Chroot-ed ssh shell in ramdisk on OpenBSD 6.8
    =============================================

 Last edited: $Date: 2020/11/16 19:04:47 $

        Memory File System (a.k.a. "ramdisk")
        -------------------------------------

 OpenBSD  provides  the  wonderful  option to mount a
 memory file system, called "mfs file  system",  with
 the -P switch.

 ### Prototype

 Think  of  this -P switch as "prototype". The option
 -P has to be  followed  by  either  a  directorypath
 ("file") or a block device. When -P is followed by a
 directorypath, the mfs file system will  be  created
 with the contents of that path.

 If  followed  by a block device, the mfs file system
 will be created with the contents of  the  FFS  file
 system contained on the device.

 See  the  example below how to add a mfs file system
 to your `/etc/fstab` file.

 The contents are  ***copied***  into  the  mfs  file
 system  at  the time of creation. So, any changes of
 the prototype directory will only  be  reflected  in
 the  mfs  file system after it has been umounted and
 mounted again.

 See man mount_mfs.

 When the chrooted environment is  small  enough,  it
 can  easily  run  in  ram. So we can create a script
 that populates a directory, and  mount  a  mfs  file
 system filled with the contents of that directory.

                     Adding users
                     ------------

 We  start  with  adding  a  group and some users. By
 making the users member of the group,  we  can  tell
 sshd  that  they  belong to the chroot-users, and we
 can build a script based  on  the  fact  that  these
 users are member of the group.

 We use the group "chroot" for this.

   groupadd chroot

 The  users  must be member of this group and no home
 directory in /etc/passwd.

   useradd -g chroot <username>

 Replace <username> with the username of the user.

           Building the chroot environment
           -------------------------------

 First, think about what utilities are necessary  for
 the user. The less the better, in this case.

 We need some basic infrastructure (some directories,
 some  device-files  in  /dev,  /etc/resolv.conf,  et
 cetera)  and  some  utilities  (programs to run). To
 make this easy adaptable it is best to do this  with
 a script.

 In  the  example  build  script  [^1] there are some
 utilities from /bin (like "date") and from  /usr/bin
 ("ssh") that will be put into the chroot.  These are
 just examples, use what you need.

 Every utility takes up space, and perhaps  also  one
 or more extra library files.

                        /proto
                        ------

 The  script  builds  the  chroot  environment in the
 directory `/proto/chroot`.

 I use several mfs file system mounts, and  for  each
 I have a directory in /proto to populate them with.

                   Home directories
                   ----------------

 The  script doesn't delete user home directories, so
 it can be run several times, rebuilding  the  chroot
 environment, without impact for the users.

                 authorized_keys file
                 --------------------

 The  script  finds  the users that are member of the
 group
  'chroot' and creates  a  home-directory  for  these
 users.   The script touches the authorized_keys file
 for each user in it's $HOME/.ssh directory, but  the
 actual public key of the user have to be copied into
 this file. This can be done  after  the  script  has
 run.

             Mounting the mfs file system
             ----------------------------

 When the /proto/chroot directory is complete, we can
 mount the mfs file system.

 Add the mfs file system to your /etc/fstab;

   swap /chroot mfs ro,nosuid,-P=/proto/chroot,-s=48000 0 0

 In this example the mfs filesytem  will  be  mounted
 read  only.  Depending on your needs, you could also
 mount  it  read-write,  sshd  will  check  that  the
 directory  tree is owned by root and can not be over
 written by other users.

 The -s option sets the size of the  mfs  filesystem.
 This  is  the  maximum size, stating to how much you
 can fill it up.

 If you make this bigger, there will be  less  memory
 left  for  your system. The required size of the mfs
 file system depends on the size of the actual chroot
 environment.

                   Configuring sshd
                   ----------------

 We  use  key  authentication  to  get  access to the
 chroot.

 The chrooted ssh shell is made easy by the  features
 sshd  offers.  We  only  need  to  add  some  chroot
 configuration to sshd.

 Add these lines to sshd_config:

   Match Group chroot
       ChrootDirectory /chroot
       AuthorizedKeysFile /chroot/home/%u/.ssh/authorized_keys
       PasswordAuthentication no

                        Thanks
                        ------

 The example build script mentioned above is based on
 the        work        on       arnor.org,       see
 https://arnor.org/chroot/how_to_setup_shell_chroot_OpenBSD.txt.

 [^1]  The  example  build  script can be found here:
 gopher://box.matto.nl/0/ssh-chroot.txt

You are viewing proxied material from box.matto.nl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.