From owner-freebsd-questions Wed Apr 17 11: 1:31 2002 Delivered-To: freebsd-questions@freebsd.org Received: from crag.niss.com (niss.com [169.207.33.46]) by hub.freebsd.org (Postfix) with ESMTP id 3A3A037B400 for ; Wed, 17 Apr 2002 11:01:22 -0700 (PDT) Received: from crag.niss.com (localhost.niss.com [127.0.0.1]) by crag.niss.com (8.11.6/8.11.6) with ESMTP id g3HC4tT20622; Wed, 17 Apr 2002 07:04:55 -0500 (CDT) (envelope-from listS+freebsd-questions@niss.com) Message-Id: <200204171204.g3HC4tT20622@crag.niss.com> From: Scott Bolte To: Patrick Thomas Cc: freebsd-questions@FreeBSD.ORG Subject: Re: getting new ssh keys for an exploded jail MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <20619.1019045095.1@crag.niss.com> Date: Wed, 17 Apr 2002 07:04:55 -0500 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, 16 Apr 2002 08:55:47 -0700 (PDT), Patrick Thomas wrote: > > Hi, > > I am running a few (3-4) jails on a server, and instead of doing a `make > world`, etc., to create the jail, I just untar a filesystem that I have > for this purpose. > > Works fine. > > However, each untarred filesystem is exactly the same, which means each > one has the same private keys for ssh, etc. - again, sshd works fine, but > I think this is an improper setup - to have multiple hosts with the same > sshd keys. > > What actions can I take on each jail, once they are running, but before I > give them to the test people, to make sshd as secure as it should be ? You should not copy the ssh host credentials. If you delete them, they should automatically be regenerated the next time /etc/rc.network runs. Other things you need to make unique for each jail: * syslogd needs to bind only to the jail's address. Need to modify /etc/rc.conf so -ss is a command option. * sendmail needs to bind only to the jail's address. Requires new .mc and then .cf file using DAEMON_OPTIONS(`Addr='). * sshd needs to bind only to the jail's address. ListenAddress needs to be set in sshd_config. * restore flags set by chflags. I have a package in beta test for managing jails. It has a script that clones a template jail in just a few minutes, handling all the above mentioned issues. It also has standard startup, shutdown, trace, and enter support with a bunch of other goodies I've found helpful. People should drop me a line if they want to receive a copy of the package. Scott To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message