so.1
./lib/libc.so.1
./lib/libmp.so.2
./lib/libmd.so.1
./lib/libscf.so.1
./lib/libuutil.so.1
./lib/libgen.so.1
./lib/libm.so.2
./lib/libresolv.so.2
./lib/libcrypto.so.0.9.8
./lib/libz.so.1
./lib/libsecdb.so.1
./lib/libmapmalloc.so.1
./lib/libcrypt.so.1
./lib/libsec.so.1
./usr/lib/ld.so.1

-bash-3.2$ ls
bin  lib  usr
-bash-3.2$ pwd
/

+ChrootDirectory
+
+  Specifies a path to chroot(2) to after authentication.
+  This path, and all its components, must be root owned 
+  directories that are not writable by any other user or
+  group.
+
+  The server always tries to change to the user's home
+  directory locally under the chrooted environment but a 
+  failure to do so is not considered an error. In addition
+  to that, the path may contain the following tokens that
+  are expanded at runtime once the connecting user has
+  been authenticated: %% is replaced by a literal '%', %h
+  is replaced by the home directory of the user being 
+  authenticated, and %u is replaced by the username of
+  that user. 
+
+  The ChrootDirectory must contain the necessary files and
+  directories to support the user's session.  For an
+  interactive SSH session this requires at least a user's
+  shell, shared libraries needed by the shell, dynamic
+  linker, and possibly basic /dev nodes such as null(4),
+  zero(4), stdin(4), stdout(4), stderr(4), random(4) and
+  tty(4).  Additionaly, terminal databases are
+  needed for screen oriented applications. For file
+  transfer sessions using ``sftp'' with the SSH protocol
+  version 2, no additional configuration of the
+  environment is necessary if the in-process sftp server
+  is used (see Subsystem for details).
+
+  The default is not to chroot(2).
+
+

      Subsystem

    Configures an external subsystem (for  example,  a  file  
    transfer  daemon).  Arguments should be a subsystem name
    and a command to execute  upon  subsystem  request.  The
    command   sftp-server(1M)   implements   the  sftp  file  
-   transfer  subsystem.  By  default,  no  subsystems   are   
+   transfer  subsystem.
+
+   Alternately the name ``internal-sftp'' implements an
+   in-process ``sftp'' server.  This may simplify
+   configurations using ChrootDirectory to force a different
+   filesystem root on clients.
+
+   By  default,  no  subsystems   are  
    defined. This option applies to protocol version 2 only. 

getpassphrase()
strlcpy()
man -s 5 openssl
man -a
  Accessing RSA Keys in PKCS#11 Keystores

     OpenSSL can access RSA keys in PKCS#11 keystores using the
     following functions of the ENGINE API:

       EVP_PKEY *ENGINE_load_private_key(ENGINE *e,
                const char *key_id, UI_METHOD *ui_method,
                void *callback_data)

       EVP_PKEY *ENGINE_load_public_key(ENGINE *e,
                const char *key_id, UI_METHOD *ui_method,
                void *callback_data)

     key_id, formerly for filenames only, can be now also set to
     a PKCS#11 URI. The EVP_PKEY structure is newly allocated and
     caller is responsible to free the structure later. To avoid
     clashes with existing filenames, "file://" prefix for
     filenames is now also accepted but only when the PKCS#11
     engine is in use. The PKCS#11 URI specification follows:

        pkcs11:[token=<label>][;manuf=<label>][;serial=<label>]
               [;model=<label>][;object=<label>]
               [;objecttype=(public|private|cert)]
               [;passphrasedialog=(builtin|exec:<file>)]

     The ordering of keywords is not significant. The PKCS#11
     engine uses the keystore for the slot chosen for public key
     operations whic is metaslot on a standardly configured
     machine. Currently, the PKCS#11 engine ignores "objecttype"
     keyword. The only mandatory keyword is "object" which is
     the key object label. For information on how to use a
     different, possibly hardware, keystore with metaslot see
     libpkcs11(3LIB).

     The token PIN is provided via "passphrasedialog" keyword and
     is either read from the terminal ("builtin") or from the
     output of an external command ("exec:<file>"). The PIN is
     used to log into the token and by default is deleted from
     the memory then. The keyword "pin" is intentionally not
     provided due to inherent security problems of possible use
     of a password in the process arguments.

     Due to fork safety issues the application must re-login if
     the child continues to use the PKCS#11 engine. It is done
     inside of the engine automatically if fork is detected and
     in that case, "exec:<file>" option of the "passphrasedialog"
     keyword can be used. Alternatively, an enviroment variable
     OPENSSL_PKCS11_PIN_CACHING_POLICY can be used to allow the
     PIN to be cached in memory and reused in the child. It can
     be set to "none" which is the default, "memory" to store
     the PIN in memory, and "mlocked-memory" keep the PIN in a
     locked page via mlock(3C). Note that PRIV_PROC_LOCK_MEMORY
     privilege is required in that case.

     Sensitive parts of private keys are never read from the
     token to the process memory no matter whether the key is
     tagged with sensitive flag or not. The PKCS#11 engine uses
     the public compoments as a search key to get a PKCS#11
     object handle to the private key.

     Note that in order to use the RSA keys by reference, high
     level API functions must be used, like RSA_public_decrypt(),
     EVP_PKEY_set1_RSA(), or EVP_SignInit(). Low level functions
     might go around the engine and thus fail to make use of the
     feature.

  Additional Documentation

      Extensive additional documentation for  OpenSSL  modules  is
      available       in      the      /usr/share/man/man1openssl,
      /usr/share/man/man3openssl, /usr/share/man/man5openssl,  and
      /usr/share/man/man7openssl directories.

      To view the license terms, attribution,  and  copyright  for
      OpenSSL, see /var/sadm/pkg/SUNWopensslr/install/copyright.

EXAMPLES

     Example 1: generate and print a public key stored in an
                already initilized PKCS#11 keystore. Note the
                use of "-engine pkcs11" and "-inform e".

        $ pktool gencert keystore=pkcs11 label=mykey \
            subject="CN=test" keytype=rsa keylen=1024 serial=01
        $ openssl rsa -in \
            "pkcs11:object=mykey;passphrasedialog=builtin" \
            -pubout -text -engine pkcs11 -inform e

brendan@deimos:~> nicstat 1
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:30    nge0   10.81   13.13   35.77   37.69   309.4   356.6    0.02   0.00
20:53:30     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:31    nge0   28.17   21.71   89.51   91.50   322.2   243.0    0.04   0.00
20:53:31     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:32    nge0   26.18   19.71   84.15   85.14   318.6   237.0    0.04   0.00
20:53:32     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:33    nge0   26.89   19.93   80.18   85.13   343.4   239.7    0.04   0.00
20:53:33     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:34    nge0   26.89   21.50   88.14   91.11   312.3   241.6    0.04   0.00
20:53:34     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
^C

root@deimos:/> snoop -r | cut -c1-80
Using device nge0 (promiscuous mode)
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
[...]

brendan@deimos:~> truss -fp `pgrep elinks`
295062: pollsys(0x08047AC0, 3, 0x08047B68, 0x00000000)  = 0 
295062: alarm(0)                                        = 0
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
[...]

root@deimos:/> dtrace -n 'syscall::open*:entry /execname == "elinks"/ {
        @[copyinstr(arg0)] = count(); } tick-1sec { printa(@); clear(@); }'
dtrace: description 'syscall::open*:entry ' matched 3 probes
CPU     ID                    FUNCTION:NAME
  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

^C

root@deimos:/> dtrace -n 'syscall::open*:entry /execname == "elinks"/ {
        @[copyinstr(arg0), ustack()] = count(); } tick-1sec { printa(@); clear(@); }'
dtrace: description 'syscall::open*:entry ' matched 3 probes
CPU     ID                    FUNCTION:NAME
  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist
              libc.so.1`__open64+0x7
              libc.so.1`_endopen+0xb8
              libc.so.1`fopen64+0x29
              elinks`load_formhist_from_file+0x57
              elinks`get_form_history_value+0x39
              elinks`draw_forms+0xec
              elinks`draw_view_status+0x1a
              elinks`draw_doc+0x3fd
              elinks`refresh_view+0x1b
              elinks`draw_formatted+0x115
              elinks`tabwin_func+0xb4
              elinks`term_send_event+0x154
              elinks`redraw_terminal+0x36
              elinks`redraw_leds+0xb2
              elinks`check_timers+0x87
              elinks`select_loop+0x19a
              elinks`main+0x43
              elinks`_start+0x80
               63

Planet OpenSolaris

Jim Grisanzio: Bandung OpenSolaris User Group

Simon Phipps: ☞ Time for Questions

Moinak Ghosh: moinakg

Jim Grisanzio: OpenSolaris Day at ITHB Bandung

Jim Grisanzio: Indonesia OpenSolaris User Group

Jim Grisanzio: OpenSolaris Day at Gunadarma University

Jan Pechanec: Solaris 10 Security Essentials book on Amazon

Ben Rockwood: A Little Friday Distraction

Robert Milkowski: Xen 3.4

Jan Pechanec: The `ChrootDirectory` option resynced to SunSSH

Simon Phipps: ☞ Mistakes That Can't Be Admitted

Jim Grisanzio: New Community Translation Interface

Jim Grisanzio: A New BOO

Jim Grisanzio: 127

Theo Schlossnagle: Jive turkey...

Jan Pechanec: PKCS#11 Engine Patch (including the token access) for OpenSSL 0.9.8l (el)

Ben Rockwood: Must Have Apps for the Mac

Jan Pechanec: RSA Keys by Reference (through the OpenSSL PKCS#11 Engine)

Alvaro Lopez Ortega: Cherokee Web Server Introductory Screencast

Simon Phipps: ☞ Sometimes the Improbable is the Answer

Jim Grisanzio: OSDevCon Images

Shawn Walker: Enabling pkg(5) Availability

What is an origin?

What does this change mean?

How do I use this?

Are there are any client compatibility concerns?

Do I need to update my scripts or client usage?

Garrett D'Amore: Bad sound in Virtual Box in recent builds

Simon Phipps: ☞ Getting A Clue

Marcelo Leal: Futebol brasileiro tem que ter decisão!

Ben Rockwood: Intel Capital Invests in Joyent

Ben Rockwood: LISA BoF

Peter Tribble: Not so lucky any more?

Brendan Gregg: NFS Analytics example

Steven Stallion: Working from Home

Planet OpenSolaris

Jim Grisanzio: Bandung OpenSolaris User Group

Simon Phipps: ☞ Time for Questions

Moinak Ghosh: moinakg

Jim Grisanzio: OpenSolaris Day at ITHB Bandung

Jim Grisanzio: Indonesia OpenSolaris User Group

Jim Grisanzio: OpenSolaris Day at Gunadarma University

Jan Pechanec: Solaris 10 Security Essentials book on Amazon

Ben Rockwood: A Little Friday Distraction

Robert Milkowski: Xen 3.4

Jan Pechanec: The ChrootDirectory option resynced to SunSSH

Simon Phipps: ☞ Mistakes That Can't Be Admitted

Jim Grisanzio: New Community Translation Interface

Jim Grisanzio: A New BOO

Jim Grisanzio: 127

Theo Schlossnagle: Jive turkey...

Jan Pechanec: PKCS#11 Engine Patch (including the token access) for OpenSSL 0.9.8l (el)

Ben Rockwood: Must Have Apps for the Mac

Jan Pechanec: RSA Keys by Reference (through the OpenSSL PKCS#11 Engine)

Alvaro Lopez Ortega: Cherokee Web Server Introductory Screencast

Simon Phipps: ☞ Sometimes the Improbable is the Answer

Jim Grisanzio: OSDevCon Images

Shawn Walker: Enabling pkg(5) Availability

What is an origin?

What does this change mean?

How do I use this?

Are there are any client compatibility concerns?

Do I need to update my scripts or client usage?

Garrett D'Amore: Bad sound in Virtual Box in recent builds

Simon Phipps: ☞ Getting A Clue

Marcelo Leal: Futebol brasileiro tem que ter decisão!

Ben Rockwood: Intel Capital Invests in Joyent

Ben Rockwood: LISA BoF

Peter Tribble: Not so lucky any more?

Brendan Gregg: NFS Analytics example

Steven Stallion: Working from Home

Jan Pechanec: The `ChrootDirectory` option resynced to SunSSH