From: Nathan Kinkade
To: "Eugene M. Minkovskii"
Cc: freebsd-questions@freebsd.org
Date: Thu, 17 Mar 2005 09:43:17 -0600
Subject: Re: sshd behaviour
Message-ID: <20050317154317.GZ8226@gentoo-npk.bmp.ub>
In-Reply-To: <20050316170448.GA29054@mccme.ru>

On Wed, Mar 16, 2005 at 08:04:48PM +0300, Eugene M. Minkovskii wrote:
> On Wed, Mar 16, 2005 at 10:00:44AM -0600, Nathan Kinkade wrote:
> "
> " As another poster mentioned, the problem is likely related to DNS, and I
> " have experienced it as well. If you are using Privilege Separation,
> " then an sshd process will chroot itself into /var/empty before
> " performing authentication. /var/empty is itself usually empty. One
> " thing you can do is to make the dir /var/empty/etc and then drop a copy
> " of your /etc/hosts file into the newly created /var/empty/etc/
> " directory. You might want to make sure that the hosts file contains a
> " mapping to the LAN machines which you want to ssh from.
> "
> " Keep in mind that /var/empty has the schg flag set, so you won't be able
> " to copy anything to it without disabling this first. See more at `man
> " chflags`. Try something like this:
> "
> " # chflags -R noschg /var/empty
> " # mkdir /var/empty/etc
> " # cp /etc/hosts /var/empty/etc
> " # chflags -R schg /var/empty
> "
> " This will likely clear up your problem.
> "
> " Nathan
>
> Thank you, Nathan. Can I put a soft link into /var/empty/etc (this
> is a cross-device link, and I can't put a hard link in it)? And do I
> really need the -R key in the last command which you recommended? This
> means that the directory /var/empty/etc has the schg flag too. Is it
> necessary?

From `man sshd`:

    /var/empty
        chroot(2) directory used by sshd during privilege separation in
        the pre-authentication phase. The directory should not contain
        any files and must be owned by root and not group or
        world-writable.

I assume you can follow these rules. The noschg flags may be something
that the FreeBSD developers decided to do for added security, and I
don't see any practical reason to alter it.

Regarding soft/hard links in the chrooted dir, I don't know if that
would work. I suspect no, as it would somewhat defeat the purpose of
the chroot.

Cross-device link error: hard links will only work within a single
filesystem, not across multiple filesystems.

Nathan
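The recipe quoted in the thread (lift schg, add /var/empty/etc/hosts, restore schg) together with the conditions `man sshd` places on the privsep chroot, as an added shell example. This is not code from the thread or from FreeBSD; the function names `install_hosts_copy` and `check_privsep_dir` are mine, and the script assumes a FreeBSD host with chflags(1) and the thread's path /var/empty. The copy is made as a regular file on purpose: a symlink inside the chroot is resolved relative to the chroot root, so a link pointing at the real /etc/hosts can never reach it. The checker enforces only what the quoted man page text states (owned by root, not group- or world-writable) and merely warns that the directory is no longer empty, since the hosts copy deliberately departs from that part of the man page.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes FreeBSD with
# chflags(1) and the sshd privsep chroot at /var/empty as in the thread.

# check_privsep_dir DIR [OWNER]
# Returns 0 if DIR is a directory owned by OWNER (default root) and is
# neither group- nor world-writable, i.e. what sshd(8) requires of
# /var/empty. A non-empty directory only produces a warning.
check_privsep_dir() {
    dir=$1
    want_owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld output is the same on BSD and GNU; stat(1) flags are not.
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    [ "$owner" = "$want_owner" ] || {
        echo "$dir: owned by $owner, expected $want_owner" >&2; return 1; }
    # Mode string positions: 6 = group write bit, 9 = other write bit.
    case $(printf '%s' "$mode" | cut -c6) in
        w) echo "$dir: group-writable" >&2; return 1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c9) in
        w) echo "$dir: world-writable" >&2; return 1 ;;
    esac
    # sshd(8) says the directory "should not contain any files"; the hosts
    # copy from the thread deliberately violates that, so only warn here.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: warning: not empty" >&2
    fi
    return 0
}

# install_hosts_copy DIR [HOSTS]
# Reproduces the thread's recipe. The chflags steps run only where
# chflags(1) exists (FreeBSD); elsewhere the function just makes the copy,
# which keeps it exercisable on a non-BSD test box.
install_hosts_copy() {
    dir=$1
    hosts=${2:-/etc/hosts}
    if command -v chflags >/dev/null 2>&1; then
        chflags -R noschg "$dir" || return 1
    fi
    mkdir -p "$dir/etc" || return 1
    # A regular file, never a symlink: inside the chroot an absolute link
    # to /etc/hosts resolves to the chroot's own /etc/hosts and dangles.
    cp "$hosts" "$dir/etc/hosts" || return 1
    chmod 644 "$dir/etc/hosts" || return 1
    if command -v chflags >/dev/null 2>&1; then
        chflags -R schg "$dir" || return 1
    fi
}

# Usage on the FreeBSD host, as root:  sh this.sh --run
if [ "${1-}" = "--run" ]; then
    install_hosts_copy /var/empty /etc/hosts && check_privsep_dir /var/empty
fi
```

Run it as root on the sshd host; on FreeBSD the `-R` in the final `chflags -R schg` also marks the new etc/hosts immutable, which is what the quoted recipe does, so edit the copy by repeating the noschg/schg dance.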