Date: Wed, 03 Apr 2002 07:44:27 -0600
From: Scott Bolte <listS+freebsd-security@niss.com>
To: Andrew McNaughton <andrew@scoop.co.nz>
Cc: "David G . Andersen" <danderse@cs.utah.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Jail with one IP?
Message-ID: <200204031344.g33DiRT86944@crag.niss.com>
On Wed, 3 Apr 2002 17:21:11 +1200 (NZST), Andrew McNaughton wrote:

> For ssh access to the jail environments it is easiest to set up on
> separate ports. I've wondered about setting up user accounts which
> immediately exec a second internal ssh connection to the appropriate jail
> using a key based login, but I don't know quite enough about whether
> there are ways to subvert this.

I don't think a second ssh connection would be the right way to address that. Instead, I'd recommend linking the "permitopen" option with specific authorization keys. See the "AUTHORIZED_KEYS FILE FORMAT" section in openssh's sshd manual page for more details.

Permitopen will let you limit an inbound tunnel to a specific host and port. In theory, you could let it bind only to the jail's address on the 127.0.0.* subnet.

Assuming the remote host is 192.3.4.5, then the (untested) ssh command on the source host would be:

    ssh -N -f -L 80:jail2:80 -l ruser 192.3.4.5

On the remote host 192.3.4.5, the ~ruser/.ssh/authorized_keys2 file would contain:

    permitopen="jail2:80" ssh-dss ...

I don't believe jail2 needs to be a fully qualified domain name. Instead, it would need to resolve to 127.0.0.2 only on 192.3.4.5.

By the way, I created a patch that allows the source end of a tunnel to be bound to a specific IP address. (Previously it could be bound to localhost or INADDR_ANY.) When I submitted the patch I was told the functionality was already on the road map and the -L option would be modified to allow a local host address.

Whether you use my patch or wait for official support, in theory you could connect ports in two jails, both of which are on different 127.* subnets, with a single SSH tunnel. Cool trick.

Scott
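As an added example (not part of Scott's message, nor OpenSSH's own code), the following Python parses an authorized_keys line in the format the sshd manual describes and reports whether a given forward target would pass that key's permitopen restriction. The sample lines and key blobs are constructed; the matching is literal, as the manual states (no wildcard or name lookup), so a key restricted to jail2:80 does not cover 127.0.0.2:80 even when jail2 resolves to it.

```python
# Key types that may begin a line when no options field is present.
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample lines modelled on the one in the message; the key
# blobs are placeholders, not real keys.
JAIL2_KEY = 'permitopen="jail2:80",no-pty ssh-dss AAAAB3...placeholder ruser@src'
OPEN_KEY = 'ssh-dss AAAAB3...placeholder ruser@src'


def parse_options(line):
    """Split the options field of an authorized_keys line into a list of
    option strings (quotes removed) and return (options, key_part).
    Options are comma separated, but a quoted value may contain commas
    and backslash-escaped quotes, so the field is scanned by character."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return [], line                      # no options on this line
    options, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2  # escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            options.append("".join(cur)); cur = []
        elif ch.isspace() and not in_quote:
            break                            # end of the options field
        else:
            cur.append(ch)
        i += 1
    options.append("".join(cur))
    return options, line[i:].strip()


def permitopen_targets(options):
    """Collect every permitopen=host:port value (host/port is the IPv6 form)."""
    targets = set()
    for opt in options:
        if opt.startswith("permitopen="):
            spec = opt[len("permitopen="):]
            host, _, port = spec.rpartition("/" if "/" in spec else ":")
            targets.add((host, int(port)))
    return targets


def forward_allowed(line, host, port):
    """True if a -L forward to host:port via this key passes the per-key
    permitopen check. A key with no permitopen option leaves forwarding
    unrestricted, subject only to sshd_config."""
    targets = permitopen_targets(parse_options(line)[0])
    return not targets or (host, port) in targets
```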