Bootstrap OpenBSD with Jail Partition
Bootstrapping VM
This is similar to the previous Post, but with a small difference.
Here, we add an other Partition /jail with 2GB Size. On this Partition, we remove the nodev & nosuid Flag, so we can use this Partition as Root for some Jailed Users. And last but not least, we fireup a new VM, configure a Jailed User and make it Public Available …
VM with 20G Disk
*** Bootstrap OpenBSD 6.8 ***
2CPU, 2GB, 20GB Disk
install: i
keyboard: sg
hostname: template-20g
nic: vio0
ipv4: dhcp
ipv6: none
domain: noflow.ch
passwd: xxxxxx
ssh: yes
xwin: no
com0: no
user: no
ssh root: yes
timez: Europe/Zurich
disk: sd0
mbr: w
layout: c
a a 2G /
a b 1G swap
a d 1G /tmp
a e 2G /home
a f 2G /jail
a g 4G /usr
a h * /var
w
x
set: cd0
path: 6.8/amd64
-x*
xb*
done
SHA256: yes
installing ...
remove iso, reboot and login via ssh
mkdir /root/.ssh && chmod 600 /root/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv1QwiWujY3x8F6TUe5iDy6syr8avQUw1rtinpiD0zb key1" >> /root/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBF8pdGKSMMtCdLzBvMKGTJnIZ1VYwG4ZysYFxLJSXY key2" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
syspatch
# df -h |sort |grep -v File
/dev/sd0a 1.9G 64.7M 1.8G 3% /
/dev/sd0d 987M 1018K 936M 0% /tmp
/dev/sd0e 1.9G 2.0K 1.8G 0% /home
/dev/sd0f 1.9G 2.0K 1.8G 0% /jail
/dev/sd0g 4.8G 1.2G 3.4G 26% /usr
/dev/sd0h 5.8G 6.9M 5.5G 0% /var
# cat /etc/fstab -> remove nodev & nosuid for /jail
897f836661456f4f.b none swap sw
897f836661456f4f.a / ffs rw 1 1
897f836661456f4f.e /home ffs rw,nodev,nosuid 1 2
897f836661456f4f.f /jail ffs rw 1 2
897f836661456f4f.d /tmp ffs rw,nodev,nosuid 1 2
897f836661456f4f.g /usr ffs rw,wxallowed,nodev 1 2
897f836661456f4f.h /var ffs rw,nodev,nosuid 1 2
rm /etc/ssh/ssh_host_*
halt -p
-> snapshot template-20g-jail-xxx
Fireup VM
Now, you have a Template. Build a new Maschine based on this Template. Use the WebGUI, Terraform, HCloud Cli, …
SSH to BOX
ssh -A -l root 116.203.23.30
RootPW
set a famous root password
# passwd root
Hostname
n=Jailbox
echo "$n" > /etc/myname
hostname $n
Syspatch
you should always patch your boxes first !
syspatch && reboot
Basic Packages
add some important packages …
pkg_add bash-- coreutils-- curl-- git-- gsed-- \
gnuwatch-- pstree-- vim--no_x11 wget--
Enable IPv6
hcloud server list -> get your ipv6 prefix
ipv6=2001:db8:aaaa:aaaa::
ipv6=$(echo $ipv6 |sed 's/::.*/::2\/64/')
cat <<EOF>> /etc/hostname.vio0
inet6 ${ipv6}
up
!route add -inet6 default fe80::1%vio0
EOF
sh /etc/netstart
Check IPv4 and IPv6
ftp https://ip.inno.ch/download/i3.tar.gz
tar -C /tmp -xzf i3.tar.gz
mv /tmp/i3/i3 /usr/local/bin/
# i3
IPv4: 116.203.23.30
IPv6: 2a01:4f8:c0c:c820::2
Setup JailStuff
Description may follow later …
Add Jailed User bob
Description may follow later …
Deploy Applcations
Description may follow later …
Test SSH Connection
Test from Remote … and yes, it’s open for the public Internet !
$ ssh -l bob 116.203.23.30
[email protected]'s password: (hint: 123456)
Last login: Wed Mar 31 07:08:28 2021 from x.x.x.x
thanks for your visit. have a nice day.
I’ll keep it open for a while. Have Fun !
Any Comments ?
sha256: c69eaf4af386152a39d83456448b7741c60f084a2307d516d322f30ea731b9be