You can forward the SSH Agent into a chroot but you have to jump through a few hoops, the first of which is making the socket accessible in the chroot and the second is telling users within chroot about it.
To make the socket available, the OP's suggestion to use socat
works as long as permissions are set properly. Assuming that you're using a script to launch the chroot, the following snippet uses socat
to provide the agent socket in the chroot:
# Set up a SSH AGENT forward socket
if [ -n "$SSH_AUTH_SOCK" ]
then
_dir="$mnt$(dirname $SSH_AUTH_SOCK)"
_owner=$(awk -F':' '{if ($1=="alice") {print $3":"$4}}' $mnt/etc/passwd)
mkdir "$_dir"
chown "$_owner" "$_dir"
socat UNIX-CONNECT:$SSH_AUTH_SOCK \
UNIX-LISTEN:$mnt$SSH_AUTH_SOCK,fork,user=${_owner%:*} &
socat_pid=$!
export SSH_AUTH_SOCK
fi
It establishes the uid
and gid
of the user (alice in the example) within the chroot that should be able to access the agent. It then creates that directory and establishes a socat
in pretty-much the same manner as the OP. The addition is the user=${_owner%:*}
pirce which sets the uid on the socket within the chroot so that alice can access it.
It then remembers the socat
PID so that it can be torn down when the chroot exits. Finally it exports the SSH_AUTH_SOCK
variable to make it available within the chroot.
Now, chroot
can only be done by root
so my guess would be that the script is run with sudo
from a regular user who owns the agent process. If this is accurate, then there is one more thing to do which is to permit sudo
to pass the environment varaible into the script. To do this, edit /etc sudoers
(the approved mechanism is to so sudo visudo
) and add the following:
Defaults env_keep+=SSH_AUTH_SOCK
This change also needs to be made to /etc/sudoers
within the chroot if sudo
will be used within the chroot (i.e. to switch from root
to alice
).
Here is an example of an agent socket within a chroot viewed by a regular user.
$ ls -l $SSH_AUTH_SOCK
srwxr-xr-x 1 alice root 0 Feb 1 15:06 /tmp/ssh-q1ntaubl6I2z/agent.1443
socat can do serial line stuff, netcat cannot. socat can do fairly advanced functionality, like having multiple clients listen on a port, or reusing connections.
Best Answer
Another netcat-like tool is the nmap version,
ncat
, that has lots of built in goodies to simplify things like this. This would work:-e means it executes /bin/cat (to echo back what you type)
-k means keep-alive, that it keeps listening after each connection
-u means udp
-l 1235 means that it listens on port 1235