[idea] Alternative way to ssh into jails by using jexec users on the host #38

Open
grembo opened this issue Oct 6, 2014 · 3 comments

grembo commented Oct 6, 2014

Instead of launching sshd on every jail, allow sshing into various jails by using jexec. One approach to accomplish this is to add dedicated users on the host system (use either user name or gecos to define jail name).

E.g.

  • host
    • jail1
    • jail2
    • potentiallyverylongjailname

/etc/group on host:

jexec:*:2000:

/usr/local/etc/sudoers on host:

%jexec  ALL=(root) NOPASSWD: /usr/sbin/jexec

/etc/master.passwd on host:

jail1:*:2001:2000::0:0:jail1:/home/jexec/jail1:/usr/local/bin/jexecsh
jail2:*:2002:2000::0:0:jail2:/home/jexec/jail2:/usr/local/bin/jexecsh
potentiallyveryl:*:2003:2000::0:0:potentiallyverylongjailname:/home/jexec/potentiallyveryl:/usr/local/bin/jexecsh

The following shell script could be used in the example above (/usr/local/bin/jexecsh):

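#!/bin/sh

# Prefer a running jail named after the login user; otherwise fall back to the
# sanitised gecos field (field 8 of the pw usershow output).
JAILNAME="$USER"
jls -j "$USER" >/dev/null 2>&1 || JAILNAME=$(pw usershow "$USER" | cut -d ':' -f 8 | sed "s/[^a-z0-9_]//g")

# The fallback name must also refer to a running jail.
if [ "x$JAILNAME" != "x$USER" ]; then
        if ! jls -j "$JAILNAME" >/dev/null 2>&1; then
                echo "Jail \"$JAILNAME\" not found" >&2
                exit 1
        fi
fi

# Hand the session to a shell inside the jail.
exec sudo jexec -n "$JAILNAME" sh "$@"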

This takes advantage of jail names being defined in FreeBSD 10 (my.jail.name turns into my_jail_name).

Instead of using name/gecos, different mechanisms could be used to determine which jail to use to execute commands, including the user's home directory (pwd) or storing it in a dedicated configuration file like $HOME/.jexec or simply adding dedicated commands to .ssh/authorized_keys.

One could think of other mechanisms of multiplexing jexec calls for multiple jails over a single user (or various users for accountability). The advantage of the approach above is that it allows for a relatively natural syntax when accessing the jail from the outside:

ssh jail1@host
ssh jail2@host

Yet another approach could be playing with Match rules in the host's /etc/ssh/sshd_config.

Discuss ;)

Contributor

tomster commented Mar 6, 2015

revisiting this i think it would be a good step in the direction of 'container-ization'. containers are defined as being 'managed from the outside' whereas 'traditional' virtualisation is 'managed from the inside'.

it would need to be a per-jail configuration, obviously.

basically it would mean, we have

a) ssh access via proxy command + sshd inside jail
b) ssh access via port forwarding + sshd inside jail
c) ssh access via 'multiplex' without sshd inside jail

a) would be convenient for cases where devops have full access to the jailhost anyway
b) is most convenient when users are only supposed to have access to a particular jail, a break-in would only affect the individual jail, not the entire host
c) seems attractive due to the lack of sshd inside the jail (i.e. why would a database jail even need ssh access?) but i'm currently still concerned about the implications of piping ssh access to a custom script. this seems like two steps away from implementing our own security daemon like i.e. docker :-)

at any rate, i want to take another look and most importantly test the abovementioned shell script. this post is just a public reminder for me to do this :)

Member

fschulze commented Mar 6, 2015

It would probably be quite hard to get working with Fabric, one would have to fiddle with env.shell somehow. Not impossible, but tricky to get right.
For Ansible we have a foot in the door via execnet, but it might require some fiddling in its innards.
For ezjail and co I just added an Executor helper in ploy 1.2.0 which can be extended accordingly.


mwpher commented Mar 6, 2015

I have very little experience with this sort of thing and don't know if this works, but could this be done with ssh key commands?

cat .ssh/authorized_keys

command="sudo /usr/local/sbin/script",no-X11-forwarding ssh-rsa AAAA...

... Where 'sbin/script' will receive the name of the jail through stdin (probably from 'ploy ssh') and run ezjail console. This assumes the script is running checks to make sure the specified value doesn't contain special shell characters or anything.

Of course, you don't want the root account to always redirect to a jail, so you could have a dedicated user that has the NOPASSWD privilege to run ezjail console. The script can even be expanded to limit certain ssh keys to one set of jails (ploy ssh is still specifying one jail; the arguments after script are the list of allowed jails).

cat /home/jail/.ssh/authorized_keys

# Can access any jail
command="sudo /usr/local/sbin/script",no-X11-forwarding ssh-rsa AAAAA...
# Can access one jail
command="sudo /usr/local/sbin/script myjail",no-X11-forwarding ssh-rsa AAAAB...
# Accesses any jail specified in list
command="sudo /usr/local/sbin/script jail1 jail2 jail3",no-X11-forwarding ssh-rsa AAAAB...

If the jail requested by 'ploy ssh' isn't specified in the arguments, it prints an error, logs a message, and halts.

What do you think? Does this make any sense?
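
The allow-list check described in the comment above, sketched as an added example (not code from the thread or from ploy). The function names, the 64-character limit, the exit codes 2 and 3 and the `jexec-gate` syslog tag are assumptions made here.

```shell
#!/bin/sh
# Added example: allow-list gate for the forced command sketched above.
# Invocation as in the post: script [allowed-jail ...]; no arguments = any jail.
LC_ALL=C; export LC_ALL   # keep [a-z] and tr ranges ASCII-only

# Succeeds only for 1-64 characters from [a-z0-9_]. The length limit is an
# assumed policy; the character set is the one jexecsh keeps earlier in the thread.
valid_jail_name() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# select_jail REQUESTED [ALLOWED ...]: prints REQUESTED and returns 0 when
# permitted, 2 for a malformed name, 3 for a valid name not on the key's list.
select_jail() {
    requested=$1
    shift
    valid_jail_name "$requested" || return 2
    [ "$#" -eq 0 ] && set -- "$requested"   # no list given: any valid jail
    for allowed in "$@"; do
        if [ "$allowed" = "$requested" ]; then
            printf '%s\n' "$requested"
            return 0
        fi
    done
    return 3
}

# gate [ALLOWED ...]: the requested jail is the first line of stdin. On refusal:
# error to stderr, syslog entry, non-zero status. Only a sanitised copy of the
# request is logged, so the client cannot inject text into the log.
gate() {
    IFS= read -r requested || :
    if jail=$(select_jail "$requested" "$@"); then
        printf '%s\n' "$jail"   # a real wrapper would exec the console for $jail
        return 0
    else
        rc=$?
    fi
    safe=$(printf '%s' "$requested" | tr -c 'a-z0-9_' '?' | cut -c 1-64)
    echo "jail request refused" >&2
    logger -t jexec-gate -p auth.warning "refused '$safe' rc=$rc" 2>/dev/null || :
    return "$rc"
}

# Constructed demo: a key limited to jail1 and jail2.
printf 'jail2\n' | gate jail1 jail2
printf 'jail3\n' | gate jail1 jail2 || echo "refused with status $?"
```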
