## SSH into an iocage jail using pam_jail without sshd running in the jail

### Why?

You don't want to, or can't, run sshd inside your jails. With pam_jail the host's sshd does the authentication and a PAM session module attaches the session to the jail, so the jail itself needs no sshd.

### Requirements

Make sure you have a running iocage jail and that pam_jail is installed on the host:

```
pkg install pam_jail
```

### Setup SSH on the iocage server

Key-based authentication only; password logins will not be accepted.
Make sure you have `authorized_keys` set up before you disable password authentication, or you will lock yourself out.

**/etc/ssh/sshd_config**

```
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
```

`UsePAM yes` is required: without it sshd never runs the PAM session stack, so `pam_jail` never gets the chance to attach the session to the jail.

*Restart sshd once you've made these changes* (`service sshd restart`).

**NOTE** sshd is not needed inside the jails.

### Users and keys

Add a user on the iocage host for each jail.
My jail tag is ns1, so I'll add a user called ns1.

```
pw useradd ns1 -d /iocage/jails/7195d76a-.../root/./usr/home/ns1 -s /bin/csh
```

**NOTE** Don't create the home directory yet (no `-m`). We'll do that inside the jail.

The home path is the iocage jail root followed by the user's home directory inside the jail, joined by `/./`: `<jail_path>/./<home_dir>`. Everything before the `/./` is the jail root; everything after it is the home directory as seen from inside the jail. Use `jls` to get the jail path, and see `man pam_jail` for details.

Now add the ns1 user to the ns1 iocage jail. The uid must match the user we just created on the host; `id -u ns1` on the host prints it.

```
iocage exec ns1 pw useradd ns1 -u <uid> -d /usr/home/ns1 -m -s /bin/csh
```

**NOTE** The shell of the ns1 user inside the jail can be `/usr/sbin/nologin` for extra security. If you do that, change it after the `su - ns1` step below, which needs a working shell.

Set up `authorized_keys` inside the ns1 jail:

```
iocage console ns1
su - ns1
mkdir .ssh
chmod 700 .ssh
echo 'your ssh public_key' > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
chown -R ns1:ns1 .ssh
```

### Setup pam_jail

Add the `pam_jail.so` session module to your `/etc/pam.d/sshd` file:

```
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# Add this line
session required pam_jail.so
```

This line runs for every SSH login on the host, not only the jail users, so check `man pam_jail` for how it treats accounts whose home directory has no `/./` marker before you rely on it for your admin account, and keep an existing session open while you test.

### Test it out

```
ssh ns1@iocage.server
```

If everything goes well you should be placed into the ns1 jail.
`sysctl security.jail.jailed` prints `security.jail.jailed: 1` if you're jailed (it is 0 on the host).

You can now use ansible to manage this jail. Just set `user: ns1` in the playbooks that run against this jail.

**You can safely ignore**

`Could not chdir to home directory /iocage/jails/7195d76a-.../root/./usr/home/ns1: No such file or directory`

That path comes from the host's passwd entry and does not exist as such inside the jail, so sshd reports the failed chdir; the login itself succeeds.
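As an added example, not code from the original paste, the following POSIX shell script bundles the checks worth making before trusting this setup: it builds the `<jail_path>/./<home_dir>` form from a `jls` listing, verifies that `sshd_config` takes the first value of each keyword (sshd ignores later duplicates), confirms the host and jail uids agree, and confirms the `pam_jail.so` session line is active. All input is constructed sample data; the jail name `ns1`, its path `/iocage/jails/ns1/root`, the IP address and the uids 1001/1002 are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the original paste: offline sanity checks for
# the pam_jail setup described above. Every input below is constructed sample
# data; the jail name "ns1", its path, IP and the uids are assumptions.

# Build the host-side home directory pam_jail expects, "<jail_path>/./<home_dir>".
# Everything before "/./" is the jail root, everything after it is the home
# directory as seen inside the jail. $2 must be an absolute in-jail path.
pam_jail_home() {
    printf '%s/.%s\n' "${1%/}" "$2"
}

# Extract a jail's root from the default `jls` listing (JID, IP Address,
# Hostname, Path). Assumes the single-IP layout of the sample below.
jail_root_from_jls() {
    printf '%s\n' "$2" | awk -v name="$1" 'NR > 1 && $3 == name { print $4 }'
}

# First effective value of an sshd_config keyword. sshd honours the first
# occurrence, so a later duplicate must not be allowed to override it.
sshd_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# uid field of a login name in passwd-format text.
uid_of() {
    printf '%s\n' "$2" | awk -F: -v user="$1" '$1 == user { print $3; exit }'
}

# Host and jail passwd entries for the login must carry the same uid.
uids_match() {
    host_uid=$(uid_of "$1" "$2")
    [ -n "$host_uid" ] && [ "$host_uid" = "$(uid_of "$1" "$3")" ]
}

# pam_jail must be an active (uncommented) session line in /etc/pam.d/sshd.
pam_jail_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*session[[:space:]]+(required|requisite|sufficient|optional)[[:space:]]+pam_jail\.so'
}

# --- constructed sample data (hypothetical jail "ns1") ---
JLS_SAMPLE='   JID  IP Address      Hostname                      Path
     3  10.0.0.53       ns1                           /iocage/jails/ns1/root'

SSHD_CONFIG_SAMPLE='# constructed sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# a later duplicate; sshd ignores it, so the check above must too
PasswordAuthentication yes'

HOST_PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
ns1:*:1001:1001:ns1 jail login:/iocage/jails/ns1/root/./usr/home/ns1:/bin/csh'

JAIL_PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
ns1:*:1001:1001:ns1:/usr/home/ns1:/usr/sbin/nologin'

# Same login created in the jail without "-u": uid does not match the host.
JAIL_PASSWD_BAD='ns1:*:1002:1002:ns1:/usr/home/ns1:/bin/csh'

PAM_SSHD_SAMPLE='session required pam_permit.so
session required pam_jail.so'

# --- run the checks against the sample data ---
jail_root=$(jail_root_from_jls ns1 "$JLS_SAMPLE")
echo "pw useradd ns1 -d $(pam_jail_home "$jail_root" /usr/home/ns1) -s /bin/csh"

for key in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
    echo "$key = $(sshd_option "$key" "$SSHD_CONFIG_SAMPLE")"
done

uids_match ns1 "$HOST_PASSWD_SAMPLE" "$JAIL_PASSWD_SAMPLE" && echo "uid matches host"
uids_match ns1 "$HOST_PASSWD_SAMPLE" "$JAIL_PASSWD_BAD" || echo "uid mismatch: recreate the jail user with -u"
pam_jail_enabled "$PAM_SSHD_SAMPLE" && echo "pam_jail session line active"
```

To use it on a real host, replace the sample strings with `$(jls)`, `$(cat /etc/ssh/sshd_config)`, `$(getent passwd)` on the host, `$(iocage exec ns1 getent passwd)` for the jail, and `$(cat /etc/pam.d/sshd)`; the uid check is the one that most often fails silently, because `pw useradd` inside the jail happily picks a different free uid when `-u` is forgotten.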