On the ROOT console
After creating a fresh jail on FreeNAS 11.3, there are a number of things to do to get the jail where I want it to be. What follows is a simple log of those activities.
The first thing is to update the package lists and to install a number of packages that we need later on anyway.
> pkg update
> pkg install vim git sudo zsh
Next, a new user needs to be created, so we can enable SSH and allow for login. Please don’t forget to put the user into the wheel group.
> adduser
Still as root, run visudo and uncomment the line that allows members of the wheel group to run any command through sudo (the password prompt stays; do not be tempted by NOPASSWD for an interactive account).
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
After removing the leading "# " the line reads:
%wheel ALL=(ALL) ALL
Last thing on the root console is to enable the SSH daemon and start it. sshd on FreeBSD refuses root logins by default, which is why the wheel user was created first.
> echo 'sshd_enable="YES"' >> /etc/rc.conf
> service sshd start
On the USER console
From here on you log into the new jail via ssh (not covered here). The first thing we want to make sure of is that the terminal handles UTF-8 properly, so that copy and paste of non-ASCII text works. For that, the charset, lang and LC_COLLATE entries at the end of the default class in /etc/login.conf are added; the rest of the block is the existing default class, shown for context. Every continuation line ends in ":\" and only the final line ends in a bare ":". If you want LC_COLLATE=C, the safer place is the existing setenv list (setenv=MAIL=/var/mail/$,BLOCKSIZE=K,LC_COLLATE=C), because the capability library returns the first setenv entry it finds in a record and a second one is not reliably honoured.
default:\
:passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=64K:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
:openfiles=unlimited:\
:maxproc=unlimited:\
:sbsize=unlimited:\
:vmemoryuse=unlimited:\
:swapuse=unlimited:\
:pseudoterminals=unlimited:\
:kqueues=unlimited:\
:umtxp=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:\
:charset=UTF-8:\
:lang=en_US.UTF-8:\
:setenv=LC_COLLATE=C:
For these changes (above) to take effect, we have to rebuild the capability database. They apply to new login sessions only, so log out and back in afterwards.
> sudo cap_mkdb /etc/login.conf
Now it’s time to adjust vim so it will not jump into visual mode every time we select file content with the mouse. Kind of a hack: we append a line to the global vim defaults. Note that the path contains the vim version (vim82 here) and the file belongs to the vim package, so a pkg upgrade overwrites it. Also, defaults.vim is only sourced when no ~/.vimrc exists; once you have a ~/.vimrc of your own, the mouse=a default is never applied in the first place.
> sudo sh -c 'echo "set mouse-=a" >> /usr/local/share/vim/vim82/defaults.vim'
Now we install oh my zsh for better efficiency. The installer is fetched from GitHub and piped straight into sh, so it runs whatever the remote serves with your user's privileges; if that worries you, download it first, read it, then run it.
> sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Last but not least, we customize the command prompt by adding the following line at the end of ~/.zshrc (oh my zsh already loads the zsh colors module that defines $fg, so the line works as-is).
PROMPT="%{$fg[white]%}%n@%{$fg[green]%}%m%{$reset_color%} ${PROMPT}"
Import SSL Root CA
Create a new file under /etc/ssl/tinkivity.pem, paste the SSL root certificate into it and change it to read only for everybody.
> sudo vim /etc/ssl/tinkivity.pem
> sudo chmod 444 /etc/ssl/tinkivity.pem
Get the subject hash of the root certificate and link the file under /etc/ssl/certs with a .0 (dot-zero) suffix; this is how OpenSSL's CApath lookup finds it. The hash shown below (97efb5b5) is the one for this particular CA; use whatever your certificate yields, and if a file with that name already exists, use .1 instead of .0 rather than overwriting it. Because every TLS client in the jail will trust whatever this CA signs, compare the certificate's fingerprint with the value published by the CA operator before linking it.
> openssl x509 -hash -noout -in /etc/ssl/tinkivity.pem
97efb5b5
> sudo ln -s /etc/ssl/tinkivity.pem /etc/ssl/certs/97efb5b5.0
OPTIONAL: append the root certificate to /etc/ssl/cert.pem
This should not be necessary, but in dire cases you can append the contents of /etc/ssl/tinkivity.pem to /etc/ssl/cert.pem. Be aware that on FreeBSD this bundle is typically installed by the ca_root_nss package, so anything appended is lost when that package is upgraded; the hash link above survives upgrades.
> cat /etc/ssl/tinkivity.pem | sudo tee -a /etc/ssl/cert.pem > /dev/null
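The manual steps above (single PEM file, chmod 444, subject hash, .0 link) as one repeatable script. This is an added example, not code from the original post: function names and messages are chosen here, only /etc/ssl/certs comes from the post, and install_root_ca needs the openssl binary (the two helpers do not). It adds the checks a practitioner wants: the file must hold exactly one certificate and no private key, a colliding subject hash gets the next free suffix instead of clobbering an existing link, the SHA-256 fingerprint is printed for out-of-band comparison, and the result is verified against the hash directory.

```shell
#!/bin/sh
# Added example, not part of the original post: install a private root CA
# into OpenSSL's hash directory the way the post does by hand, plus the
# checks that make the manual procedure safe to repeat. Only /etc/ssl/certs
# comes from the post; function names and messages are chosen here.
# install_root_ca needs the openssl binary; the two helpers do not.
set -eu

# A trust anchor file must hold exactly one certificate and no private key.
# Returns 0 for a single PEM CERTIFICATE block, 1 otherwise.
is_single_pem_cert() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)" -eq 1 ] &&
    [ "$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)" -eq 1 ] &&
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# OpenSSL's CApath lookup tries <subject_hash>.0, .1, .2 ... until a name is
# missing. Print the first unused name for HASH in DIR, so a second CA whose
# subject hash collides is not hidden behind an existing .0 link.
next_free_hash_link() {
    dir=$1
    hash=$2
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s/%s.%s\n' "$dir" "$hash" "$n"
}

# Install PEM as a trust anchor under CERTDIR (default /etc/ssl/certs) and
# print the hash link that was created. Run as root.
install_root_ca() {
    pem=$1
    certdir=${2:-/etc/ssl/certs}
    # The link target must be absolute or it resolves relative to CERTDIR.
    case $pem in /*) ;; *) pem=$PWD/$pem ;; esac

    is_single_pem_cert "$pem" || {
        echo "refusing $pem: not exactly one certificate" >&2
        return 1
    }
    # Print the SHA-256 fingerprint so it can be compared with the value the
    # CA operator published out of band before every TLS client trusts it.
    openssl x509 -noout -fingerprint -sha256 -in "$pem" >&2

    # -subject_hash is the long name of the -hash option used in the post.
    hash=$(openssl x509 -noout -subject_hash -in "$pem")
    link=$(next_free_hash_link "$certdir" "$hash")
    chmod 444 "$pem"
    ln -s "$pem" "$link"

    # A self-signed root must now verify against the directory it was added to;
    # if this fails, the link or the certificate is wrong.
    openssl verify -CApath "$certdir" "$pem" >/dev/null
    printf '%s\n' "$link"
}
```

Usage in the jail would be `sudo sh -c '. ./install-ca.sh; install_root_ca /etc/ssl/tinkivity.pem'` (file name chosen here); the printed link is what to remove if the CA is ever retired.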
Import SSH Root CA
Copy and paste the CA's public keys into the /etc/ssh folder and make them read-only afterwards. There are 3 host CA keys (ecdsa, ed25519 and rsa), which sign host certificates, and 3 user CA keys, which sign user certificates.
> sudo vim /etc/ssh/ssh_tinkivity_host_ecdsa_key.pub
> sudo vim /etc/ssh/ssh_tinkivity_host_ed25519_key.pub
> sudo vim /etc/ssh/ssh_tinkivity_host_rsa_key.pub
> sudo vim /etc/ssh/ssh_tinkivity_user_ecdsa_key.pub
> sudo vim /etc/ssh/ssh_tinkivity_user_ed25519_key.pub
> sudo vim /etc/ssh/ssh_tinkivity_user_rsa_key.pub
> sudo chmod 444 /etc/ssh/ssh_tinkivity_*
Add the public host CA keys to your known_hosts file as certificate authorities. The pattern *.tinkivity.home only applies when you connect by a name that matches it; connecting to a bare hostname or an IP address falls back to ordinary per-host key checking.
> echo -n '@cert-authority *.tinkivity.home ' | cat - /etc/ssh/ssh_tinkivity_host_ecdsa_key.pub | tee -a ~/.ssh/known_hosts > /dev/null
> echo -n '@cert-authority *.tinkivity.home ' | cat - /etc/ssh/ssh_tinkivity_host_ed25519_key.pub | tee -a ~/.ssh/known_hosts > /dev/null
> echo -n '@cert-authority *.tinkivity.home ' | cat - /etc/ssh/ssh_tinkivity_host_rsa_key.pub | tee -a ~/.ssh/known_hosts > /dev/null
Include the public user CA keys in /etc/ssh/sshd_config as trusted user CA keys. sshd honours only the first TrustedUserCAKeys directive it reads, so three separate directives would leave two of the CA keys untrusted. Instead, concatenate the three keys into a single file (the name ssh_tinkivity_user_ca_keys.pub is my choice) and reference that file once.
> cat /etc/ssh/ssh_tinkivity_user_ecdsa_key.pub /etc/ssh/ssh_tinkivity_user_ed25519_key.pub /etc/ssh/ssh_tinkivity_user_rsa_key.pub | sudo tee /etc/ssh/ssh_tinkivity_user_ca_keys.pub > /dev/null
> sudo chmod 444 /etc/ssh/ssh_tinkivity_user_ca_keys.pub
> echo 'TrustedUserCAKeys /etc/ssh/ssh_tinkivity_user_ca_keys.pub' | sudo tee -a /etc/ssh/sshd_config > /dev/null
Finally, restart the SSH daemon to apply the updated configuration.
> sudo service sshd restart
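The known_hosts and sshd_config steps above as one idempotent script, covering both the @cert-authority lines and the TrustedUserCAKeys directive. This is an added example and not code from the original post: the key file names and the *.tinkivity.home pattern come from the post, while the function names, the combined user CA file name (ssh_tinkivity_user_ca_keys.pub) and the path parameters are chosen here so the logic can be exercised against temporary copies before it touches /etc/ssh. It also counts TrustedUserCAKeys directives, since a second one is silently ignored by sshd.

```shell
#!/bin/sh
# Added example, not part of the original post: build the SSH CA trust
# configuration from the CA public key files the post copies into /etc/ssh.
# File names and the host pattern come from the post; function names, the
# combined user CA file name and the path parameters are chosen here so the
# logic can be exercised against temporary copies before touching /etc/ssh.
set -eu

# Print one known_hosts line marking PUBFILE as a host certificate authority
# for hosts matching PATTERN. Only "type blob" is kept: the key comment is
# dropped so the line is stable across re-runs and easy to grep for.
ca_known_hosts_line() {
    pattern=$1
    pubfile=$2
    # A .pub without a trailing newline makes read return 1 after assigning.
    read -r ktype kblob rest < "$pubfile" || [ -n "$ktype" ]
    printf '@cert-authority %s %s %s\n' "$pattern" "$ktype" "$kblob"
}

# Append LINE to FILE only if an identical line is not already there, so
# re-running the setup never grows known_hosts or sshd_config.
append_unique() {
    line=$1
    file=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# sshd honours only the FIRST TrustedUserCAKeys directive; later ones are
# silently ignored. Put every user CA public key into ONE file instead and
# reference that file once.
build_trusted_ca_file() {
    out=$1
    shift
    rm -f "$out"
    : > "$out"
    for pub in "$@"; do
        [ -f "$pub" ] || continue
        read -r ktype kblob rest < "$pub" || [ -n "$ktype" ]
        printf '%s %s\n' "$ktype" "$kblob" >> "$out"
    done
    chmod 444 "$out"
}

# Count active (uncommented) occurrences of directive NAME in sshd config
# FILE; sshd keywords are case-insensitive. More than one TrustedUserCAKeys
# line is exactly the misconfiguration this script avoids.
count_directive() {
    grep -ciE "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# Wire it together for the files in CA_DIR. In production CA_DIR is /etc/ssh,
# KNOWN_HOSTS is ~/.ssh/known_hosts and SSHD_CONFIG is /etc/ssh/sshd_config.
configure_ssh_ca_trust() {
    ca_dir=$1
    pattern=$2
    known_hosts=$3
    sshd_config=$4
    user_ca_file="$ca_dir/ssh_tinkivity_user_ca_keys.pub"  # name chosen here

    for pub in "$ca_dir"/ssh_tinkivity_host_*_key.pub; do
        [ -f "$pub" ] || continue
        append_unique "$(ca_known_hosts_line "$pattern" "$pub")" "$known_hosts"
    done

    # The glob ends in _key.pub, so the combined _ca_keys.pub file is not
    # picked up again on a second run.
    build_trusted_ca_file "$user_ca_file" "$ca_dir"/ssh_tinkivity_user_*_key.pub
    append_unique "TrustedUserCAKeys $user_ca_file" "$sshd_config"

    [ "$(count_directive TrustedUserCAKeys "$sshd_config")" -eq 1 ] ||
        echo "warning: more than one TrustedUserCAKeys in $sshd_config; only the first is used" >&2
}
```

For the real jail the call is `configure_ssh_ca_trust /etc/ssh '*.tinkivity.home' ~/.ssh/known_hosts /etc/ssh/sshd_config` (the sshd_config and chmod parts need root), followed by `sshd -t` and a restart of sshd as in the post.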
Obtain Certificates (host and user)
Submit public keys
The following commands generate 3 key pairs (ecdsa, ed25519 and rsa respectively) without a passphrase. Keep in mind that an unencrypted private key is usable by anyone who can read the file, so leave ~/.ssh at its default 0700 (ssh-keygen creates the key files 0600) and add a passphrase if these are interactive rather than automation keys. The public keys are submitted to the SSH CA in order to obtain signed certificates.
> ssh-keygen -t ecdsa -N "" -f ~/.ssh/id_ecdsa
> ssh-keygen -t ed25519 -N "" -f ~/.ssh/id_ed25519
> ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
Now submit all 6 public keys to the CA (3 public host keys, which sshd created when it first started, and 3 public user keys). At this point no certificate trust is in place for the CA host yet, so verify its host key fingerprint out of band before accepting it on this first connection.
> scp /etc/ssh/ssh_host_ecdsa_key.pub user@rootca:/SSH-PKI/incoming
> scp /etc/ssh/ssh_host_ed25519_key.pub user@rootca:/SSH-PKI/incoming
> scp /etc/ssh/ssh_host_rsa_key.pub user@rootca:/SSH-PKI/incoming
> scp ~/.ssh/id_ecdsa.pub user@rootca:/SSH-PKI/incoming
> scp ~/.ssh/id_ed25519.pub user@rootca:/SSH-PKI/incoming
> scp ~/.ssh/id_rsa.pub user@rootca:/SSH-PKI/incoming
Import Certificates (host and user)
Host certificates go into the /etc/ssh directory and are referenced from /etc/ssh/sshd_config with HostCertificate directives; unlike TrustedUserCAKeys, HostCertificate may be given once per certificate. The file name is free, but each certificate must have been issued for the matching private key that sshd loads via HostKey (by default /etc/ssh/ssh_host_*_key), otherwise sshd logs an error and skips it. ssh-keygen -L -f <cert file> prints a certificate's principals and validity period, which is worth checking before you restart sshd.
> echo 'HostCertificate /etc/ssh/ssh_tinkivity_host_ecdsa_key-cert.pub' | sudo tee -a /etc/ssh/sshd_config > /dev/null
> echo 'HostCertificate /etc/ssh/ssh_tinkivity_host_ed25519_key-cert.pub' | sudo tee -a /etc/ssh/sshd_config > /dev/null
> echo 'HostCertificate /etc/ssh/ssh_tinkivity_host_rsa_key-cert.pub' | sudo tee -a /etc/ssh/sshd_config > /dev/null
Check the configuration with sshd -t (it reports a bad directive or an unreadable certificate without touching the running daemon), then restart the SSH daemon.
> sudo service sshd restart
User certificates go into the ~/.ssh directory of your local user, next to the matching private key; ssh offers id_<type>-cert.pub automatically whenever it uses id_<type>, so no client configuration is needed.
> vim ~/.ssh/id_ecdsa-cert.pub
> vim ~/.ssh/id_ed25519-cert.pub
> vim ~/.ssh/id_rsa-cert.pub
