Date:      Tue, 9 Aug 2011 14:45:43 +0200
From:      Paul Schenkeveld <freebsd@psconsult.nl>
To:        freebsd-jail@freebsd.org
Subject:   Jexec and access to tty
Message-ID:  <20110809124543.GA22077@psconsult.nl>

Hi,

There have been several threads about this issue, some people have come
up with work-arounds but I think that the issue is more fundamental,
that's why I wanted to start this new thread.

When using jexec to do interactive work inside an existing jail, people
find out that they no longer have access to their tty device.  As a
result, programs requiring input of passwords or passphrases behave
unexpectedly in one of several ways.

Ssh says "Host key verification failed." and refuses to log in to
another system (unless pubkey authentication is used in combination with
an agent of course).  Some programs fall back to using stdin/stdout
and echo the password as it is typed (the mysql clients are popular
examples).

Work-arounds that have been suggested are
 1. Run a sshd inside the jail and log in using ssh
 2. Start tmux inside the jail so you get a new pseudo tty slave inside
    the jail.  People trying screen find that it won't work unlike tmux.
 3. I tried using 'script -q /dev/null' inside the jail because it is
    part of the base system and it doesn't change your terminal type
    and interpret keyboard input and screen output.  I found out that I
    failed when I resized my window :-(

I don't like 1 on a machine with many jails, especially if some of them
share the same IP address (e.g. sometimes I have to run a mail server on
the same IP address as a webserver but in a distinct jail).

2 is not ideal either because tmux emulates a different terminal on
the inside than the terminal on the outside that it runs on.

3 is really a kludge and causes problems when you resize your window.

I thought that I found a solution by rewriting jexec such that it will
open a pseudo tty and does the passing of data between the jailed pts
and the tty from where jexec was started but that's not going to work as
the pseudo tty must be opened by the child process inside the jail but
the parent outside the jail must have access to the master side of the
pseudo tty.

So far we are still talking about work-arounds.  Why not look at the
root cause.  Unfortunately I'm not familiar with kernel sources so if
I'm wrong, please forgive me, I write this with the best intentions.

The root cause of the problem appears to be that pseudo ttys opened
outside a jail are not visible nor accessible inside a jail, pseudo ttys
created inside a jail are visible and accessible though.

Would it be conceivable that by using jexec the controlling tty of jexec
magically becomes visible and accessible inside the jail?  Preferably
only until jexec dies.

I understand that this is not trivial but given the number of threads
about this problem, it's a real issue to many people.  To me it's worth
some $ or EUR to solve this in a clean way.

Kind regards,

Paul Schenkeveld
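
Added example, not part of the original message and not jexec code: a minimal sketch of the pseudo tty split the message describes, where the parent keeps the master side and the child gets the slave as its controlling terminal, plus the window-size copy a relay has to perform on every resize. It runs without any jail, so it does not address the jail boundary problem raised above; the function names and the CHILD command are assumptions made for illustration.

```python
import fcntl, os, pty, struct, sys, termios

def get_winsize(fd):
    """Return (rows, cols) of the terminal behind fd."""
    raw = fcntl.ioctl(fd, termios.TIOCGWINSZ, b"\0" * 8)
    return struct.unpack("HHHH", raw)[:2]

def set_winsize(fd, rows, cols):
    fcntl.ioctl(fd, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))

def copy_winsize(src_fd, dst_fd):
    """What a relay's SIGWINCH handler has to do: outer tty -> pty master."""
    set_winsize(dst_fd, *get_winsize(src_fd))

def run_on_pty(argv, rows, cols):
    """Run argv with a fresh pty as its controlling terminal; return its output."""
    master, slave = pty.openpty()
    set_winsize(master, rows, cols)
    pid = os.fork()
    if pid == 0:                      # child: only ever uses the slave side
        try:
            os.close(master)
            os.setsid()               # new session, no controlling tty yet
            fcntl.ioctl(slave, termios.TIOCSCTTY, 0)  # slave becomes /dev/tty
            for fd in (0, 1, 2):
                os.dup2(slave, fd)
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)             # reached only if setup or exec failed
    os.close(slave)                   # parent: keeps only the master side
    out = b""
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:               # Linux reports EIO once the slave is closed
            break
        if not chunk:                 # other systems may report EOF instead
            break
        out += chunk
    os.close(master)
    os.waitpid(pid, 0)
    return out

# Constructed child command: opens /dev/tty the way a password prompt would.
CHILD = [sys.executable, "-c",
         "import os; print(os.get_terminal_size(os.open('/dev/tty', os.O_RDWR)))"]

if __name__ == "__main__":
    print(run_on_pty(CHILD, 30, 100).decode())
```
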


