From owner-freebsd-stable@FreeBSD.ORG Sun Nov 11 15:52:18 2007 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DFE7A16A417 for ; Sun, 11 Nov 2007 15:52:17 +0000 (UTC) (envelope-from csjp@sub.vaned.net) Received: from sub.vaned.net (sub.vaned.net [205.200.235.40]) by mx1.freebsd.org (Postfix) with ESMTP id 3BB8713C4AC for ; Sun, 11 Nov 2007 15:52:17 +0000 (UTC) (envelope-from csjp@sub.vaned.net) Received: by sub.vaned.net (Postfix, from userid 1001) id E2FC317368; Sun, 11 Nov 2007 09:31:12 -0600 (CST) Date: Sun, 11 Nov 2007 09:31:12 -0600 From: "Christian S.J. Peron" To: Dan Epure Message-ID: <20071111153112.GA7656@sub.vaned.net> References: <20071108173039.GA97983@bigskyservices.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="h31gzZEtNLTqOjlF" Content-Disposition: inline In-Reply-To: <20071108173039.GA97983@bigskyservices.com> User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-stable@freebsd.org Subject: Re: [gepu@iogyte.ro: Re: openpty() and jail in RELENG_7] X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Nov 2007 15:52:18 -0000 --h31gzZEtNLTqOjlF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Please try the attached patch. I have committed this to head and it somehow slipped through the cracks in terms of an MFC (patch /etc/defaults/devfs.rules) On Thu, Nov 08, 2007 at 07:30:39PM +0200, Dan Epure wrote: > I can provide more info on request. > > > ----- Forwarded message from Dan Epure ----- > > Date: Wed, 7 Nov 2007 19:25:08 +0200 > From: Dan Epure > To: Tom Evans > Cc: freebsd-stable@freebsd.org > Subject: Re: openpty() and jail in RELENG_7 > > Thank you for your answer. > > This is not Xin Li's scenario. > > Description: > > the host of the jail - H (192.168.168.2/24) > the jail running on H - J (192.168.168.254/32) > the testing system - T (192.168.168.253/24) > > 1. I start the ssh daemon on H: > === cut here === > H# /usr/sbin/sshd -d > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110 > debug1: read PEM private key done: type DSA > debug1: private host key: #0 type 2 DSA > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-d' > debug1: Bind to port 22 on 192.168.168.2. > Server listening on 192.168.168.2 port 22. > === and here === > > 2. On T I run: > === cut here === > T# ssh 192.168.168.2 -l test2 > === and here === > > 3. On H I see: > === cut here === > Debug1: fd 4 clearing O_NONBLOCK > Debug1: Server will not fork when running in debugging mode. > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 > debug1: inetd sockets after dupping: 3, 3 > debug1: res_init() > Connection from 192.168.168.253 port 60155 > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5 > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 > debug1: permanently_set_uid: 22/22 > debug1: list_hostkey_types: ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug1: userauth-request for user test2 service ssh-connection method none > debug1: attempt 0 failures 0 > debug1: PAM: initializing for "test2" > debug1: userauth-request for user test2 service ssh-connection method publickey > debug1: attempt 1 failures 1 > debug1: PAM: setting PAM_RHOST to "192.168.168.253" > debug1: test whether pkalg/pkblob are acceptable > debug1: trying public key file /home/test2/.ssh/authorized_keys > debug1: trying public key file /home/test2/.ssh/authorized_keys2 > Failed publickey for test2 from 192.168.168.253 port 60155 ssh2 > debug1: audit_event: unhandled event 6 > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive > debug1: attempt 2 failures 2 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=test2 devs= > debug1: kbdint_alloc: devices 'pam' > debug1: auth2_challenge_start: trying authentication method 'pam' > Postponed keyboard-interactive for test2 from 192.168.168.253 port 60155 ssh2 > debug1: do_pam_account: called > debug1: PAM: num PAM env strings 0 > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2 > debug1: do_pam_account: called > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2 > debug1: monitor_child_preauth: test2 has been authenticated by privileged process > debug1: PAM: reinitializing credentials > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: init > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_new: init > debug1: session_new: session 0 > debug1: session_pty_req: session 0 alloc /dev/pts/3 > debug1: Ignoring unsupported tty mode opcode 37 (0x25) > debug1: Ignoring unsupported tty mode opcode 52 (0x34) > debug1: Ignoring unsupported tty mode opcode 71 (0x47) > debug1: server_input_channel_req: channel 0 request shell reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > debug1: PAM: setting PAM_TTY to "/dev/pts/3" > debug1: Setting controlling tty using TIOCSCTTY. > === and here === > > 4. On T I am logged in on H: > === cut here === > Password: > H$ > === and here === > > 5. I start the jail on H: > === cut here === > H# /etc/rc.d/jail start > Configuring jails:. > Starting jails: test2.mydomain.org. > > 6. I start the ssh daemon on J: > === cut here === > J# /usr/sbin/sshd -d > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110 > debug1: read PEM private key done: type DSA > debug1: private host key: #0 type 2 DSA > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-d' > debug1: Bind to port 22 on 192.168.168.254. > Server listening on 192.168.168.254 port 22. > === and here === > > 7. On T I run: > === cut here === > T# ssh 192.168.168.254 -l test2 > === and here === > > 8. On J I see: > === cut here === > debug1: fd 4 clearing O_NONBLOCK > debug1: Server will not fork when running in debugging mode. > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 > debug1: inetd sockets after dupping: 3, 3 > debug1: res_init() > Connection from 192.168.168.253 port 52242 > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5 > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 > debug1: permanently_set_uid: 22/22 > debug1: list_hostkey_types: ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug1: userauth-request for user test2 service ssh-connection method none > debug1: attempt 0 failures 0 > debug1: PAM: initializing for "test2" > debug1: PAM: setting PAM_RHOST to "192.168.168.253" > debug1: userauth-request for user test2 service ssh-connection method publickey > debug1: attempt 1 failures 1 > debug1: test whether pkalg/pkblob are acceptable > debug1: trying public key file /home/test2/.ssh/authorized_keys > debug1: trying public key file /home/test2/.ssh/authorized_keys2 > Failed publickey for test2 from 192.168.168.253 port 52242 ssh2 > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive > debug1: attempt 2 failures 2 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=test2 devs= > debug1: kbdint_alloc: devices 'pam' > debug1: auth2_challenge_start: trying authentication method 'pam' > Postponed keyboard-interactive for test2 from 192.168.168.253 port 52242 ssh2 > debug1: do_pam_account: called > debug1: PAM: num PAM env strings 0 > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2 > debug1: do_pam_account: called > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2 > debug1: monitor_child_preauth: test2 has been authenticated by privileged process > debug1: PAM: reinitializing credentials > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: init > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_new: init > debug1: session_new: session 0 > openpty: No such file or directory > session_pty_req: session 0 alloc failed > debug1: server_input_channel_req: channel 0 request shell reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > === and here === > > 9. On T the session is stuck: > === cut here === > $ ssh 192.168.168.254 -l test2 > Password: > Environment: > USER=test2 > LOGNAME=test2 > HOME=/home/test2 > MAIL=/var/mail/test2 > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/test2/bin > TERM=su > FTP_PASSIVE_MODE=YES > BLOCKSIZE=K > SHELL=/usr/local/bin/rbash > SSH_CLIENT=192.168.168.253 39090 22 > SSH_CONNECTION=192.168.168.253 39090 192.168.168.254 22 > === and here === > > 10. On J the content of /dev/pts and /dev/pty is unchanged: > === cut here === > J# ls -la /dev/pts > total 1 > dr-xr-xr-x 2 root wheel 512 Nov 7 16:38 . > dr-xr-xr-x 6 root wheel 512 Nov 7 16:38 .. > crw-rw-rw- 1 root wheel 0, 97 Nov 7 17:22 0 > crw-rw-rw- 1 root wheel 0, 106 Nov 7 16:56 2 > crw-rw-rw- 1 root wheel 0, 110 Nov 7 17:16 5 > J# ls -la /dev/pty > total 1 > dr-xr-xr-x 2 root wheel 512 Nov 7 16:38 . > dr-xr-xr-x 6 root wheel 512 Nov 7 16:38 .. > crw-rw-rw- 1 root wheel 0, 95 Nov 7 17:22 0 > crw-rw-rw- 1 root wheel 0, 104 Nov 7 15:36 1 > crw-rw-rw- 1 root wheel 0, 105 Nov 7 16:56 2 > crw-rw-rw- 1 root wheel 0, 107 Nov 7 15:36 3 > crw-rw-rw- 1 root wheel 0, 108 Nov 7 15:36 4 > crw-rw-rw- 1 root wheel 0, 109 Nov 7 17:16 5 > === and here === > > regards, > Gepu > > On Wed, Nov 07, 2007 at 10:42:58AM +0000, Tom Evans wrote: > > On Tue, 2007-11-06 at 22:19 +0200, Dan Epure wrote: > > > Hi All, > > > > > > > > > I'm using on the host system (7.0-BETA2): > > > #sysctl kern.pts.enable > > > kern.pts.enable: 1 > > > I have no problem at all. > > > > > > The jail is also 7.0-BETA2 > > > > > > The problem is inside the jail openpty() can not allocate the pty: > > > === cut here === > > > debug1: monitor_child_preauth: test2 has been authenticated by privileged process > > > debug1: PAM: reinitializing credentials > > > debug1: Entering interactive session for SSH2. > > > debug1: server_init_dispatch_20 > > > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 > > > debug1: input_session_request > > > debug1: channel 0: new [server-session] > > > debug1: session_new: init > > > debug1: session_new: session 0 > > > debug1: session_open: channel 0 > > > debug1: session_open: session 0: link with channel 0 > > > debug1: server_input_channel_open: confirm session > > > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > > > debug1: session_by_channel: session 0 channel 0 > > > debug1: session_input_channel_req: session 0 req pty-req > > > debug1: Allocating pty. > > > debug1: session_new: init > > > debug1: session_new: session 0 > > > openpty: No such file or directory > > > session_pty_req: session 0 alloc failed > > > debug1: server_input_channel_req: channel 0 request shell reply 0 > > > debug1: session_by_channel: session 0 channel 0 > > > debug1: session_input_channel_req: session 0 req shell > > > === and here === > > > the ssh session just hangs. (no pty ?) > > > > > > I did not forget to mount devfs inside the jail. > > > The jail is configured in rc.conf: > > > === cut here === > > > jail_enable="YES" > > > jail_list="test" > > > jail_test_hostname="test.mydomain.org" > > > jail_test_rootdir="/jails/test" > > > jail_test_interface="bge0" > > > jail_test_devfs_enable="YES" > > > jail_test_ip="192.168.10.2" > > > jail_set_hostname_allow="NO" > > > jail_sysvipc_allow="NO" > > > jail_socket_unixiproute_only="YES" > > > === and here === > > > I think the problem is related to restrictions imposed by the jail. > > > > > > Please advise. > > > > > > Gepu > > > > This is because you haven't been allocated a pty inside your jail. > > Enable sshd inside your jail, ssh to your jail (which will allocate you > > a pty). Then from inside your jail, you can use any pty-using > > application you wish. > > > > I am presuming you are doing something like 'jexec 1 /bin/csh' or > > similar, and I'm only really repeating Xin Li's advice to me[1]. > > > > Cheers > > > > Tom > > > > [1] > > http://lists.freebsd.org/pipermail/freebsd-jail/2007-October/000106.html > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" > > ----- End forwarded message ----- > > -- > Gepu > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" -- Christian S.J. Peron csjp@FreeBSD.ORG FreeBSD Committer --h31gzZEtNLTqOjlF Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="devfs.rules.diff" Index: devfs.rules =================================================================== RCS file: /usr/ncvs/src/etc/defaults/devfs.rules,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- devfs.rules 22 Apr 2006 13:42:49 -0000 1.4 +++ devfs.rules 12 Oct 2007 14:55:41 -0000 1.5 @@ -13,7 +13,7 @@ # references must include a dollar sign '$' in front of the # name to be expanded properly. # -# $FreeBSD: src/etc/defaults/devfs.rules,v 1.4 2006/04/22 13:42:49 brueffer Exp $ +# $FreeBSD: src/etc/defaults/devfs.rules,v 1.5 2007/10/12 14:55:41 csjp Exp $ # # Very basic and secure ruleset: Hide everything. @@ -52,6 +52,8 @@ add path 'ttyQ*' unhide add path 'ttyR*' unhide add path 'ttyS*' unhide +add path 'pts/*' unhide +add path 'pty/*' unhide add path fd unhide add path 'fd/*' unhide add path stdin unhide --h31gzZEtNLTqOjlF--