[gepu_at_iogyte.ro: [gepu_at_iogyte.ro: Re: openpty() and jail in RELENG_7]]

From: Dan Epure <gepu_at_iogyte.ro>
Date: Sun, 11 Nov 2007 13:24:56 +0200
Maybe I have better luck here:


----- Forwarded message from Dan Epure <gepu_at_iogyte.ro> -----

Date: Thu, 8 Nov 2007 19:30:39 +0200
From: Dan Epure <gepu_at_iogyte.ro>
To: freebsd-stable_at_freebsd.org
Subject: [gepu_at_iogyte.ro: Re: openpty() and jail in RELENG_7]

I can provide more info on request.


----- Forwarded message from Dan Epure <gepu_at_iogyte.ro> -----

Date: Wed, 7 Nov 2007 19:25:08 +0200
From: Dan Epure <gepu_at_iogyte.ro>
To: Tom Evans <tevans.uk_at_googlemail.com>
Cc: freebsd-stable_at_freebsd.org
Subject: Re: openpty() and jail in RELENG_7

Thank you for your answer.

This is not Xin Li's scenario.

Description:

the host of the jail - H (192.168.168.2/24)
the jail running on H - J (192.168.168.254/32)
the testing system - T (192.168.168.253/24)

1. I start the ssh daemon on H:
=== cut here ===
H# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 192.168.168.2.
Server listening on 192.168.168.2 port 22.
=== and here ===

2. On T I run:
=== cut here ===
T# ssh 192.168.168.2 -l test2
=== and here ===
 
3. On H I see:
=== cut here ===
Debug1: fd 4 clearing O_NONBLOCK
Debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 192.168.168.253 port 60155
debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user test2 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "test2"
debug1: userauth-request for user test2 service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: PAM: setting PAM_RHOST to "192.168.168.253"
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file /home/test2/.ssh/authorized_keys
debug1: trying public key file /home/test2/.ssh/authorized_keys2
Failed publickey for test2 from 192.168.168.253 port 60155 ssh2
debug1: audit_event: unhandled event 6
debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=test2 devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for test2 from 192.168.168.253 port 60155 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
debug1: monitor_child_preauth: test2 has been authenticated by privileged process
debug1: PAM: reinitializing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/3
debug1: Ignoring unsupported tty mode opcode 37 (0x25)
debug1: Ignoring unsupported tty mode opcode 52 (0x34)
debug1: Ignoring unsupported tty mode opcode 71 (0x47)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to "/dev/pts/3"
debug1: Setting controlling tty using TIOCSCTTY.
=== and here ===

4. On T I am logged in on H:
=== cut here ===
Password:
H$ 
=== and here ===

5. I start the jail on H:
=== cut here ===
H# /etc/rc.d/jail start
Configuring jails:.
Starting jails: test2.mydomain.org.

6. I start the ssh daemon on J:
=== cut here ===
J# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 192.168.168.254.
Server listening on 192.168.168.254 port 22.
=== and here ===

7. On T I run:
=== cut here ===
T# ssh 192.168.168.254 -l test2
=== and here ===

8. On J I see:
=== cut here ===
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 192.168.168.253 port 52242
debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user test2 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "test2"
debug1: PAM: setting PAM_RHOST to "192.168.168.253"
debug1: userauth-request for user test2 service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file /home/test2/.ssh/authorized_keys
debug1: trying public key file /home/test2/.ssh/authorized_keys2
Failed publickey for test2 from 192.168.168.253 port 52242 ssh2
debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=test2 devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for test2 from 192.168.168.253 port 52242 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
debug1: monitor_child_preauth: test2 has been authenticated by privileged process
debug1: PAM: reinitializing credentials
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
openpty: No such file or directory
session_pty_req: session 0 alloc failed
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
=== and here ===

9. On T the session is stuck:
=== cut here ===
$ ssh 192.168.168.254 -l test2
Password:
Environment:
              USER=test2
                          LOGNAME=test2
                                         HOME=/home/test2
                                                           MAIL=/var/mail/test2
                                                                                 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/test2/bin
               TERM=su
                        FTP_PASSIVE_MODE=YES
                                              BLOCKSIZE=K
                                                           SHELL=/usr/local/bin/rbash
       SSH_CLIENT=192.168.168.253 39090 22
                                            SSH_CONNECTION=192.168.168.253 39090 192.168.168.254 22
=== and here ===

10. On J the content of /dev/pts and /dev/pty is unchanged:
=== cut here ===
J# ls -la /dev/pts
total 1
dr-xr-xr-x  2 root  wheel       512 Nov  7 16:38 .
dr-xr-xr-x  6 root  wheel       512 Nov  7 16:38 ..
crw-rw-rw-  1 root  wheel    0,  97 Nov  7 17:22 0
crw-rw-rw-  1 root  wheel    0, 106 Nov  7 16:56 2
crw-rw-rw-  1 root  wheel    0, 110 Nov  7 17:16 5
J# ls -la /dev/pty
total 1
dr-xr-xr-x  2 root  wheel       512 Nov  7 16:38 .
dr-xr-xr-x  6 root  wheel       512 Nov  7 16:38 ..
crw-rw-rw-  1 root  wheel    0,  95 Nov  7 17:22 0
crw-rw-rw-  1 root  wheel    0, 104 Nov  7 15:36 1
crw-rw-rw-  1 root  wheel    0, 105 Nov  7 16:56 2
crw-rw-rw-  1 root  wheel    0, 107 Nov  7 15:36 3
crw-rw-rw-  1 root  wheel    0, 108 Nov  7 15:36 4
crw-rw-rw-  1 root  wheel    0, 109 Nov  7 17:16 5
=== and here ===

regards,
Gepu

On Wed, Nov 07, 2007 at 10:42:58AM +0000, Tom Evans wrote:
> On Tue, 2007-11-06 at 22:19 +0200, Dan Epure wrote:
> > Hi All,
> > 
> > 
> > I'm using on the host system (7.0-BETA2):
> > #sysctl kern.pts.enable
> > kern.pts.enable: 1
> > I have no problem at all.
> > 
> > The jail is also 7.0-BETA2
> > 
> > The problem is inside the jail openpty() can not allocate the pty:
> > === cut here ===
> > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > debug1: PAM: reinitializing credentials
> > debug1: Entering interactive session for SSH2.
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_new: init
> > debug1: session_new: session 0
> > openpty: No such file or directory
> > session_pty_req: session 0 alloc failed
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > === and here ===
> > the ssh session just hangs. (no pty ?) 
> > 
> > I did not forget to mount devfs inside the jail.
> > The jail is configured in rc.conf:
> > === cut here ===
> > jail_enable="YES"
> > jail_list="test"
> > jail_test_hostname="test.mydomain.org"
> > jail_test_rootdir="/jails/test"
> > jail_test_interface="bge0"
> > jail_test_devfs_enable="YES"
> > jail_test_ip="192.168.10.2"
> > jail_set_hostname_allow="NO"
> > jail_sysvipc_allow="NO"
> > jail_socket_unixiproute_only="YES"
> > === and here ===
> > I think the problem is related to restrictions imposed by the jail.
> > 
> > Please advise.
> > 
> > Gepu
> 
> This is because you haven't been allocated a pty inside your jail.
> Enable sshd inside your jail, ssh to your jail (which will allocate you
> a pty). Then from inside your jail, you can use any pty-using
> application you wish. 
> 
> I am presuming you are doing something like 'jexec 1 /bin/csh' or
> similar, and I'm only really repeating Xin Li's advice to me[1].
> 
> Cheers
> 
> Tom
> 
> [1]
> http://lists.freebsd.org/pipermail/freebsd-jail/2007-October/000106.html


_______________________________________________
freebsd-stable_at_freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe_at_freebsd.org"

----- End forwarded message -----

-- 
Gepu

_______________________________________________
freebsd-stable_at_freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe_at_freebsd.org"

----- End forwarded message -----
Received on Sun Nov 11 2007 - 10:51:48 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:21 UTC