Maybe I have better luck here: ----- Forwarded message from Dan Epure <gepu_at_iogyte.ro> ----- Date: Thu, 8 Nov 2007 19:30:39 +0200 From: Dan Epure <gepu_at_iogyte.ro> To: freebsd-stable_at_freebsd.org Subject: [gepu_at_iogyte.ro: Re: openpty() and jail in RELENG_7] I can provide more info on request. ----- Forwarded message from Dan Epure <gepu_at_iogyte.ro> ----- Date: Wed, 7 Nov 2007 19:25:08 +0200 From: Dan Epure <gepu_at_iogyte.ro> To: Tom Evans <tevans.uk_at_googlemail.com> Cc: freebsd-stable_at_freebsd.org Subject: Re: openpty() and jail in RELENG_7 Thank you for your answer. This is not Xin Li's scenario. Description: the host of the jail - H (192.168.168.2/24) the jail running on H - J (192.168.168.254/32) the testing system - T (192.168.168.253/24) 1. I start the ssh daemon on H: === cut here === H# /usr/sbin/sshd -d debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110 debug1: read PEM private key done: type DSA debug1: private host key: #0 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on 192.168.168.2. Server listening on 192.168.168.2 port 22. === and here === 2. On T I run: === cut here === T# ssh 192.168.168.2 -l test2 === and here === 3. On H I see: === cut here === Debug1: fd 4 clearing O_NONBLOCK Debug1: Server will not fork when running in debugging mode. debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 debug1: res_init() Connection from 192.168.168.253 port 60155 debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5 debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 debug1: permanently_set_uid: 22/22 debug1: list_hostkey_types: ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user test2 service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for "test2" debug1: userauth-request for user test2 service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: PAM: setting PAM_RHOST to "192.168.168.253" debug1: test whether pkalg/pkblob are acceptable debug1: trying public key file /home/test2/.ssh/authorized_keys debug1: trying public key file /home/test2/.ssh/authorized_keys2 Failed publickey for test2 from 192.168.168.253 port 60155 ssh2 debug1: audit_event: unhandled event 6 debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug1: keyboard-interactive devs debug1: auth2_challenge: user=test2 devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for test2 from 192.168.168.253 port 60155 ssh2 debug1: do_pam_account: called debug1: PAM: num PAM env strings 0 Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2 debug1: do_pam_account: called Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2 debug1: monitor_child_preauth: test2 has been authenticated by privileged process debug1: PAM: reinitializing credentials debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: init debug1: session_new: session 0 debug1: session_pty_req: session 0 alloc /dev/pts/3 debug1: Ignoring unsupported tty mode opcode 37 (0x25) debug1: Ignoring unsupported tty mode opcode 52 (0x34) debug1: Ignoring unsupported tty mode opcode 71 (0x47) debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM: setting PAM_TTY to "/dev/pts/3" debug1: Setting controlling tty using TIOCSCTTY. === and here === 4. On T I am logged in on H: === cut here === Password: H$ === and here === 5. I start the jail on H: === cut here === H# /etc/rc.d/jail start Configuring jails:. Starting jails: test2.mydomain.org. 6. I start the ssh daemon on J: === cut here === J# /usr/sbin/sshd -d debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110 debug1: read PEM private key done: type DSA debug1: private host key: #0 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on 192.168.168.254. Server listening on 192.168.168.254 port 22. === and here === 7. On T I run: === cut here === T# ssh 192.168.168.254 -l test2 === and here === 8. On J I see: === cut here === debug1: fd 4 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 debug1: res_init() Connection from 192.168.168.253 port 52242 debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5 debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 debug1: permanently_set_uid: 22/22 debug1: list_hostkey_types: ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user test2 service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for "test2" debug1: PAM: setting PAM_RHOST to "192.168.168.253" debug1: userauth-request for user test2 service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: test whether pkalg/pkblob are acceptable debug1: trying public key file /home/test2/.ssh/authorized_keys debug1: trying public key file /home/test2/.ssh/authorized_keys2 Failed publickey for test2 from 192.168.168.253 port 52242 ssh2 debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug1: keyboard-interactive devs debug1: auth2_challenge: user=test2 devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for test2 from 192.168.168.253 port 52242 ssh2 debug1: do_pam_account: called debug1: PAM: num PAM env strings 0 Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2 debug1: do_pam_account: called Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2 debug1: monitor_child_preauth: test2 has been authenticated by privileged process debug1: PAM: reinitializing credentials debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: init debug1: session_new: session 0 openpty: No such file or directory session_pty_req: session 0 alloc failed debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell === and here === 9. On T the session is stuck: === cut here === $ ssh 192.168.168.254 -l test2 Password: Environment: USER=test2 LOGNAME=test2 HOME=/home/test2 MAIL=/var/mail/test2 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/test2/bin TERM=su FTP_PASSIVE_MODE=YES BLOCKSIZE=K SHELL=/usr/local/bin/rbash SSH_CLIENT=192.168.168.253 39090 22 SSH_CONNECTION=192.168.168.253 39090 192.168.168.254 22 === and here === 10. On J the content of /dev/pts and /dev/pty is unchanged: === cut here === J# ls -la /dev/pts total 1 dr-xr-xr-x 2 root wheel 512 Nov 7 16:38 . dr-xr-xr-x 6 root wheel 512 Nov 7 16:38 .. crw-rw-rw- 1 root wheel 0, 97 Nov 7 17:22 0 crw-rw-rw- 1 root wheel 0, 106 Nov 7 16:56 2 crw-rw-rw- 1 root wheel 0, 110 Nov 7 17:16 5 J# ls -la /dev/pty total 1 dr-xr-xr-x 2 root wheel 512 Nov 7 16:38 . dr-xr-xr-x 6 root wheel 512 Nov 7 16:38 .. crw-rw-rw- 1 root wheel 0, 95 Nov 7 17:22 0 crw-rw-rw- 1 root wheel 0, 104 Nov 7 15:36 1 crw-rw-rw- 1 root wheel 0, 105 Nov 7 16:56 2 crw-rw-rw- 1 root wheel 0, 107 Nov 7 15:36 3 crw-rw-rw- 1 root wheel 0, 108 Nov 7 15:36 4 crw-rw-rw- 1 root wheel 0, 109 Nov 7 17:16 5 === and here === regards, Gepu On Wed, Nov 07, 2007 at 10:42:58AM +0000, Tom Evans wrote: > On Tue, 2007-11-06 at 22:19 +0200, Dan Epure wrote: > > Hi All, > > > > > > I'm using on the host system (7.0-BETA2): > > #sysctl kern.pts.enable > > kern.pts.enable: 1 > > I have no problem at all. > > > > The jail is also 7.0-BETA2 > > > > The problem is inside the jail openpty() can not allocate the pty: > > === cut here === > > debug1: monitor_child_preauth: test2 has been authenticated by privileged process > > debug1: PAM: reinitializing credentials > > debug1: Entering interactive session for SSH2. > > debug1: server_init_dispatch_20 > > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 > > debug1: input_session_request > > debug1: channel 0: new [server-session] > > debug1: session_new: init > > debug1: session_new: session 0 > > debug1: session_open: channel 0 > > debug1: session_open: session 0: link with channel 0 > > debug1: server_input_channel_open: confirm session > > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > > debug1: session_by_channel: session 0 channel 0 > > debug1: session_input_channel_req: session 0 req pty-req > > debug1: Allocating pty. > > debug1: session_new: init > > debug1: session_new: session 0 > > openpty: No such file or directory > > session_pty_req: session 0 alloc failed > > debug1: server_input_channel_req: channel 0 request shell reply 0 > > debug1: session_by_channel: session 0 channel 0 > > debug1: session_input_channel_req: session 0 req shell > > === and here === > > the ssh session just hangs. (no pty ?) > > > > I did not forget to mount devfs inside the jail. > > The jail is configured in rc.conf: > > === cut here === > > jail_enable="YES" > > jail_list="test" > > jail_test_hostname="test.mydomain.org" > > jail_test_rootdir="/jails/test" > > jail_test_interface="bge0" > > jail_test_devfs_enable="YES" > > jail_test_ip="192.168.10.2" > > jail_set_hostname_allow="NO" > > jail_sysvipc_allow="NO" > > jail_socket_unixiproute_only="YES" > > === and here === > > I think the problem is related to restrictions imposed by the jail. > > > > Please advise. > > > > Gepu > > This is because you haven't been allocated a pty inside your jail. > Enable sshd inside your jail, ssh to your jail (which will allocate you > a pty). Then from inside your jail, you can use any pty-using > application you wish. > > I am presuming you are doing something like 'jexec 1 /bin/csh' or > similar, and I'm only really repeating Xin Li's advice to me[1]. > > Cheers > > Tom > > [1] > http://lists.freebsd.org/pipermail/freebsd-jail/2007-October/000106.html _______________________________________________ freebsd-stable_at_freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe_at_freebsd.org" ----- End forwarded message ----- -- Gepu _______________________________________________ freebsd-stable_at_freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe_at_freebsd.org" ----- End forwarded message -----Received on Sun Nov 11 2007 - 10:51:48 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:21 UTC