From owner-freebsd-questions Sat Mar 15 11: 8:49 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 445E037B401 for ; Sat, 15 Mar 2003 11:08:47 -0800 (PST)
Received: from mail.liwing.de (mail.liwing.de [213.70.188.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id E233543F75 for ; Sat, 15 Mar 2003 11:08:45 -0800 (PST) (envelope-from rehsack@liwing.de)
Received: (qmail 58752 invoked from network); 15 Mar 2003 19:08:43 -0000
Received: from stingray.liwing.de (HELO liwing.de) ([213.70.188.164]) (envelope-sender ) by mail.liwing.de (qmail-ldap-1.03) with SMTP for ; 15 Mar 2003 19:08:43 -0000
Message-ID: <3E737A3B.8010305@liwing.de>
Date: Sat, 15 Mar 2003 20:08:43 +0100
From: Jens Rehsack
Organization: LiWing IT-Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Cary Mathews
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh'ing into jail(8)
References:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Cary Mathews wrote:
> If this is not the right forum to ask this question, please redirect me to
> the correct place, or documentation which addresses this issue.

Maybe security@freebsd.org may be a better place, maybe not. By the way, now you're here ...

> nslookup and dig tools. So I am confident that name resolution is working.

Ok.

> Within the jailed hosts, I have turned off the portmap, syslogd, sendmail,
> and inetd daemons and am running only cron and sshd daemons upon start up.
>
> But when I attempt to ssh into one of the jailed hosts, the connection
> times out and reports: "Connection closed by 192.168.1.100".
Maybe starting sshd in debug mode could be very helpful.

> A partial sockstat reading while the hosts are attempting to connect
> shows:
>
> USER COMMAND PID   FD PROTO LOCAL ADDRESS       FOREIGN ADDRESS
> sshd sshd    59613 4  tcp4  192.168.1.100:22    192.168.1.100:2604
> sshd sshd    59613 7  udp4  192.168.1.100:2625  192.168.1.1:53
> root sshd    59612 4  tcp4  192.168.1.100:22    192.168.1.100:2604
> cary ssh     59611 3  tcp4  192.168.1.100:2604  192.168.1.100:22
>
> A quick description of the addresses:
> 150.252.106.57 - external IP address of host computer, also running
>                  dnscache for external lookups
> 192.168.1.1    - IP address of internal dnscache for 192.168.x.x addresses
> 192.168.1.100  - IP address of jail(8)'d host
> 192.168.53.1   - IP address of jail(8)'d tinydns server host

ssh used with which command? And - using 3 -v's may help get more info, too.

> ssh debugging output shows:
> [snip initial key-exchange]
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> {and ssh "hangs" here...}

It doesn't hang. If it hung, it wouldn't tell you that the remote host has closed the connection. Enabling syslog in the jail (you don't have to enable network syslog!) and starting sshd in debug mode will give you some important information.

> The messages, security, and auth logs under /var/log in the jail'd host
> are completely empty. Under the host machine logs, there is nothing as
> well.

This is because you have disabled syslogd. You should think about enabling it, but protect it against external access using ipfilter or ipfirewall.

> I'm at a loss of what else to troubleshoot. I'm not subscribed to the
> list so if you could Cc: me, I would appreciate it.
>
> Thank you in advance for any help offered!
>
> Cary Mathews

So long,
Jens

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
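The steps Jens suggests (sshd in debug mode inside the jail, ssh -vvv from the client, syslogd re-enabled without a network socket), collected into a small shell script. This is an added example, not code from the original thread or from either poster. It assumes a current FreeBSD host with jexec(8) and sysrc(8), a jail named "jail100" (hypothetical), the jail IP from the thread, and that port 2222 is free. The last function reads sockstat(1) output and reports sshd processes that hold a UDP socket to port 53; that the posted sockstat shows such a socket on the sshd child is one reading of the output, not a diagnosis the thread itself makes.

```shell
#!/bin/sh
# Added example (not from the original thread): debugging sshd inside a
# FreeBSD jail.  Assumed names: jail "jail100", jail IP 192.168.1.100,
# debug port 2222.  Needs a FreeBSD host with jexec(8) and sysrc(8).

JAIL=${JAIL:-jail100}
JAIL_IP=${JAIL_IP:-192.168.1.100}
DEBUG_PORT=${DEBUG_PORT:-2222}

# Start a second sshd inside the jail, in the foreground, at the highest
# debug level, on an alternate port so the regular daemon is untouched.
# -e writes the debug log to stderr instead of syslog, so it is readable
# even while syslogd is disabled in the jail.
sshd_debug() {
    jexec "$JAIL" /usr/sbin/sshd -ddd -e -p "$DEBUG_PORT"
}

# Connect from the host with full client-side debugging (three -v's).
ssh_debug() {
    ssh -vvv -p "$DEBUG_PORT" "$JAIL_IP" "$@"
}

# Turn syslogd back on in the jail without exposing it: with -ss FreeBSD's
# syslogd opens no network socket at all, so /var/log/auth.log and
# /var/log/messages in the jail fill up again and nothing listens on UDP 514.
syslogd_local_only() {
    jexec "$JAIL" sysrc syslogd_enable=YES syslogd_flags=-ss
    jexec "$JAIL" service syslogd start
}

# Read sockstat(1) output on stdin and print the PID of every sshd that
# holds a UDP socket to port 53, i.e. a name lookup still in progress.
# Row columns: USER COMMAND PID FD PROTO LOCAL FOREIGN; the header line is
# skipped because its $2 is "COMMAND", not "sshd".
sockstat_pending_dns() {
    awk '$2 == "sshd" && $5 ~ /^udp/ && $7 ~ /:53$/ { print $3 }'
}
```

Typical use: run `sshd_debug` in one terminal, `ssh_debug` in another, and while the client is waiting run `sockstat -4 | sockstat_pending_dns` on the host; a PID in the output means that sshd child is waiting on the resolver at 192.168.1.1 rather than on the client. With `syslogd_flags=-ss` the ipfilter/ipfw rule Jens mentions becomes belt-and-braces rather than a requirement, since the daemon never binds a socket to protect.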