From owner-freebsd-security Wed Apr 3 5:44:54 2002
From: Scott Bolte
To: Andrew McNaughton
Cc: "David G . Andersen", freebsd-security@FreeBSD.ORG
Subject: Re: Jail with one IP?
Date: Wed, 03 Apr 2002 07:44:27 -0600

On Wed, 3 Apr 2002 17:21:11 +1200 (NZST), Andrew McNaughton wrote:

> For ssh access to the jail environments it is easiest to set up on
> separate ports. I've wondered about setting up user accounts which
> immediately exec a second internal ssh connection to the appropriate jail
> using a key based login, but I don't know quite enough about whether
> there are ways to subvert this.

I don't think a second ssh connection would be the right way to address
that. Instead, I'd recommend linking the "permitopen" option with specific
authorization keys. See the "AUTHORIZED_KEYS FILE FORMAT" section in
openssh's sshd manual page for more details.

Permitopen will let you limit an inbound tunnel to a specific host and
port. In theory, you could let it bind only to the jail's address on the
127.0.0.* subnet.
Assuming the remote host is 192.3.4.5, then the (untested) ssh command on
the source host would be:

    ssh -N -f -L 80:jail2:80 -l ruser 192.3.4.5

On the remote host 192.3.4.5, the ~ruser/.ssh/authorized_keys2 file would
contain:

    permitopen="jail2:80" ssh-dss ...

I don't believe jail2 needs to be a fully qualified domain name. Instead,
it would need to resolve to 127.0.0.2 only on 192.3.4.5.

By the way, I created a patch that allows the source end of a tunnel to be
bound to a specific IP address. (Previously it could be bound to localhost
or INADDR_ANY.) When I submitted the patch I was told the functionality was
already on the road map and the -L option would be modified to allow a
local host address.

Whether you use my patch or wait for official support, in theory you could
connect ports in two jails, both of which are on different 127.* subnets,
with a single SSH tunnel. Cool trick.

	Scott
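A small generator for the kind of restricted authorized_keys entry described above, as an added example that is not part of the original message. It assumes a constructed public key line in place of a real one, and it adds the no-pty, no-X11-forwarding and no-agent-forwarding options next to permitopen so the key can be used for the listed forwards and nothing else.

```sh
#!/bin/sh
# Added example, not from the original message: emit an authorized_keys
# entry that ties one key to the forwards named on the command line.
# Several permitopen options are comma-separated; no-pty, no-X11-forwarding
# and no-agent-forwarding are added so the key is good for nothing else.

# valid_target HOST:PORT -> status 0 if well-formed, 1 otherwise
valid_target() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# restricted_key_line "PUBKEY LINE" HOST:PORT... -> entry on stdout
restricted_key_line() {
    pubkey=$1
    shift
    opts=""
    for t in "$@"; do
        valid_target "$t" || { echo "bad target: $t" >&2; return 1; }
        opts="${opts:+$opts,}permitopen=\"$t\""
    done
    [ -n "$opts" ] || return 1
    printf '%s,no-pty,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$opts" "$pubkey"
}

# Constructed key line standing in for a real public key.
restricted_key_line "ssh-dss AAAAB3...constructed" jail2:80
```

Paste the printed line into ~ruser/.ssh/authorized_keys2 on the remote host; a forward to any host:port not listed in a permitopen option is refused by sshd.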