💾 Archived View for 1436.ninja › Phlog › 20180930.post captured on 2020-09-24 at 01:23:51.

-=-=-=-=-=-=-

# Adventures in chroot!
### 20180930

So, it is likely an obvious thing for some of you, but you can set up
a chroot so you can ssh into it. Since I made the gosher chroot live,
I have been kludging scripts together and copying Phlog updates to
the chroot directory from outside. Now there is one script that git
pushes and then ssh's into the chroot, git pulls and builds the atom
feed. I am very happy with this! I also resumed scp'ing to sdf, but
now all links point to 1436.ninja...

To pull this off I made a user on RPoD with the same name as my chroot
user: gopher. User gopher on "real" RPoD is UID 1002, so I chrooted in and ran

> sudo usermod -u 1002 gopher

followed by

> cd /var/gopher; sudo chown -R gopher:gopher *

So now the gopher root is owned by gopher who is now UID 1002.
I squared away the ~/.ssh key for user gopher on "real" RPoD, because
this is the user we are going to ssh in as.

The magic is in /etc/ssh/sshd_config on RPoD (not in the chroot):

Match User gopher
    ChrootDirectory /gopher
    AllowTCPForwarding no
    X11Forwarding no

/gopher is the chroot root. So now ssh gopher@rpod takes me into the
chroot from inside my network (no port forwarding to RPoD for ssh). The
chroot on RPoD is a full Debian debootstrap, with its own software
installations and full directory structure (some of it bind-mounted).
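Two things bite people with this setup: sshd refuses the login unless the ChrootDirectory and every parent directory up to / are root-owned and not group/world-writable, and the UID trick above only works if the host passwd and the chroot's passwd really agree. The script below is an added example (my own, not from the post) that checks both before you rely on the Match block; it assumes GNU coreutils stat and that you pass it the host passwd and the chroot's passwd file.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight checks for an sshd
# "Match User ... ChrootDirectory" setup. Assumes GNU coreutils stat.

# sshd only honours ChrootDirectory if the directory and every parent up
# to / are root-owned and not writable by group or others; otherwise the
# login fails with "bad ownership or modes for chroot directory component".
# Check one component. $2 is the expected owner uid (root, 0, for sshd).
check_component() {
    d=$1; want_uid=${2:-0}; ok=0
    owner=$(stat -c '%u' "$d") || return 2
    mode=$(stat -c '%a' "$d") || return 2
    [ ${#mode} -eq 3 ] && mode=0$mode        # pad to setuid/setgid/sticky form
    grp=$(printf '%s' "$mode" | cut -c3)
    oth=$(printf '%s' "$mode" | cut -c4)
    [ "$owner" = "$want_uid" ] || { echo "$d: owned by uid $owner, want $want_uid"; ok=1; }
    case $grp$oth in                         # a 2 bit in either digit = writable
        *[2367]*) echo "$d: group/other writable (mode $mode)"; ok=1 ;;
    esac
    return $ok
}

# Walk from the chroot root up to /, the way sshd does.
check_chroot_path() {
    p=$1; want=${2:-0}; rc=0
    while :; do
        check_component "$p" "$want" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# The post moves the chroot's gopher user to uid 1002 to match the host.
# Confirm the two passwd files agree, since sshd resolves the user on the
# host while files inside the chroot are owned by the chroot's own uid.
passwd_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}
uid_consistent() {
    h=$(passwd_uid "$1" "$3"); c=$(passwd_uid "$2" "$3")
    [ -n "$h" ] && [ -n "$c" ] && [ "$h" = "$c" ]
}

# Usage: sh chroot-check.sh /gopher /etc/passwd /gopher/etc/passwd gopher
if [ $# -eq 4 ]; then
    check_chroot_path "$1" && uid_consistent "$2" "$3" "$4" && echo "chroot looks sane"
fi
```

Run it as root on the host (not inside the chroot) so the ownership check sees the real uids.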

This all seems very clean to me, at least very much cleaner than 
before. Everything is isolated and only 80/443/70/7070 make it to the 
outside net. I plan on removing the httpd from "real" RPoD next and 
moving it into the chroot as well. Maybe I'll use a bash-based httpd
as well. Just to host something simple and static... my current www
site just says "use gopher" so it doesn't get much simpler than that.