Date: Wed, 17 Apr 2002 07:04:55 -0500
From: Scott Bolte <listS+freebsd-questions@niss.com>
To: Patrick Thomas <root@utility.clubscholarship.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: getting new ssh keys for an exploded jail
Message-ID: <200204171204.g3HC4tT20622@crag.niss.com>
On Tue, 16 Apr 2002 08:55:47 -0700 (PDT), Patrick Thomas wrote:
>
> Hi,
>
> I am running a few (3-4) jails on a server, and instead of doing a `make
> world`, etc., to create the jail, I just untar a filesystem that I have
> for this purpose.
>
> Works fine.
>
> However, each untarred filesystem is exactly the same, which means each
> one has the same private keys for ssh, etc. - again, sshd works fine, but
> I think this is an improper setup - to have multiple hosts with the same
> sshd keys.
>
> What actions can I take on each jail, once they are running, but before I
> give them to the test people, to make sshd as secure as it should be?

You should not copy the ssh host credentials. If you delete them, they
should automatically be regenerated the next time /etc/rc.network runs.

Other things you need to make unique for each jail:

* syslogd needs to bind only to the jail's address. Need to modify
  /etc/rc.conf so -ss is a command option.
* sendmail needs to bind only to the jail's address. Requires new .mc and
  then .cf file using DAEMON_OPTIONS(`Addr=<jail IP address>').
* sshd needs to bind only to the jail's address. ListenAddress needs to be
  set in sshd_config.
* restore flags set by chflags.

I have a package in beta test for managing jails. It has a script that
clones a template jail in just a few minutes, handling all the above
mentioned issues. It also has standard startup, shutdown, trace, and enter
support with a bunch of other goodies I've found helpful.

People should drop me a line if they want to receive a copy of the package.

Scott
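The steps from Scott's reply collected into one script, as an added example that is not code from the original thread or from the jail package he mentions. It assumes the jail root on the host and the jail's IP address are passed as arguments, that the path of the jail's sendmail .mc file is given as an optional third argument (the default name jail.mc is hypothetical), and, as the reply states, that the jail's own rc scripts regenerate the removed SSH host keys on its next start. The shared_hostkeys check is an addition for confirming that two cloned jails no longer carry byte-identical host keys.

```sh
#!/bin/sh
# Added example: make a jail cloned from a common tarball unique.
# Not code from the original thread or from Scott's jail package.
# Assumes: $1 = jail root on the host, $2 = the jail's IP address,
# $3 = path of the jail's sendmail .mc file (hypothetical default below).
# The jail's rc scripts are expected to regenerate the removed SSH host
# keys on the next start, as the reply describes.

# Report host key files that are byte-identical between two jail roots.
# Returns 0 (and prints the names) if any key is shared, 1 otherwise.
shared_hostkeys() {
    a="$1"; b="$2"; rc=1
    for k in "$a"/etc/ssh/ssh_host_*key; do
        [ -f "$k" ] || continue
        other="$b/etc/ssh/$(basename "$k")"
        if [ -f "$other" ] && cmp -s "$k" "$other"; then
            echo "shared host key: $(basename "$k")"
            rc=0
        fi
    done
    return $rc
}

# Set name="value" in an rc.conf-style file, replacing any existing line.
set_rc_var() {
    file="$1"; name="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    grep -v "^${name}=" "$file" > "$file.tmp" || true
    printf '%s="%s"\n' "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Set a directive in sshd_config, dropping active or commented-out copies.
set_sshd_opt() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    grep -v -E "^#?[[:space:]]*${key}[[:space:]]" "$file" > "$file.tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Pin sendmail's listener to one address in the .mc file.
set_sendmail_addr() {
    mc="$1"; ip="$2"
    [ -f "$mc" ] || : > "$mc"
    grep -v '^DAEMON_OPTIONS(' "$mc" > "$mc.tmp" || true
    printf "DAEMON_OPTIONS(\`Addr=%s')dnl\n" "$ip" >> "$mc.tmp"
    mv "$mc.tmp" "$mc"
}

prepare_jail() {
    root="$1"; ip="$2"; mc="${3:-$root/etc/mail/jail.mc}"

    # 1. Drop the cloned SSH host keys; the jail regenerates them on start.
    rm -f "$root"/etc/ssh/ssh_host_*key "$root"/etc/ssh/ssh_host_*key.pub

    # 2. syslogd: "-ss" opens no network socket at all, so the jail's
    #    syslogd cannot collide with the host's or another jail's.
    set_rc_var "$root/etc/rc.conf" syslogd_flags "-ss"

    # 3. sshd: listen only on the jail's own address.
    set_sshd_opt "$root/etc/ssh/sshd_config" ListenAddress "$ip"

    # 4. sendmail: DAEMON_OPTIONS in the .mc; sendmail.cf must then be
    #    rebuilt from it inside the jail (needs the sendmail cf tree).
    set_sendmail_addr "$mc" "$ip"

    # 5. chflags: re-apply any immutable flags the extraction dropped.
    #    Which files carry them is site-specific, so it is not done here.
}

# Usage on the host: sh prepare_jail.sh /usr/jails/test1 10.0.0.11
if [ $# -ge 2 ]; then
    prepare_jail "$@"
fi
```

Two things the script deliberately leaves to the operator: rebuilding sendmail.cf from the edited .mc (this needs m4 and the sendmail cf tree, so it is run inside the jail), and re-applying chflags, since the reply does not say which files carried flags in the template. Note also that syslogd's "-ss" does not bind to the jail's address; a second -s tells FreeBSD's syslogd to open no network socket at all, which is enough to stop the jails and the host from contending for the same UDP port. Run shared_hostkeys against every pair of jail roots after the first start to confirm each jail really did get its own keys.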