Drop user into lxc container

Hello,

I’ve been looking for a while for a way to lock SSH (Unix user) users directly into a container.

This user is called ssh user1@lxc.host and is then passed to the container user1.

I spent a while searching the forum for possibilities, but didn’t find anything.

The idea came to me because something similar works with jails in FreeBSD, in this case the pam module is used.

Maybe you have an idea! I am happy about any suggestion. :slight_smile:

Hi!

There are many ways to do this and you may get spoiled for choice.
One way is to create a container that has no network connectivity. At all.
First, create a copy of the default profile and edit it to remove the networking. Subsequently, launch a container with that profile.

lxc profile copy default nonetwork
lxc profile edit nonetwork
lxc launch ubuntu:18.04 mycontainer --profile nonetwork

Then, you get the users to connect with SSH to the container through a LXD proxy device.
For example,

lxc config device add mycontainer myssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22

Hello

For an unprivileged container, users are entirely container specific, at least on LXD, so when a user is created in a container, it does not exist on the host (it’s possible to create a host user with the same username and password of course, but it’s a separate user nonetheless). I think it’s the same on plain LXC.

Hey thanks for the quick answers! I will have a look at both and then get back to you!

What does it look like with multiple containers. Can your idea be applied to more than one container?

It can be applied to as many containers as you wish.
Consider though that you need to specify a different port (like 2222) for each container.

It is not clear what you want to achieve at the end (is it for educational purposes?).

You can also create a nested container (lxc launch ubuntu:18.04 mycontainer -c security.nesting=true), which will allow you to create nested containers inside mycontainer.
Then, run sudo lxd init inside mycontainer to create many more containers.
To provide access into those nested containers, see also
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

You’re right, I’m trying to make this a little clearer. I’m building a dev stack for a university project.

In the end, we want to be able to spawn X containers, on which a web server can run, the http traffic is then forwarded to a central Nginx, which is connected with a public IP address.

But so that we can access the individual containers, we would like to be able to access the individual containers without opening additional public IP addresses or additional ports.

To do this, we have tried several ways, such as routing SSH traffic over the Nginx, but the SSH protocol does not provide SNI, so matching was not possible.

Then we tested an SSH multiplexer, but it didn’t work the way it was supposed to.

I hope something is clearer now what we want to do. :slight_smile:

Do you have requirements on the authentication? I can see a childishly easy way to do that using password authentication, but it may be an impossibility for you.

Not sure if the SSH access is a hard requirement, or rather you just need the users to have access to a Unix shell.

In any case, have a look at https://linuxcontainers.org/lxd/try-it/
If it suits you, here’s the source, https://github.com/lxc/lxd-demo-server

Yes the SSH access is a hard requirement.

In any case, have a look at https://linuxcontainers.org/lxd/try-it/
If it suits you, here’s the source, https://github.com/lxc/lxd-demo-server

You think I should look at the code and rebuild it?

It would be really good if both password auth and key auth would work.

ATM I can’t see a really easy way to do it with key auth.

But here is the childishly easy way with password auth.

Create a special container in LXD, let’s call it grasshopper. Grasshopper will be the entry point.
Port 22 on the host will be redirected to port 22 on grasshopper. Grasshopper will be set up with SSH with only one user, let’s call it grasshopper, and access will be granted with a key for easy automation (the key will be the same for all students).

When logged in, the user grasshopper will have a special login with a script only running ssh and disconnecting after the session is finished. When running this secondary ssh session, the students will be inside the lxd network and as such will be able to connect to any container by its name. So if student John Doe has access to the container named ‘student4235’, he will be able to ssh as ‘user@student4235’.
Routing and firewalling of the lxd network can easily be set up on the host to block any access to the host from the internal lxd network (except DNS; the containers need access to the dnsmasq instance that is providing them their address).

That’s all. All that would be necessary for each student:

  • set up the initial password on the container
  • give the password and the container name to the student
  • provide some way to set up the hop connection to the lxd host port 22 using user ‘grasshopper’ with the key provided on some internal web server.
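One way to implement the “script only running ssh” for the grasshopper user, as an added example that is not part of the thread: sshd on grasshopper is assumed to run it as a ForceCommand for that user, the student passes the target as a command (ssh -t grasshopper@lxc.host user1@student4235, which arrives in SSH_ORIGINAL_COMMAND), and container names are assumed to follow the constructed pattern studentNNNN.

```bash
#!/bin/bash
# Added example (not from the thread): restricted login for the hop user.
# Assumed sshd_config on grasshopper (not from the thread):
#   Match User grasshopper
#       ForceCommand /usr/local/bin/grasshopper-shell
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
set -eu

# Accept only a plain "user@studentNNNN" target: no spaces, no leading '-',
# no shell metacharacters, so nothing typed can become an ssh option.
valid_target() {
    local target=$1 user host
    case "$target" in
        *[!A-Za-z0-9@._-]*|''|-*|@*|*@|*@*@*) return 1 ;;
    esac
    user=${target%@*}
    host=${target#*@}
    [ "$user" != "$target" ] || return 1      # no '@' at all
    case "$host" in                           # constructed name pattern
        student[0-9][0-9][0-9][0-9]) return 0 ;;
    esac
    return 1
}

# Print the ssh command the hop execs: forwarding is off, the host key
# must already be in an admin-maintained known_hosts for the fleet, and
# only password auth is offered (the thread's "childishly easy" variant).
hop_cmd() {
    local target=$1
    valid_target "$target" || return 1
    echo "ssh -o ForwardAgent=no -o ClearAllForwardings=yes" \
         "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/ssh_known_hosts_lxd" \
         "-o PreferredAuthentications=password $target"
}

main() {
    local target=${SSH_ORIGINAL_COMMAND:-}
    if ! valid_target "$target"; then
        echo "usage: ssh -t grasshopper@lxc.host user@studentNNNN" >&2
        exit 1
    fi
    set -- $(hop_cmd "$target")   # safe to split: target was validated
    exec "$@"                     # hop session ends when this ssh exits
}

# Only act as the login script when installed under this name.
case "${0##*/}" in
    grasshopper-shell) main ;;
esac
```

Install it as /usr/local/bin/grasshopper-shell; because it execs ssh, the grasshopper session disconnects as soon as the inner session ends, as the post describes.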