Two jail questions
Mark Moellering
markmoellering at psyberation.com
Thu Oct 19 17:57:35 UTC 2017
> 2) Suppose I have two classes of users on a system: normal users and
> guest users. For normal users (including those that are members
> of the wheel group), I would like those individuals to be able
> to use ssh to connect to the host system. For guest users, I
> want to isolate those users in a jailed environment. Thus, I'll
> have sshd running in both the host and jail. How do I setup
> such a scheme?
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
> User X on host != User X on jail
To expand on what was previously said:
Normally, when you set up a jail, you set it up like a mini virtual server
(with a few caveats...). So it should have its own IP address and it will
have its own instance of sshd and its own set of users.
For completeness, you would create a virtual IP (or one for each jail, in
the case of multiple jails) and assign the virtual IP to the jail. It will
appear as a separate server on the network.
You can't run pf from a jail, that has to be on the main host. You also
can't run NFS from a jail (something I spent many hours on some time ago).
You do need to make sure that daemons on the main host don't try to listen
on all ports. I used "Absolute FreeBSD" by Michael Lucas as a guide for
this. (Full disclosure, I know him personally).
Mark Moellering
On Thu, Oct 19, 2017 at 1:46 PM, Adam Vande More <amvandemore at gmail.com>
wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl
> <sgk at troutmask.apl.washington.edu> wrote:
>
> >
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> > jail, is it required to have the host system running pf (or other
> > packet filtering software)?
> >
>
> No. See VNET/VIMAGE
>
>
> > 2) Suppose I have two classes of users on a system: normal users and
> > guest users. For normal users (including those that are members
> > of the wheel group), I would like those individuals to be able
> > to use ssh to connect to the host system. For guest users, I
> > want to isolate those users in a jailed environment. Thus, I'll
> > have sshd running in both the host and jail. How do I setup
> > such a scheme?
> >
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail
>
> --
> Adam
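The setup described in the replies above (jail on its own alias IP, an sshd in the host and one in the jail, host daemons kept off the wildcard address), written out as an added example. This is not code from the thread or from the FreeBSD project. The addresses 192.0.2.10 (host) and 192.0.2.20 (jail), the interface em0, the jail name "guest", its path /usr/jails/guest and the "guests" group are assumed values; the sockstat output is a constructed sample so the audit runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: host/jail sshd split on one box.
# Assumed values (not from the original post): host 192.0.2.10 and jail
# 192.0.2.20 on interface em0, jail named "guest", jail root /usr/jails/guest.

# /etc/jail.conf entry: the jail gets its own alias IP and its own rc,
# so the sshd enabled in the jail's rc.conf starts with the jail.
JAIL_CONF='guest {
    host.hostname = "guest.example.net";
    path = "/usr/jails/guest";
    interface = "em0";
    ip4.addr = "192.0.2.20";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}'

# Host /etc/ssh/sshd_config: bind only to the host address, never *:22,
# so the host sshd does not collide with, or answer for, the jail.
HOST_SSHD_CONFIG='ListenAddress 192.0.2.10
Port 22
PermitRootLogin no'

# Jail /usr/jails/guest/etc/ssh/sshd_config: same port, jail address only,
# and only the guest accounts that exist inside the jail may log in.
JAIL_SSHD_CONFIG='ListenAddress 192.0.2.20
Port 22
PermitRootLogin no
AllowGroups guests'

# sshd_binds_everywhere CONFIG: exit 0 if the config would bind to all
# addresses (no ListenAddress line at all, which is the sshd default, or an
# explicit 0.0.0.0 / :: wildcard), exit 1 if every ListenAddress is specific.
sshd_binds_everywhere() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*ListenAddress[[:space:]]/ {
            n++
            if ($2 ~ /^(0\.0\.0\.0|\[?::\]?)(:[0-9]+)?$/) wild = 1
        }
        END { exit ((n == 0 || wild) ? 0 : 1) }'
}

# wildcard_listeners SOCKSTAT_OUTPUT: print "COMMAND PROTO PORT" for every
# socket bound to the wildcard address. On the host, feed it `sockstat -4l`.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, a, ":"); print $2, $5, a[2]
    }'
}

# Constructed `sockstat -4l` sample (not real output): the host sshd is still
# on *:22 and ntpd on *:123, while the jail sshd sits on the jail address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     sshd       1450  4  tcp4   192.0.2.20:22         *:*
root     ntpd       640   20 udp4   *:123                 *:*
www      nginx      800   6  tcp4   192.0.2.10:80         *:*'

# Self-check of the two config fragments and the sample listener table.
for cfg in "$HOST_SSHD_CONFIG" "$JAIL_SSHD_CONFIG"; do
    if sshd_binds_everywhere "$cfg"; then
        echo "sshd_config binds to all addresses; add a ListenAddress"
    else
        echo "sshd_config is restricted to a specific address"
    fi
done
echo "wildcard listeners that need a specific address:"
wildcard_listeners "$SAMPLE_SOCKSTAT"
```

The wildcard check is the one to run on the host after the jail is up: any daemon still on `*:port` will be reachable on the jail's alias address too (and will fight the jail's sshd for port 22 if both use the same port). This only applies to the classic shared-stack jail; with a VNET jail, as pointed out in the reply, the jail has its own network stack and its sshd can be configured as on a normal host.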