Date:      Sun, 1 Aug 2021 18:52:15 +0200
From:      Michael Gmelin <freebsd@grem.de>
To:        "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject:   Should we include ttyu* to devfs_ruleset 3 (devfsrules_unhide_login)?
Message-ID:  <20210801185215.645cf0c8@bsd64.grem.de>

Hi,

There are many TTY devices in devfsrules_unhide_login=3, but ttyu*
(serial lines) are not part of it.

As a result, certain things won't work as expected when connecting over
a serial console, one example being connecting to a local bhyve vm over
serial console (e.g., `vm console myvm' when using vm-bhyve).

The example that brought this to my attention is using ssh within a
jail that's running inside of a VM, while being connected to that VM
over serial console.

So the setup is:
- FreeBSD 13 host
- bhyve vm running FreeBSD 13 on top
- Jail using mount.devfs running within the bhyve vm, using the default
  devfs_ruleset inside of the bhyve vm (which in turn loads
  devfsrules_jail=4, which includes devfsrules_unhide_login=3).

Now, ssh within that jail won't work, as /dev/tty can't be accessed.

Example (while being connected to the vm over a serial line):

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    Host key verification failed.
    jail: ssh localhost: failed

Now, adding in an extra rule to ruleset 3:

    # devfs rule -s 3 add 3250 path "ttyu*" unhide

Things work as expected:

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be
    established... Are you sure you want to continue connecting
    (yes/no)?

Now the question is, would it make sense to add ttyu* (or at least
ttyu0) to [devfsrules_unhide_login=3] in /etc/defaults/devfs.rules, or
are there any (security) reasons why this might be a bad idea?

Best,
Michael

-- 
Michael Gmelin



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210801185215.645cf0c8>
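
A way to check which device nodes a ruleset exposes before and after a change like the one proposed in the message, as an added example that is not part of the original e-mail. The sample rules are constructed and abridged, `devfsrules_jail_serial=10` is a hypothetical per-jail ruleset, and matching uses the shell's `case` globbing, which only approximates devfs's own path matching.

```shell
# Added example: is a device node visible under a given devfs ruleset?
# Handles "add include", "add hide|unhide", "add path P hide|unhide" only.

# Constructed sample, abridged. devfsrules_jail_serial=10 is a hypothetical
# per-jail ruleset, not part of the stock file.
sample_rules() {
cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
add path pts unhide
add path 'pts/*' unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_login
[devfsrules_jail_serial=10]
add include $devfsrules_jail
add path 'ttyu*' unhide
EOF
}

# Print the ruleset as ordered "<action> <glob>" lines, includes expanded.
flatten_ruleset() {  # $1 = rules file, $2 = ruleset name
    awk -v want="$2" -v q="'" '
        function emit(name,   i, f, n) {
            for (i = 1; i <= count[name]; i++) {
                n = split(rules[name, i], f, " ")
                if (f[2] == "include") emit(substr(f[3], 2))
                else if (f[2] == "path" && f[4] ~ /^(un)?hide$/) print f[4], f[3]
                else if (n == 2 && f[2] ~ /^(un)?hide$/) print f[2], "*"
            }
        }
        /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/=.*/, "", cur); next }
        $1 == "add" { gsub(q, ""); rules[cur, ++count[cur]] = $0 }
        END { emit(want) }
    ' "$1"
}

# Exit 0 if visible, 1 if hidden. Rules apply in order; the last match decides.
device_visible() {  # $1 = rules file, $2 = ruleset, $3 = path below /dev
    state=unhide    # a devfs mount with no rules shows every node
    while read -r action glob; do
        case $3 in $glob) state=$action ;; esac
    done <<EOF
$(flatten_ruleset "$1" "$2")
EOF
    [ "$state" = unhide ]
}
```

On a real system the same check can be pointed at the rules file itself, for example `device_visible /etc/defaults/devfs.rules devfsrules_jail ttyu0`.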