
I currently have a proxified web host setup for local development, yet I'm trying to make it a proper (documented) setup so I can deploy it on practically any VPS hosting.

Currently everything else but the chrooted user setup is working.

Apache proxies, and SSH bounce is working.

If I disable the chrooting of the dev (for developer) user, LocalForwarding works even for the dev user, and I can successfully access the bounced SSH host and successfully use SFTP on the forwarded setup using the dev user on localhost:5000, which redirects to port 22 on the Development server.

But after I enable chrooting in sshd_config for user dev, I found out I'm missing some files which make it possible to SFTP to this LocalForwarded setup.

channel 5: open failed: connect failed: Device or resource busy

I then tried to mount different areas of the Development container using mount -o bind

sudo mount -o bind /bin /home/remoteusers/bin; 
sudo mount -o bind /dev /home/remoteusers/dev; 
sudo mount -o bind /etc /home/remoteusers/etc; 
sudo mount -o bind /lib64 /home/remoteusers/lib64; 
sudo mount -o bind /opt /home/remoteusers/opt; 
sudo mount -o bind /proc /home/remoteusers/proc; 
sudo mount -o bind /run /home/remoteusers/run; 
sudo mount -o bind /sbin /home/remoteusers/sbin; 
sudo mount -o bind /srv /home/remoteusers/srv; 
sudo mount -o bind /sys /home/remoteusers/sys; 
sudo mount -o bind /tmp /home/remoteusers/tmp; 
sudo mount -o bind /usr /home/remoteusers/usr; 
sudo mount -o bind /var /home/remoteusers/var;

No use so far. I then got to /lib by running the following.

sudo mount -o bind /lib /home/remoteusers/lib

The error message then changed from the previous resource busy, to

channel 5: open failed: connect failed: Temporary failure in name resolution



When mounting both, /lib and /etc using

sudo mount -o bind /etc /home/remoteusers/etc
sudo mount -o bind /lib /home/remoteusers/lib

ssh -v returns

debug1: channel 5: free: direct-tcpip: listening port 5000 for localhost port 22, connect from 127.0.0.1 port 38519 to 127.0.0.1 port 5000, nchannels 6

So it's more fixed by having something in the /etc folder in the chrooted location. Still, my SFTP client says

Error: Received unexpected end-of-file from SFTP server
Error: Could not connect to server



I'm now wondering, as everything else but the chrooted setup works, what am I missing? I now should find out how to make the chroot include the missing piece so I don't have to make the whole filesystem of the Development container vulnerable instead of revealing only the chroot.

Did I miss something?

Hosts map:

MAINHOST (running all the containers) {
     Logins {
          admin
          bounce
     }
     PROXY-CONTAINER ("Proxy") { }
     DEVELOPMENT-CONTAINER ("Development") {
          Logins {
               admin
               dev
          }
     }
}

I can publish the documentation on Google Drive if anyone's interested.

(I'm running the setup in a VirtualBox on the same desktop client).

Elias
  • Check /etc/resolv.conf, it looks to me that he can't resolve any IPs – djdomi Jul 12 '19 at 18:11
  • I don't think it's about name resolving. **I'm not sure though.** How can I test that? Copying resolv.conf didn't help, though I tried mounting and ended up copying contents of /etc into /home/remoteusers/etc/. Now it's not complaining about name resolution, but FileZilla (and sftp) still won't connect to the forwarded port, yet I don't know how could I debug that. How could that be done? – Elias Jul 12 '19 at 19:18
  • I get the impression you are trying to replicate containers here. Why not create a container the easy way and go with that? It's very easy with `docker`. – Tomáš Pospíšek Jul 12 '19 at 19:59
  • Found it out after trying sftp console client to connect, and it returned `Exit status 127`. I then found a reference online. Answering soon after I tidy up the process... I still don't know which files in /etc/ need to be included in chroot. – Elias Jul 12 '19 at 20:03
  • @TomášPospíšek I'm not replicating containers. I'm using LXD containers on Ubuntu, in which I'm setting up SSH connectivity for a user without root access. – Elias Jul 12 '19 at 20:13
  • Sure, but you are bind mounting nearly your entire filesystem into the LXC container. Certainly that will use less space, but you are paying with a lot of hassle for it. – Tomáš Pospíšek Jul 12 '19 at 20:17
  • I was just checking for missing file locations. No harm done as no one was able to access the mount points. Is there a better way to check for missing dependencies? Please do tell. – Elias Jul 12 '19 at 20:19
  • What do you mean exactly by "dependencies"? Dependencies in the sense "some process is looking for something but not finding it"? That's hard to find out unless you know who's looking for what exactly already... :-/ – Tomáš Pospíšek Jul 12 '19 at 20:25

1 Answer


There's some bug. Replace Subsystem line in /etc/ssh/sshd_config:

Change

Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp


Give write permissions for agent forwarding and protect tmp from user access
sudo rm -v /home/remoteusers/tmp/*
sudo chown sshd:root /home/remoteusers/tmp
sudo chmod 1700 /home/remoteusers/tmp

Copy essential files from /etc to the chroot /home/remoteusers/etc

sudo cp -a -v /etc/{bash.bashrc,group,hostname,hosts,passwd} /home/remoteusers/etc/
sudo cp -a -v /run/systemd/resolve/stub-resolv.conf /home/remoteusers/etc/resolv.conf
sudo chmod 1775 /home/remoteusers/etc/resolv.conf


Basically the filesystem tree should look like the following:
/home/chroot {
d 755    bin {
  755        bash
  755        ls
  755        nano
         }
d 755    etc {
  644        bash.bashrc
  644        group
  644        hostname
  644        hosts
  644        passwd
  1775       resolv.conf (owned by systemd-resolve)
         }
d 755    home {
d 755        dev {
                 - Mounted /home/dev
             }
         }
d 755    lib {
  755        libpcre.so.3
  755        libpthread.so.0
  755        libselinux.so.1
d 755        terminfo {
d                ...
             }
d 755        x86_64-linux-gnu {
  755            libc.so.6
  644            libdl.so.2
  644            libncursesw.so.5
  644            libnsl.so.1
  644            libnss_compat.so.2
  644            libnss_files.so.2
  644            libnss_nis.so.2
  644            libtinfo.so.5
             }
         }
d 755    lib64 {
  755        ld-linux-x86-64.so.2
         }
d 1700   tmp { } (owned by sshd:root)
d 755    usr {
d 755        bin {
  755            groups
  755            id
  755            locale-check
  755            whoami
             }
         }
}


Finally, restart sshd.
sudo service ssh restart
Elias
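An added example (my own script, not code from the question or the answer above) for the two practical gaps left in the thread: finding which shared libraries a binary needs inside the chroot (the "missing dependencies" question in the comments), and checking the ownership rule sshd enforces on ChrootDirectory before restarting it. Background the thread shows but does not spell out: with ChrootDirectory the session process chroots before it runs the subsystem and before it connects port forwards, so `Subsystem sftp /usr/lib/openssh/sftp-server` is looked up inside the chroot (hence `Exit status 127`, the shell's "command not found", and why the in-process `internal-sftp` fixes it), and the `localhost` of a forwarded connection is resolved inside the chroot too, which is why /etc/hosts and libnss_files appear in the tree. The chroot path /home/remoteusers, the binary /bin/bash and GNU `stat -c` (Linux, as in the question's Ubuntu/LXD setup) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
#   1. ldd_paths / chroot_add_binary: copy a binary plus the shared libraries
#      it links into a chroot, keeping the paths the dynamic loader expects.
#   2. chroot_component_ok / check_chroot_chain: apply the rule sshd uses for
#      ChrootDirectory (every path component root-owned, not group/other
#      writable) before you restart sshd and lock yourself out.
# /home/remoteusers and /bin/bash below are assumptions taken from the question;
# nothing here touches the system unless chroot_add_binary is called explicitly.

# Turn `ldd` output into the absolute library paths it references.
# Input lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
# or "/lib64/ld-linux-x86-64.so.2 (0x...)". "linux-vdso.so.1" has no file on
# disk and is skipped; a "=> not found" entry prints nothing, so fix those first.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy BIN and every library it links under CHROOT, preserving the directory
# layout (/lib/x86_64-linux-gnu/..., /lib64/ld-linux-...). cp -p keeps mode
# and, when run as root, ownership. Needs ldd on the host. Libraries loaded at
# run time via dlopen (for example libnss_files for /etc/passwd and /etc/hosts
# lookups) do not show up in ldd output and must be copied by hand.
chroot_add_binary() {
    chroot=$1; bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_paths); do
        mkdir -p "$chroot$(dirname "$f")" || return 1
        cp -p "$f" "$chroot$f" || return 1
    done
}

# sshd logs "bad ownership or modes for chroot directory component" and refuses
# the login unless the directory and every parent is owned by uid 0 and not
# writable by group or other. This checks one (uid, mode) pair as printed by
# `stat -c '%u %a'`; a leading setuid/sticky digit (the 1 in 1777) is dropped
# because only the rwx bits matter for this rule.
chroot_component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    perms=${mode#"${mode%???}"}        # keep the last three octal digits
    grp=${perms#?}; grp=${grp%?}       # group digit
    oth=${perms#??}                    # other digit
    [ $((grp & 2)) -eq 0 ] || return 1 # group write bit set
    [ $((oth & 2)) -eq 0 ] || return 1 # other write bit set
    return 0
}

# Walk from DIR up to / and print the first component that breaks the rule.
# Returns 0 only when the whole chain is acceptable to sshd.
check_chroot_chain() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad component: $dir (uid $1, mode $2)"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Example use on the real host (root required for a usable chroot):
#   chroot_add_binary /home/remoteusers /bin/bash
#   check_chroot_chain /home/remoteusers && sudo service ssh restart
```

Run `check_chroot_chain` on the ChrootDirectory before every sshd restart: a chroot placed under a group-writable home (common with Ubuntu's default 2775 user directories) fails this rule and sshd then drops the login with no hint on the client side beyond a closed connection.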