Date:      Sat, 15 Mar 2003 20:08:43 +0100
From:      Jens Rehsack <rehsack@liwing.de>
To:        Cary Mathews <scattered@babel.acu.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ssh'ing into jail(8)
Message-ID:  <3E737A3B.8010305@liwing.de>
References:  <Pine.BSO.4.40.0303111552120.2409-100000@babel.acu.edu>

Cary Mathews wrote:
> If this is not the right forum to ask this question, please redirect me to
> the correct place, or documentation which addresses this issue.

Maybe security@freebsd.org may be a better place, maybe not. By the way, 
now you're here ...

> nslookup and dig tools. So I am confident that name resolution is working.

Ok.

> Within the jailed hosts, I have turned off the portmap, syslogd, sendmail,
> and inetd daemons and am running only cron and sshd daemons upon start up.
> 
> But when I attempt to ssh into one of the jailed hosts, the connection
> times out and reports: "Connection closed by 192.168.1.100".

Maybe starting sshd in debug mode could be very helpful.

> A partial sockstat reading while the hosts are attempting to connect
> shows:
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> sshd     sshd     59613    4 tcp4   192.168.1.100:22      192.168.1.100:2604
> sshd     sshd     59613    7 udp4   192.168.1.100:2625    192.168.1.1:53
> root     sshd     59612    4 tcp4   192.168.1.100:22      192.168.1.100:2604
> cary     ssh      59611    3 tcp4   192.168.1.100:2604    192.168.1.100:22
> 
> A quick description of the addresses:
> 150.252.106.57 - external IP address of host computer, also running
> dnscache for external lookups
> 192.168.1.1 - IP address of internal dnscache for 192.168.x.x addresses
> 192.168.1.100 - IP address of jail(8)'d host
> 192.168.53.1 - IP address of jail(8)'d tinydns server host

ssh used with which command? And - using 3 -v's may help get more info, too.

> ssh debugging output shows:
> [snip initial key-exchange]
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> {and ssh "hangs" here...}

It doesn't hang. If it hung, it wouldn't tell you that the remote 
host has closed the connection. Enabling syslog in the jail (you didn't 
have to enable networking syslog!) and starting sshd in debug mode will 
give you some important information.

> The messages, security, and auth logs under /var/log in the jail'd host
> are completely empty.  Under the host machine logs, there is nothing as
> well.

This is because you have disabled syslogd. You should think about 
enabling it, but protect it against external access using ipfilter or 
ipfirewall.

> I'm at a loss of what else to troubleshoot.  I'm not subscribed to the
> list so if you could Cc: me, I would appreciate it.
> 
> Thank you in advance for any help offered!
> 
> Cary Mathews

So long,
Jens
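Added example (not from either poster): the sockstat listing quoted above shows the sshd child (pid 59613) holding a UDP socket to the resolver at 192.168.1.1:53 while the client's TCP connection to port 22 is still open, which is what an outstanding name lookup looks like from outside the process. The shell functions below parse sockstat output in that column format and pair every daemon with a pending port-53 query to the TCP peer it is serving; the sample input is the listing from the mail.

```shell
# Constructed sample: the sockstat(1) listing quoted in the thread.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
sshd     sshd     59613    4 tcp4   192.168.1.100:22      192.168.1.100:2604
sshd     sshd     59613    7 udp4   192.168.1.100:2625    192.168.1.1:53
root     sshd     59612    4 tcp4   192.168.1.100:22      192.168.1.100:2604
cary     ssh      59611    3 tcp4   192.168.1.100:2604    192.168.1.100:22'

# Reads sockstat output on stdin (header line first); prints
# "COMMAND PID FOREIGN" for every UDP socket whose foreign port is 53,
# i.e. a resolver query that has not been answered yet.
pending_dns_queries() {
    awk 'NR > 1 && $5 ~ /^udp/ && $7 ~ /:53$/ { print $2, $3, $7 }'
}

# Same input; for each process with a pending port-53 query, also report
# the TCP peer that process is serving, so the stalled client connection
# is visible next to the lookup it is waiting on. Order-independent: rows
# are collected first and printed in END.
stalled_peers() {
    awk 'NR > 1 && $5 ~ /^tcp/ { peer[$3] = $7 }
         NR > 1 && $5 ~ /^udp/ && $7 ~ /:53$/ { dns[$3] = $7; cmd[$3] = $2 }
         END {
             for (p in dns)
                 print cmd[p], p, "waiting on", dns[p], "while serving",
                       (p in peer ? peer[p] : "-")
         }'
}

# Usage on a live system would be: sockstat -4 | stalled_peers
printf '%s\n' "$SOCKSTAT_SAMPLE" | stalled_peers
```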
