# ssh tunnel and jails



## Remington (Dec 19, 2012)

Is there a way to do ssh tunnel to the jails thru the host's ssh without using the jails' own ssh?  I do not want to open up all ssh ports in order to access mysql 127.0.0.1:3306 or glassfish 127.0.0.1:4848 ports securely.

My pf.conf:

```
ext_if      = "em0"
int_if      = "lo0"
int_net     = "255.255.255.0"
mysql_addr  = "192.168.1.126"
web_addr    = "192.168.1.127"
webapp_addr = "192.168.1.128"
kvm_addr    = "192.168.1.130"
ext_addr    = "192.168.1.131"

set skip on $int_if

nat on $ext_if from $int_net to any -> ($ext_if)

# Forward host port to web jails (experimental only)
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 -> $web_addr port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 81 -> $web_addr port 81
rdr on $ext_if proto tcp from any to $ext_addr/32 port 82 -> $web_addr port 82
rdr on $ext_if proto tcp from any to $ext_addr/32 port 83 -> $web_addr port 83

block in all
pass out all

pass in on $ext_if proto tcp from any to $ext_addr port 22

pass in on $ext_if proto tcp from any to $web_addr port 80
pass in on $ext_if proto tcp from any to $web_addr port 81
pass in on $ext_if proto tcp from any to $web_addr port 82
pass in on $ext_if proto tcp from any to $web_addr port 83

pass in on $ext_if proto tcp from any to $webapp_addr port 22
pass in on $ext_if proto tcp from any to $webapp_addr port 80
pass in on $ext_if proto tcp from any to $webapp_addr port 443

#pass in on $int_if proto tcp from any to $mysql_addr port 3306
#pass in on $int_if proto tcp from any to $webapp_addr port 4848
```


----------



## SirDice (Dec 19, 2012)

Why don't you simply jexec(8) into the jail from the host?

`# jexec <jailid/jailname> /bin/su -`


----------



## Remington (Dec 19, 2012)

The above didn't work.  However, I think I found a way.

Since the firewall blocked most ports into the server.  I was able to access 192.168.1.128:4848 with my browser with proxy and ssh tunnel to the server which bypassed the firewall.  So I was able to see the Glassfish's admin panel inside the ssh tunnel.  I also tried it without the proxy and the port 4848 is blocked.  So I don't think 127.0.0.1 is really necessary since I can ssh tunnel into the main host and pretty much do everything behind the firewall using jail's ip addresses and ports.

Is this secure way of doing it so I can disable ssh in all jails except host with authorized_keys?


----------



## gkontos (Dec 19, 2012)

The safest method is what SirDice told you above.

Assuming you can ssh to the host using public/private key authentication, then typing:

[CMD=""]#jexec <JID> tcsh[/CMD]

Will put you in the desired jail. If you want to be even more secure, create a jump host that is allowed access to the host of the jails.


----------



## SirDice (Dec 19, 2012)

gkontos said:
			
		

> Assuming you can ssh to the host using public/private key authentication, then typing:
> 
> [CMD=""]#jexec <JID> tcsh[/CMD]


I'd use su(1) though, as that also sets the environment variables correctly for the jail. Simply running a shell tends to 'inherit' variables from the host, which might have unintended consequences.


----------



## bbzz (Dec 19, 2012)

```
ssh -NL localPort:jailIP:jailPort user@host
```

There's no need to have ssh enabled for jail unless you have a specific reason, since you are going to have same key for host/jails per machine anyway.


----------



## Remington (Dec 19, 2012)

bbzz said:
			
		

> ```
> ssh -NL localPort:jailIP:jailPort user@host
> ```
> 
> There's no need to have ssh enabled for jail unless you have a specific reason, since you are going to have same key for host/jails per machine anyway.



I already had all jails' ssh disabled since I'm using the host's ssh access with jexec or ezjail-admin console command.  Having a public/private key for ssh is quite secure so I don't have to worry about unauthorized access to the host.


----------



## bbzz (Dec 19, 2012)

Sometimes you want to access specific jail port directly, that's what tunnel does; I figured that's the whole point of the question.


----------



## gkontos (Dec 19, 2012)

SirDice said:
			
		

> I'd use su(1) though, as that also sets the environment variables correctly for the jail. Simply running a shell tends to 'inherit' variables from the host, which might have unintended consequences.



Only if you modify root environment variables which you should not!


----------



## SirDice (Dec 20, 2012)

gkontos said:
			
		

> Only if you modify root environment variables which you should not!


I'm not so sure, I've had some issues but can't remember what exactly. Added bonus with su(1) is that things like ~/.cshrc get executed too. If you set the prompt to print the hostname it'll help avoid confusion (Am I on the host or the jail?)


```
root@molly:~#
root@molly:~# jsu build -
root@j-build-amd64:~#
root@j-build-amd64:~#
```

The jsu is just a small shell script I put in my ~/bin/:

```
root@molly:~# cat bin/jsu
#!/bin/sh

jexec $1 /usr/bin/su $2 $3 $4 $5 $6
```


----------

