Aug 2nd, 2015

  1. ## SSH into an iocage jail using pam_jail without sshd running in the jail
  2.  
  3. ### Why?
  4.  
  5. You don't or can't run sshd inside your jails.
  6.  
  7. ### Requirements
  8.  
  9. Make sure you have a running iocage jail and you've installed pam_jail.
  10.  
  11. `pkg install pam_jail`
  12.  
  13.  
  14. ### Setup SSH on the iocage server
  15.  
  16. Key based authentication. Password logins will not be accepted.
  17. Make sure you have authorized_keys setup before you disable password authentication.
  18.  
  19. **/etc/ssh/sshd_config**
  20.  
  21. ````
  22. PasswordAuthentication no
  23. ChallengeResponseAuthentication no
  24. UsePAM yes
  25. ````
  26. *Restart sshd once you've made these changes*
  27.  
**NOTE** sshd isn't needed inside the jails.

### Users and keys

Add a user to the iocage machine for each jail.

My jail tag is ns1 so I'll add a user called ns1.

```
pw useradd ns1 -d /iocage/jails/7195d76a-.../root/./usr/home/ns1 -s /bin/csh
```

**NOTE** Don't make a home directory yet. We'll do that inside the jail.

The path combines the iocage jail root and the user's home directory inside the jail as `<jail_path>/./<home_dir>`: everything before the `/./` is the jail path, everything after it is the home directory inside the jail.
See `man pam_jail` for more info. Use `jls` to get the jail path.

Add the ns1 user to your ns1 iocage jail. The `uid` must match the user we just created on the iocage server. Run `id ns1` to get the uid.

```
iocage exec ns1 pw useradd ns1 -u uid -d /usr/home/ns1 -m -s /bin/csh
```

**Note** The ns1 user's shell can be `/usr/sbin/nologin` for extra security.

Setup authorized_keys inside the ns1 jail

```
iocage console ns1
su - ns1
mkdir .ssh
chmod 700 .ssh
echo 'your ssh public_key' > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
chown -R ns1:ns1 .ssh
```

### Setup pam_jail

Add the `pam_jail.so` session module to your `/etc/pam.d/sshd` file

```
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# Add this line
session required pam_jail.so
```

### Test it out

`ssh ns1@iocage.server`
If everything goes well you should be placed into the ns1 jail.
`sysctl security.jail.jailed` should return 1 if you're jailed.

You can now use Ansible to manage this jail. Just set the user option `user: ns1` in your playbooks that run on this jail.

**You can safely ignore**
`Could not chdir to home directory /iocage/jails/7195d76a-.../root/./usr/home/ns1: No such file or directory`
The full `/./` path is never a real directory on its own; your home inside the jail is `/usr/home/ns1`.
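The three things this setup hinges on are easy to get subtly wrong (a home path without the `/./` marker, an earlier `PasswordAuthentication yes` that sshd honours over the later `no`, a commented-out `pam_jail.so` line). The POSIX sh functions below check each of them offline; this is an added example written for this note, not code from the original paste, and the function names and sample inputs are constructed.

```shell
# Added example (not part of the original paste): offline sanity checks for the
# three things this setup depends on. Function names and samples are made up here.
# Split a pam_jail home "<jail_root>/./<home_in_jail>" into its two halves;
# prints "<jail_root> <home_in_jail>", or returns 1 when the "/./" marker is
# missing (a plain host path gives pam_jail nothing to work with).
split_pam_jail_home() {
    case "$1" in */./*) ;; *) return 1 ;; esac
    printf '%s /%s\n' "${1%%/./*}" "${1#*/./}"
}

# Read sshd_config on stdin and require key-only logins with PAM enabled.
# sshd keeps the FIRST value it sees for a keyword, so the loop does the same:
# a stray early "PasswordAuthentication yes" is not undone by a later "no".
# (Match blocks are not modelled; keep these three settings at top level.)
check_sshd_config() {
    pw='' cr='' pam=''
    while read -r key value rest; do
        case "$key" in
            '#'*|'') ;;
            PasswordAuthentication)          [ -n "$pw" ]  || pw=$value ;;
            ChallengeResponseAuthentication) [ -n "$cr" ]  || cr=$value ;;
            UsePAM)                          [ -n "$pam" ] || pam=$value ;;
        esac
    done
    [ "$pw" = no ] && [ "$cr" = no ] && [ "$pam" = yes ]
}

# Read /etc/pam.d/sshd on stdin and require an active (uncommented)
# "session ... pam_jail.so" line; without it the login lands on the host.
check_pam_sshd() {
    while read -r type control module rest; do
        case "$type" in '#'*|'') continue ;; esac
        [ "$type" = session ] && [ "$module" = pam_jail.so ] && return 0
    done
    return 1
}

# Constructed sample input mirroring the snippets above (not real config files).
SAMPLE_SSHD='PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'
SAMPLE_PAM='session required pam_permit.so
session required pam_jail.so'

# Runs all three checks on the samples; exit status 0 only if every check passes.
run_sample_checks() {
    split_pam_jail_home /iocage/jails/JAIL-UUID/root/./usr/home/ns1 >/dev/null &&
        printf '%s\n' "$SAMPLE_SSHD" | check_sshd_config &&
        printf '%s\n' "$SAMPLE_PAM" | check_pam_sshd
}
```

On the host itself the same functions run against the real files, e.g. `check_sshd_config < /etc/ssh/sshd_config` and `check_pam_sshd < /etc/pam.d/sshd`, and `split_pam_jail_home "$(getent passwd ns1 | cut -d: -f6)"` shows the jail path to compare with `jls`.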