
Require password for LXC container shell access


I'm trying to lock down shell access to the containers I'm running. In essence, if someone is on the LXC host computer, I would like for them to have to enter a username/password before they get shell access to the container. Mainly for the sake of logging/tracking who did what to which container.

So far I've tried the following:

  1. Using `lxc console mycontainer` I get a login prompt requiring username/password. It works, but `lxc shell mycontainer` etc. still pop a root shell without so much as a password request.

  2. If I disable the container root user (set shell to no login / disable the account) I need to use `lxc exec mycontainer -- sudo --login --user myuser` to get a shell, but it does not ask for a password.

Short of restricting the host lxc commands (e.g. unless you are in the "lxc admin" group, you are only allowed to use `lxc console`) I cannot see a way of locking this down. Some form of authentication portal between the container and host machine would be good, but I can't run an ssh server on every container.

Anyone got any pointers?
