
labunix's blog

labunix's LabUnix

Trying an ssh login into a qjail environment on FreeBSD 10.1-RC4.

■ Trying an ssh login into a qjail environment on FreeBSD 10.1-RC4.
 The environment is the one from the previous post.

 Installing qjail 3.6 on FreeBSD 10.1-RC4.
 http://labunix.hateblo.jp/entry/20141122/1416649086

$ cat /etc/jail.conf 
qjail001 { 
host.hostname       =  "qjail001";
path                =  "/usr/jails/qjail001";
mount.fstab         =  "/usr/local/etc/qjail.fstab/qjail001";
exec.start          =  "/bin/sh /etc/rc";
exec.stop           =  "/bin/sh /etc/rc.shutdown";
exec.consolelog     =  "/var/log/qjail.qjail001.console.log";
mount.devfs;
ip4.addr            =  192.168.100.1;
interface           =  "em0";
devfs_ruleset       =  "4";
}

$ sudo qjail list

STA JID  NIC IP              Jailname
--- ---- --- --------------- --------------------------------------------------
DR  3    em0 192.168.100.1   qjail001

■ Change the sshd configuration on the host side

 Without a ListenAddress the host's sshd binds 0.0.0.0:22. The jail's address 192.168.100.1 is an alias on em0 owned by the host kernel, so the host sshd would answer on it as well and the jail's own sshd could not bind. Pin the host's sshd to the host address only:

$ grep "^AddressFamily\|^ListenAddress" /etc/ssh/sshd_config
AddressFamily inet
ListenAddress 172.16.115.128
$ sudo /etc/rc.d/sshd restart

■ Change the sshd configuration on the jail side

$ sudo qjail console qjail001
qjail001 /root >sh
# echo 'sshd_enable="YES"' | tee -a /etc/rc.conf > /dev/null
# grep "^AddressFamily\|^ListenAddress" /etc/ssh/sshd_config
AddressFamily inet
ListenAddress 192.168.100.1
# /etc/rc.d/sshd restart
Performing sanity check on sshd configuration.
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

■ sshd host keys are generated automatically by "service sshd start".

 The restart above failed because the rc script's restart target only runs the configuration sanity check, while start runs the key-generation step first (that step is also available on its own as "service sshd keygen"). Note that on 10.1 this also produces a protocol-1 RSA1 key and a 1024-bit DSA key; sshd defaults to protocol 2 only, so the RSA1 key is unused unless protocol 1 is enabled, and the ECDSA and ED25519 fingerprints are the ones worth recording for clients.

# service sshd start
Generating RSA1 host key.
2048 0a:30:a5:4f:d8:aa:e3:18:6e:36:3c:78:83:17:55:a5  root@qjail001 (RSA1)
Generating RSA host key.
2048 f1:8d:6d:39:55:42:1e:46:47:d2:d1:b2:f4:58:0d:98  root@qjail001 (RSA)
Generating DSA host key.
1024 0d:ea:70:29:80:9e:12:90:6a:d1:4f:a4:7d:9d:b5:c5  root@qjail001 (DSA)
Generating ECDSA host key.
256 75:63:ea:c0:79:7a:a6:fb:90:9a:d5:2f:9a:76:3e:2c  root@qjail001 (ECDSA)
Generating ED25519 host key.
256 cc:e2:38:61:21:2b:ee:b4:85:b1:32:ee:08:ab:03:55  root@qjail001 (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.
# exit
qjail001 /root >exit

■ Creating a user and an ssh key

 sshd denies root logins by default (PermitRootLogin no), so a regular user is needed; putting it in wheel is what allows su to root inside the jail.

$ sudo qjail console qjail001
qjail001 /root >sh
# adduser labunix
Username: labunix
Full name: labunix
Uid (Leave empty for default): 
Login group [labunix]: 
Login group is labunix. Invite labunix into other groups? []:wheel
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: 
Home directory [/home/labunix]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: 
Enter password: 
Enter password again: 
Lock out the account after creation? [no]: 
Username   : labunix
Password   : *****
Full Name  : labunix
Uid        : 1001
Class      : 
Groups     : labunix wheel
Home       : /home/labunix
Home Mode  : 
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (labunix) to the user database.
Add another user? (yes/no): no
Goodbye!

# su labunix -c 'ssh-keygen -t ecdsa'
Generating public/private ECDSA key pair.
Enter file in which to save the key (/home/labunix/.ssh/id_ecdsa): 
Created directory '/home/labunix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/labunix/.ssh/id_ecdsa.
Your public key has been saved in /home/labunix/.ssh/id_ecdsa.pub.
The key fingerprint is:
ef:4a:60:6b:45:25:3a:f1:99:fd:00:0b:18:3e:eb:9c labunix@qjail001
The key's randomart image is:
+--[ECDSA  256]---+
|    .oo o .      |
|   ..  = O       |
|    o o * o      |
|     o o   o     |
|    . o S   .    |
|   o o + .       |
|    E o . .      |
|     . . .       |
|        ...      |
+-----------------+
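The key pair generated above lives inside the jail under /home/labunix/.ssh and is an identity for connections made from the jail; the ssh logins shown later still go through the password prompt. To log in to the jail with a key, the client's public key has to be placed in the jail user's authorized_keys with modes that sshd accepts. The script below is an added example for that step (shell, not code from the original post); the home directory and the key line are constructed for the demo, and the chown to the user that is needed when this runs as root is left to the caller.

```shell
#!/bin/sh
# Added example, not from the original post: install a client's public key
# for the jail user so the ssh login can use key authentication instead of
# the password prompt. Paths and the key line below are constructed.

# is_pubkey_line LINE: succeed if LINE looks like an OpenSSH public key
# (key type, base64 blob, optional comment). Protocol-1 "RSA1" lines
# ("2048 35 <modulus> comment") do not match and are rejected.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ].*)?$'
}

# install_authorized_key HOMEDIR LINE: create HOMEDIR/.ssh (0700) and append
# LINE to authorized_keys (0600) unless it is already there. sshd refuses keys
# in group- or world-writable directories/files, so the modes matter.
# When run as root, chown HOMEDIR/.ssh to the user afterwards (not done here).
install_authorized_key() {
    home=$1; line=$2
    is_pubkey_line "$line" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    sshdir=$home/.ssh
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    keys=$sshdir/authorized_keys
    [ -f "$keys" ] || : > "$keys"
    chmod 600 "$keys"
    if ! grep -Fxq -- "$line" "$keys"; then
        printf '%s\n' "$line" >> "$keys"
    fi
}

# count_keys HOMEDIR: number of entries in authorized_keys (0 if absent).
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c '' "$1/.ssh/authorized_keys"
}

# Constructed dummy key line (not a real key) and a scratch home for the demo.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl labunix@client'
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # second call is a no-op
echo "entries: $(count_keys "$demo_home")"            # entries: 1
rm -rf "$demo_home"
```

The check on the key line is deliberately strict about the key type so that a stray protocol-1 line or an arbitrary string cannot be appended; the idempotent append means the function can be re-run from a provisioning script without growing the file.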

■ Set a login prompt on the jail side

$ sudo qjail console qjail001
qjail001 /root >sh
# echo 'export PS1="[( jail ) \u@\h \w]\\$ "' | tee -a /etc/profile > /dev/null
# exit
qjail001 /root >exit
logout

■ Check the listening ports from the host

$ netstat -an | grep '^tcp4.*\.22 '
tcp4       0      0 192.168.100.1.22       *.*                    LISTEN
tcp4       0      0 172.16.115.128.22      *.*                    LISTEN
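The host and jail configurations above work because each sshd is pinned to one address and neither falls back to the wildcard. As an added example (shell, not code from the original post), the script below checks both halves: it parses an sshd_config for ListenAddress and AddressFamily, and it parses netstat -an output like the listing above for port-22 listeners. The file paths are hypothetical and the netstat text is a constructed sample in the same column layout.

```shell
#!/bin/sh
# Added example, not from the original post: check that the host's and the
# jail's sshd each bind only the address they own, and that no sshd listens
# on the wildcard *.22. Paths are hypothetical; the netstat text is a
# constructed sample in the same layout as `netstat -an` on FreeBSD.

# listen_addrs FILE: print the ListenAddress values in an sshd_config,
# skipping comments (keywords are case-insensitive in sshd_config).
listen_addrs() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# check_sshd_bind FILE ADDR: succeed only if FILE restricts sshd to IPv4 and
# to ADDR. With no ListenAddress the host's sshd binds 0.0.0.0:22, which also
# covers the jail's alias IP, so the jail's sshd could not bind its address.
check_sshd_bind() {
    file=$1; want=$2
    addrs=$(listen_addrs "$file")
    [ -n "$addrs" ] || { echo "$file: no ListenAddress, sshd would bind all addresses" >&2; return 1; }
    for a in $addrs; do
        case $a in
            "$want"|"$want:22") ;;
            *) echo "$file: unexpected ListenAddress $a" >&2; return 1 ;;
        esac
    done
    fam=$(awk 'tolower($1) == "addressfamily" { print $2 }' "$file")
    [ "$fam" = inet ] || { echo "$file: AddressFamily is '${fam:-any}', expected inet" >&2; return 1; }
}

# check_ssh_listeners ADDR...: read `netstat -an` output on stdin; succeed only
# if every ADDR has a tcp4 LISTEN socket on port 22 and none is on the wildcard.
check_ssh_listeners() {
    found=" $(awk '$1 == "tcp4" && $NF == "LISTEN" && $4 ~ /\.22$/ { print $4 }' | tr '\n' ' ')"
    case $found in
        *" *.22 "*) echo "an sshd listens on *.22 (all addresses)" >&2; return 1 ;;
    esac
    for want in "$@"; do
        case $found in
            *" $want.22 "*) ;;
            *) echo "no port-22 listener on $want" >&2; return 1 ;;
        esac
    done
}

# Constructed samples: one matching the post's host/jail layout, one where the
# host's sshd was left on the wildcard address.
NETSTAT_OK='tcp4       0      0 192.168.100.1.22       *.*                    LISTEN
tcp4       0      0 172.16.115.128.22      *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN'
NETSTAT_WILDCARD='tcp4       0      0 *.22                   *.*                    LISTEN'

if printf '%s\n' "$NETSTAT_OK" | check_ssh_listeners 192.168.100.1 172.16.115.128; then
    echo "host and jail sshd are each bound to their own address"
fi
printf '%s\n' "$NETSTAT_WILDCARD" | check_ssh_listeners 192.168.100.1 || echo "fix ListenAddress on the host"
```

On a live system the two functions are fed the real files and the real netstat output (`check_sshd_bind /etc/ssh/sshd_config 172.16.115.128` on the host, the jail's copy under /usr/jails/qjail001/etc/ssh from the host side, and `netstat -an | check_ssh_listeners 172.16.115.128 192.168.100.1`).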
■ ssh into the jail and check. The user name for "\u" is not resolved.

 /bin/sh in FreeBSD 10.1 expands \h, \w and \$ in PS1, but it has no \u sequence, so "\u" is printed literally; ssh itself is not involved.

$ ssh 192.168.100.1
Password for labunix@qjail001:
Last login: Sat Nov 22 23:11:32 2014 from 192.168.100.1
FreeBSD 10.1-RC4-p1 (GENERIC) #0: Tue Nov  4 16:14:17 UTC 2014

Welcome to your FreeBSD jail.
[( jail ) \u@qjail001 /usr/home/labunix]$ 

■ It is a pity that the user name cannot be shown when logging in to the jail
 over ssh, but this is good enough.

$ tail -1 /etc/profile 
export PS1="[( jail ) \h:\w]\\$ "

$ ssh 192.168.100.1
Password for labunix@qjail001:
Last login: Sat Nov 22 23:17:59 2014 from 192.168.100.1
FreeBSD 10.1-RC4-p1 (GENERIC) #0: Tue Nov  4 16:14:17 UTC 2014

Welcome to your FreeBSD jail.
[( jail ) qjail001:/usr/home/labunix]$