Not long ago we rebuilt a number of servers within our production environment at work, migrating from FreeBSD to CentOS. One of the requirements in this migration was that we needed a server that would act as an SSH-only Jail on the new platform. This meant I needed to setup a system where users could SSH into a machine but the only thing they could do on that machine was SSH back out again. We used this as our “bounce” machine. Users would have outside access to their Desktops or other machines only by way of this secured SSH-only machine. The solution I found was a tool called “JailKit“, which allows you to create chroot jails is a very simple way. Below I’ll outline the requirements for installing JailKit and using it to create an SSH chrooted “Jail”. Step 1: Install JailKit I was unable to find an up to date package for JailKit on CentOS, so I did the following to install from source: Read more
I spent some time this afternoon trying to setup named (BIND 9.5) within a FreeBSD jail for internal use. I ran into an issue where it was unable to mount devfs and failed on me. After a little bit of digging I found a solution. This is the error that was reported (see link): /etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev<br /> devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted<br /> devfs rule: ioctl DEVFSIO_RAPPLY: Operation not permitted In a nutshell, add the following line to the jail /etc/rc.conf and you should be OK. named_chrootdir="" Yes, this means that you’re not running named within a chroot like it would by default but remember its in a jail anyway–a really fancy, hardened chroot.