Bootstrap OpenBSD with Jail Partition

Page content

Bootstrapping VM

This is similar to the previous Post, but with a small difference.

Here, we add an other Partition /jail with 2GB Size. On this Partition, we remove the nodev & nosuid Flag, so we can use this Partition as Root for some Jailed Users. And last but not least, we fireup a new VM, configure a Jailed User and make it Public Available …

VM with 20G Disk

*** Bootstrap OpenBSD 6.8 ***

2CPU, 2GB, 20GB Disk

install:  i
keyboard: sg
hostname: template-20g
nic:      vio0
ipv4:     dhcp
ipv6:     none
domain:   noflow.ch
passwd:   xxxxxx
ssh:      yes
xwin:     no
com0:     no
user:     no
ssh root: yes
timez:    Europe/Zurich

disk:     sd0
mbr:      w
layout:   c

a a 2G  /
a b 1G  swap
a d 1G  /tmp
a e 2G  /home
a f 2G  /jail
a g 4G  /usr
a h *   /var
w
x

set:  cd0
path: 6.8/amd64

-x*
xb*
done
SHA256: yes

installing ...

remove iso, reboot and login via ssh

mkdir /root/.ssh && chmod 600 /root/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv1QwiWujY3x8F6TUe5iDy6syr8avQUw1rtinpiD0zb key1" >> /root/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBF8pdGKSMMtCdLzBvMKGTJnIZ1VYwG4ZysYFxLJSXY key2" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

syspatch

# df -h |sort |grep -v File
/dev/sd0a      1.9G   64.7M    1.8G     3%    /
/dev/sd0d      987M   1018K    936M     0%    /tmp
/dev/sd0e      1.9G    2.0K    1.8G     0%    /home
/dev/sd0f      1.9G    2.0K    1.8G     0%    /jail
/dev/sd0g      4.8G    1.2G    3.4G    26%    /usr
/dev/sd0h      5.8G    6.9M    5.5G     0%    /var

# cat /etc/fstab  -> remove nodev & nosuid for /jail
897f836661456f4f.b none swap sw
897f836661456f4f.a / ffs rw 1 1
897f836661456f4f.e /home ffs rw,nodev,nosuid 1 2
897f836661456f4f.f /jail ffs rw 1 2
897f836661456f4f.d /tmp ffs rw,nodev,nosuid 1 2
897f836661456f4f.g /usr ffs rw,wxallowed,nodev 1 2
897f836661456f4f.h /var ffs rw,nodev,nosuid 1 2


rm /etc/ssh/ssh_host_*
halt -p
-> snapshot template-20g-jail-xxx

Fireup VM

Now, you have a Template. Build a new Maschine based on this Template. Use the WebGUI, Terraform, HCloud Cli, …

SSH to BOX

ssh -A -l root 116.203.23.30

RootPW

set a famous root password

# passwd root

Hostname

n=Jailbox
echo "$n" > /etc/myname
hostname $n

Syspatch

you should always patch your boxes first !

syspatch && reboot

Basic Packages

add some important packages …

pkg_add bash-- coreutils-- curl-- git-- gsed-- \
        gnuwatch-- pstree-- vim--no_x11 wget--

Enable IPv6

hcloud server list -> get your ipv6 prefix

ipv6=2001:db8:aaaa:aaaa::

ipv6=$(echo $ipv6 |sed 's/::.*/::2\/64/')
cat <<EOF>> /etc/hostname.vio0
inet6 ${ipv6}
up
!route add -inet6 default fe80::1%vio0
EOF

sh /etc/netstart

Check IPv4 and IPv6

ftp https://ip.inno.ch/download/i3.tar.gz
tar -C /tmp -xzf i3.tar.gz
mv /tmp/i3/i3 /usr/local/bin/

# i3
IPv4: 116.203.23.30
IPv6: 2a01:4f8:c0c:c820::2

Setup JailStuff

Description may follow later …

Add Jailed User bob

Description may follow later …

Deploy Applcations

Description may follow later …

Test SSH Connection

Test from Remote … and yes, it’s open for the public Internet !

$ ssh -l bob 116.203.23.30
bob@116.203.23.30's password: (hint: 123456)
Last login: Wed Mar 31 07:08:28 2021 from x.x.x.x
thanks for your visit. have a nice day.

I’ll keep it open for a while. Have Fun !


Any Comments ?

sha256: c69eaf4af386152a39d83456448b7741c60f084a2307d516d322f30ea731b9be