Posted: Fri Aug 17, 2018 7:12 am Post subject: Users within a ssh shell granting access to X11
So I initially was asking a question that I have since figured out with some further Google searching. Since I found something that works (which was actually a solution that was already viable in the initial questions I posted), I decided to type up the steps to replicate the working situation. This is something that should work to create a chroot that houses Wine and then gain access to it over SSH using X11 forwarding into the chroot.
I) Create a 32-bit chroot in a new partition on the host disk
a. From my amd64 host I downloaded and installed using the x86 stage3 tarball.
b. Installing and updating the stable branch of the 17.0 profile. (This is obviously the time-consuming process to begin with.)
c. Preparing and installing Wine, of course.
d. Lastly, loading the Wine prefixes and making sure things work within the chroot.
e. Following the guide for chroot to set up a switcher, which is here: https://wiki.gentoo.org/wiki/Project:AMD64/32-bit_Chroot_Guide. I made some slight mods to the init script for the chroot switcher, to further some of the mount and unmount actions for the partition, and also added something specifically for Wine compatibility in there, which is the bind mount for /run/udev; this helps with inputs in the chroot.
II) Create SSH connection with X11 Forwarding into the chroot where Wine is installed
a. To be able to run the Wine apps from the server remotely, the basic modification was just to configure SSH with X11Forwarding but also with ChrootDirectory, which is best done on a user/group basis using Match group or Match user.
b. Obviously then, since I decided to keep this on the less fancy end, I just mapped users as described earlier so that both host environments, the root and the chroot, would be more or less identical, and at least from the perspective of an SSH connection they are.
c. Now once logging in with ssh -X email@example.com the SSH match rule immediately dumps that user into the chroot "jail" but not before it can first authoritatively accept X forwarding, and then guess what happens next,
d. In short, what I did was follow advice on the web about how to synchronize the files /etc/passwd and /etc/groups so that the chroot and root filesystem have more or less the same user mappings.
An image displays the results. The system that is tunneling via SSH (probably not correct terminology, OK, connecting via SSH) is Ubuntu Cosmic, but the two shells shown are both connected to the Gentoo desktop, running (on the left one) the / of the amd64 installation, and on the right side of the second monitor is the x86 chroot forwarding Wine over X11:
Still, I would prefer another, more secure route that doesn't open a path for more vectors, i.e. through additional users with login permissions, when it really isn't that useful other than as a proxy to the chroot on the host. But without duplicating users it would be a much more tedious task involving the inner workings of the permissions within the X session. However, now I can ssh into my Wine installation on a separate server...the beauty of this is I did not need to run a 2nd service of the same type from that machine (that is, no dual SSH servers for the different environments).
Here was a snippet from the initial post:
Long story short, I am trying to access a chroot jail as a specific user in the chroot. However, my user (wineuser) that I have created in the chroot is not a user in the root system that houses the chroot. (This was not solved.) So far I have been playing with the Match group setting in the config at the bottom of the sshd_config file, and by adding a temporary user or group with this I have been successful at launching the chroot with X forwarding with some users, e.g. root.
Match group chroots
Recapping: despite being able to access the ChrootDirectory and X11 forwarding, initially I did have to add the same user to both environments or stage3 installs of Gentoo...I would like to find out next what the advantage is of using some packages that make chrooting more flexible, like schroot or some others.
Final Note: Done editing
Last edited by LIsLinuxIsSogood on Fri Aug 17, 2018 8:23 am; edited 1 time in total
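The user-mapping requirement from steps II b and II d, as an added example that is not part of the original post: a Python check that compares passwd data from the host and from the chroot for the accounts a Match rule sends into the chroot. Apart from wineuser, the account names and every passwd line below are constructed sample data, and the function and finding names are hypothetical.

```python
# Added example: compare host and chroot passwd(5) data for SSH accounts
# that a Match rule sends into the chroot.

WHY = {
    "missing-on-host": "sshd looks the user up on the host before it chroots",
    "missing-in-chroot": "programs inside the chroot cannot resolve the uid",
    "id-mismatch": "the session runs with the host uid/gid, not the chroot's",
    "shell-mismatch": "sshd runs the host entry's shell path inside the chroot",
}

def parse_passwd(text):
    """Return {name: (uid, gid, shell)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 7:
            continue  # comment, blank or malformed line
        try:
            users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
        except ValueError:
            continue  # non-numeric uid or gid
    return users

def compare(host_text, chroot_text, accounts):
    """Return (account, finding) pairs; each finding is a key of WHY."""
    host, jail = parse_passwd(host_text), parse_passwd(chroot_text)
    findings = []
    for name in accounts:
        if name not in host:
            findings.append((name, "missing-on-host"))
        elif name not in jail:
            findings.append((name, "missing-in-chroot"))
        else:
            if host[name][:2] != jail[name][:2]:
                findings.append((name, "id-mismatch"))
            if host[name][2] != jail[name][2]:
                findings.append((name, "shell-mismatch"))
    return findings

# Constructed sample data, not taken from the original post.
HOST = ("root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
        "bob:x:1001:1001::/home/bob:/bin/zsh\ncarol:x:1004:1004::/home/carol:/bin/bash\n")
CHROOT = ("root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
          "bob:x:1002:1002::/home/bob:/bin/bash\nwineuser:x:1003:1003::/home/wineuser:/bin/bash\n")

if __name__ == "__main__":
    for name, finding in compare(HOST, CHROOT, ["alice", "bob", "carol", "wineuser"]):
        print(f"{name}: {finding} ({WHY[finding]})")
```

On a real system, pass the contents of the host's /etc/passwd and of the passwd file under the chroot directory instead of the constructed strings.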