I've recently had this script pointed out to me by Bertl: http://vserver.13thfloor.at/Stuff/SCRIPT/trampoline.sh
I also found this IRC log which details the creation of it, and how to use it:
http://www.sculpturedlife.com/vserver/irc-logs/index.php?date=2004-07-08

The basic idea is that you put this script in /root, then you add to
.ssh/authorized_keys something like the following:

    command="/root/trampoline.sh",environment="CTX=$NAME" ssh-dss AAAAB3NzaC1kc3MAAACBAN1V+DSc1RC...

Substitute $NAME for the context that the user should be bounced into, and
change the ssh-dss AAAAAB3... into the actual ssh id_dsa.pub or id_rsa.pub for
the user.

This works great for the root user; however, if you try to do this for a
non-root user you run into problems:

    ARGS:
    CONTEXT: flat
    ----------------------
    /bin/rm: cannot remove `/usr/local/var/run/vservers/flat': Permission denied
    'vserver ... suexec' is support for running vservers only; aborting...

The vserver is running for sure, so I changed the /root/trampoline.sh script
to add a --debug to see what is going on. The relevant portion is below:

    +++ _ivr_procnum=0
    ++ test 0 = 0
    +++ /usr/local/lib/util-vserver/readlink /usr/local/etc/vservers/flat/run
    ++ local runfile=/usr/local/var/run/vservers/flat
    ++ test -z 1
    ++ /bin/rm -f /usr/local/var/run/vservers/flat
    /bin/rm: cannot remove `/usr/local/var/run/vservers/flat': Permission denied
    ++ return 1
    ++ return 1
    ++ is_stopped=1
    ++ test -z 1 -o ''
    ++ echo ''\''vserver ... suexec'\'' is support for running vservers only; aborting...'
    'vserver ... suexec' is support for running vservers only; aborting...
    ++ exit 1

Apparently "vserver $CTX exec /bin/bash" is trying to remove
/usr/local/var/run/vservers/flat, which cannot happen because that is owned by
root, not by the user that I am running as, so it fails to allow me to enter.

Is there a way around this, or perhaps a better way to do this? Should I suid
the trampoline.sh script (yikes!)?

Some additional questions:

1. What about users who do not have a ssh-key, but have a password instead?
2. Will this work for sftp?
3. Can a user be bounced as that particular user into the vserver?
4. Can I create a vserver whose purpose is to do this bouncing? If I created a
   vserver called "sshtrampoline", this vserver would somehow need to run the
   vserver command, but wouldn't be able to because it was in its own context
   already.

Micah

_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
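A check worth putting in front of the `vserver "$CTX" exec` step, written here as an added example and not part of Bertl's trampoline.sh: validate the context name that arrives through the authorized_keys `environment="CTX=..."` option before the forced command uses it, since OpenSSH only passes that option when sshd_config has `PermitUserEnvironment yes`, and the forced command otherwise receives the value as-is. The configuration directory path is an assumption taken from the paths in the post and can be overridden for testing.

```sh
#!/bin/sh
# Added example (not the trampoline.sh from the post): validate the context
# name delivered by the authorized_keys environment="CTX=..." option before a
# forced command hands it to "vserver $CTX exec". Fails closed on anything
# that is not a plain, configured context name.

# Assumed util-vserver configuration root (the post's system uses
# /usr/local/etc/vservers); overridable so the checks can run anywhere.
VSERVER_CONF_DIR="${VSERVER_CONF_DIR:-/usr/local/etc/vservers}"

# ctx_name_ok NAME
# Accept only plain names: no empty string, no leading dash (would look like
# a vserver option), no leading dot (covers ".."), and no "/", whitespace or
# shell metacharacters anywhere. Returns 0 when acceptable, 1 otherwise.
ctx_name_ok() {
    case "$1" in
        '' | -* | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# ctx_configured NAME
# The name must also correspond to an existing configuration directory, so a
# typo in authorized_keys or an unexpected value never reaches vserver.
ctx_configured() {
    ctx_name_ok "$1" && [ -d "$VSERVER_CONF_DIR/$1" ]
}

# trampoline_target
# Print the validated context taken from $CTX, or refuse (exit status 1)
# with a message on stderr. A forced command would then continue with
#   ctx=$(trampoline_target) || exit 1
#   exec vserver "$ctx" exec /bin/bash
# That exec is left out here so the file can be sourced for testing.
trampoline_target() {
    ctx="${CTX:-}"
    if ctx_configured "$ctx"; then
        printf '%s\n' "$ctx"
        return 0
    fi
    printf 'trampoline: refusing context "%s"\n' "$ctx" >&2
    return 1
}
```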
