Jailkit and SSH agents

Discussion in 'Installation/Configuration' started by ambidex, Jan 10, 2019.

  1. ambidex

    ambidex New Member

    I'm currently trying to get jailed users working with SSH agent forwarding. My shell users should be able to receive SSH agents to be able to login into third party servers. I've already setup all needed applications (ssh-add, ssh-agent etc..) for the jailed user. Also, I've added SSH_AUTH_SOCK to jk_chrootsh.ini's env variable. The only thing I think I'm missing is the `/tmp` from the global system where the socket is stored. I've read that I'd need to use a bind mount to make /tmp available to the jailed user. That's all fun and games, but I don't want to have to create a new bind for every single user that is created in ISPConfig. I'm out of ideas how to realise this. Any thoughts?

  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I've not tried to set this up, so take this as just a few thoughts on the topic.

    Bind mounting the entire /tmp directory inside each jail is bad as it increases the available attack surface from jailed users, which in most environments you want to avoid. That would allow a user inside one jail to access all running ssh-agents on the box, as their sockets would then be accessible (granted, that requires the jailed user to gain root access inside their jail, but you can/should expect that will happen). Other things inside /tmp can allow jailbreaking and in worst case complete server takover, due to race conditions and programs not checking/creating their tmp files properly (which is actually very common).

    You would be better served to specify a custom socket file location to ssh-agent (use -a switch) inside a directory created for that purpose, and either bind mount that or simply create the socket in a path already inside the jail. Eg. have ssh-agent put the socket under /var/www/clients/client#/web#/private/ and it will be available under /private/ from within the jail.

    I don't know how/where ssh-agent is invoked right offhand, so you'd have to determine how/where to fit the -a switch in. If you need something run every time an ssh user is created, you'd want to look at creating an ispconfig server plugin (and that holds true for your initial proposal of setting up a bind mount for the entire /tmp inside each jail, if you go that route).

Share This Page