@sheldonwjones
Last active August 29, 2015 14:25

# SSH into an iocage jail using pam_jail without sshd running in the jail

## Why?

You don't want to, or can't, run sshd inside your jails.

## Requirements

Make sure you have a running iocage jail and you've installed `pam_jail`.

	pkg install pam_jail

## Setup SSH on the iocage server

You will need key-based authentication to the jail server; password logins will not be accepted.
Make sure you have `authorized_keys` set up before you disable password authentication.

`/etc/ssh/sshd_config`

	PasswordAuthentication no
	ChallengeResponseAuthentication no
	UsePAM yes

Restart sshd once you've made these changes.

**Note** sshd isn't needed inside the jails.

## Users and keys

Add a user to the iocage machine for each jail.

My jail tag is `ns1`, so I'll add a user called `ns1`.

	pw useradd ns1 -d /iocage/jails/7195d76a-.../root/./usr/home/ns1 -s /bin/csh

**Note** Don't make a home directory yet. We'll do that inside the jail.

The path combines the iocage jail root and the user's home directory inside the jail, joined as `<jail_path>/./<home_dir>`; see `man pam_jail` for details. Use `jls` to get the jail path for your jail. If you use `iocage list` instead, don't forget to include the `/root/` after the jail uuid: `/iocage/jails/UUID/root/./usr/home/ns1`.

Add the `ns1` user to your `ns1` iocage jail. The uid must match the user we just created on the iocage server; use `id ns1` to get it and substitute it for `uid` below.

	iocage exec ns1 pw useradd ns1 -u uid -d /usr/home/ns1 -m -s /bin/csh

**Note** The `ns1` user's shell can be `/usr/sbin/nologin` for extra security.

Set up `authorized_keys` inside the `ns1` jail.

	iocage console ns1
	su - ns1
	mkdir .ssh
	chmod 700 .ssh
	echo 'your ssh public_key' > .ssh/authorized_keys
	chmod 400 .ssh/authorized_keys
	chown -R ns1:ns1 .ssh

## Setup pam_jail

Add the `pam_jail.so` session module to your `/etc/pam.d/sshd` file.

	# session
	#session        optional        pam_ssh.so              want_agent
	session         required        pam_permit.so
	# Add this line
	session         required        pam_jail.so

## Test it out

Run `ssh ns1@iocage.server`. If everything goes well you should be placed into the `ns1` jail.
`sysctl security.jail.jailed` should return `1` if you're jailed.
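To make the setup above less error-prone, here is an added helper script (not part of the original gist) that builds the `<jail_path>/./<home_dir>` home path pam_jail expects, recovers the jail root from such a path, and audits copies of `sshd_config` and `/etc/pam.d/sshd` for the settings this guide requires. The jail uuid, users and config contents below are constructed sample values; run the checks against your real files on the iocage host.

```shell
#!/bin/sh
# Added example, not the gist author's code. Helpers for the pam_jail login
# setup: build/inspect the pam_jail home path and audit the two config files.

# Build the pam_jail home path: <jail_root>/./<home_in_jail>
pam_jail_home() {
    jail_root=${1%/}          # drop a trailing slash on the jail root
    home_in_jail=${2#/}       # drop a leading slash on the in-jail home
    printf '%s/./%s\n' "$jail_root" "$home_in_jail"
}

# Print the jail root (the part before "/./") of a pam_jail home path, i.e.
# the directory the login is confined to. Fails if the "/./" marker is missing,
# which would mean pam_jail has nothing to jail the session into.
pam_jail_root_of() {
    case $1 in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# Audit an sshd_config copy for the settings the guide requires. sshd honours
# the first occurrence of a keyword (keywords are case-insensitive), so only
# the first non-comment match counts. Prints each mismatch; returns 0 only
# when all three settings are present with the expected value.
check_sshd_config() {
    f=$1; rc=0
    for want in 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' 'UsePAM yes'; do
        key=${want%% *}; val=${want#* }
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) { print $2; exit }' "$f")
        if [ "$got" != "$val" ]; then
            echo "sshd_config: want '$want', have '$key ${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Check that a /etc/pam.d/sshd copy lists pam_jail.so as a session module.
check_pam_sshd() {
    awk '$1=="session" && $3=="pam_jail.so" { found=1 } END { exit !found }' "$1"
}

# --- demo on constructed sample files ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample sshd_config: password auth was left enabled
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$demo_dir/pam_sshd" <<'EOF'
# constructed sample /etc/pam.d/sshd session section
session         required        pam_permit.so
session         required        pam_jail.so
EOF

home=$(pam_jail_home /iocage/jails/JAIL-UUID-PLACEHOLDER/root /usr/home/ns1)
echo "host-side home for user ns1: $home"
echo "login will be confined to:   $(pam_jail_root_of "$home")"
if check_sshd_config "$demo_dir/sshd_config"; then
    echo "sshd_config OK"
else
    echo "sshd_config needs fixing before you rely on key-only logins"
fi
if check_pam_sshd "$demo_dir/pam_sshd"; then
    echo "pam_jail.so session line present"
fi
rm -rf "$demo_dir"
```

Running the script as-is prints the host-side home path for the placeholder jail, the jail root it resolves to, and flags the sample `sshd_config` because `PasswordAuthentication` is still `yes`. Point `check_sshd_config` and `check_pam_sshd` at `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` on the host to verify the real configuration before restarting sshd.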

You can now use ansible to manage this jail. Just set the user option `user: ns1` in your playbooks.

You can safely ignore the following message:

	Could not chdir to home directory /iocage/jails/7195d76a-.../root/./usr/home/ns1: No such file or directory
