From owner-freebsd-stable@FreeBSD.ORG Sun Nov 11 18:12:18 2007
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94E4A16A41A for ; Sun, 11 Nov 2007 18:12:18 +0000 (UTC) (envelope-from gepu@iogyte.ro)
Received: from iogyte.ro (mail.iogyte.ro [62.231.111.163]) by mx1.freebsd.org (Postfix) with SMTP id B9BF013C4AC for ; Sun, 11 Nov 2007 18:12:17 +0000 (UTC) (envelope-from gepu@iogyte.ro)
Received: (qmail 20842 invoked by uid 1001); 11 Nov 2007 18:11:57 -0000
Date: Sun, 11 Nov 2007 20:11:57 +0200
From: Dan Epure
To: "Christian S.J. Peron"
Message-ID: <20071111181157.GB19354@iogyte.ro>
References: <20071108173039.GA97983@bigskyservices.com> <20071111153112.GA7656@sub.vaned.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20071111153112.GA7656@sub.vaned.net>
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: freebsd-stable@freebsd.org
Subject: Re: [gepu@iogyte.ro: Re: openpty() and jail in RELENG_7]
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Dan Epure
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Sun, 11 Nov 2007 18:12:18 -0000

I just used the patch and it is working.

Thank you,
Gepu

On Sun, Nov 11, 2007 at 09:31:12AM -0600, Christian S.J. Peron wrote:
> Please try the attached patch. I have committed this to head
> and it somehow slipped through the cracks in terms of an MFC
>
> (patch /etc/defaults/devfs.rules)
>
> On Thu, Nov 08, 2007 at 07:30:39PM +0200, Dan Epure wrote:
> > I can provide more info on request.
> >
> >
> > ----- Forwarded message from Dan Epure -----
> >
> > Date: Wed, 7 Nov 2007 19:25:08 +0200
> > From: Dan Epure
> > To: Tom Evans
> > Cc: freebsd-stable@freebsd.org
> > Subject: Re: openpty() and jail in RELENG_7
> >
> > Thank you for your answer.
> >
> > This is not Xin Li's scenario.
> >
> > Description:
> >
> > the host of the jail - H (192.168.168.2/24)
> > the jail running on H - J (192.168.168.254/32)
> > the testing system - T (192.168.168.253/24)
> >
> > 1. I start the ssh daemon on H:
> > === cut here ===
> > H# /usr/sbin/sshd -d
> > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: read PEM private key done: type DSA
> > debug1: private host key: #0 type 2 DSA
> > debug1: rexec_argv[0]='/usr/sbin/sshd'
> > debug1: rexec_argv[1]='-d'
> > debug1: Bind to port 22 on 192.168.168.2.
> > Server listening on 192.168.168.2 port 22.
> > === and here ===
> >
> > 2. On T I run:
> > === cut here ===
> > T# ssh 192.168.168.2 -l test2
> > === and here ===
> >
> > 3. On H I see:
> > === cut here ===
> > Debug1: fd 4 clearing O_NONBLOCK
> > Debug1: Server will not fork when running in debugging mode.
> > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > debug1: inetd sockets after dupping: 3, 3
> > debug1: res_init()
> > Connection from 192.168.168.253 port 60155
> > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
> > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: permanently_set_uid: 22/22
> > debug1: list_hostkey_types: ssh-dss
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: KEX done
> > debug1: userauth-request for user test2 service ssh-connection method none
> > debug1: attempt 0 failures 0
> > debug1: PAM: initializing for "test2"
> > debug1: userauth-request for user test2 service ssh-connection method publickey
> > debug1: attempt 1 failures 1
> > debug1: PAM: setting PAM_RHOST to "192.168.168.253"
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: trying public key file /home/test2/.ssh/authorized_keys
> > debug1: trying public key file /home/test2/.ssh/authorized_keys2
> > Failed publickey for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: audit_event: unhandled event 6
> > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
> > debug1: attempt 2 failures 2
> > debug1: keyboard-interactive devs
> > debug1: auth2_challenge: user=test2 devs=
> > debug1: kbdint_alloc: devices 'pam'
> > debug1: auth2_challenge_start: trying authentication method 'pam'
> > Postponed keyboard-interactive for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: do_pam_account: called
> > debug1: PAM: num PAM env strings 0
> > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: do_pam_account: called
> > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > debug1: PAM: reinitializing credentials
> > debug1: Entering interactive session for SSH2.
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_pty_req: session 0 alloc /dev/pts/3
> > debug1: Ignoring unsupported tty mode opcode 37 (0x25)
> > debug1: Ignoring unsupported tty mode opcode 52 (0x34)
> > debug1: Ignoring unsupported tty mode opcode 71 (0x47)
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > debug1: PAM: setting PAM_TTY to "/dev/pts/3"
> > debug1: Setting controlling tty using TIOCSCTTY.
> > === and here ===
> >
> > 4. On T I am logged in on H:
> > === cut here ===
> > Password:
> > H$
> > === and here ===
> >
> > 5. I start the jail on H:
> > === cut here ===
> > H# /etc/rc.d/jail start
> > Configuring jails:.
> > Starting jails: test2.mydomain.org.
> >
> > 6. I start the ssh daemon on J:
> > === cut here ===
> > J# /usr/sbin/sshd -d
> > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: read PEM private key done: type DSA
> > debug1: private host key: #0 type 2 DSA
> > debug1: rexec_argv[0]='/usr/sbin/sshd'
> > debug1: rexec_argv[1]='-d'
> > debug1: Bind to port 22 on 192.168.168.254.
> > Server listening on 192.168.168.254 port 22.
> > === and here ===
> >
> > 7. On T I run:
> > === cut here ===
> > T# ssh 192.168.168.254 -l test2
> > === and here ===
> >
> > 8. On J I see:
> > === cut here ===
> > debug1: fd 4 clearing O_NONBLOCK
> > debug1: Server will not fork when running in debugging mode.
> > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > debug1: inetd sockets after dupping: 3, 3
> > debug1: res_init()
> > Connection from 192.168.168.253 port 52242
> > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
> > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: permanently_set_uid: 22/22
> > debug1: list_hostkey_types: ssh-dss
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: KEX done
> > debug1: userauth-request for user test2 service ssh-connection method none
> > debug1: attempt 0 failures 0
> > debug1: PAM: initializing for "test2"
> > debug1: PAM: setting PAM_RHOST to "192.168.168.253"
> > debug1: userauth-request for user test2 service ssh-connection method publickey
> > debug1: attempt 1 failures 1
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: trying public key file /home/test2/.ssh/authorized_keys
> > debug1: trying public key file /home/test2/.ssh/authorized_keys2
> > Failed publickey for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
> > debug1: attempt 2 failures 2
> > debug1: keyboard-interactive devs
> > debug1: auth2_challenge: user=test2 devs=
> > debug1: kbdint_alloc: devices 'pam'
> > debug1: auth2_challenge_start: trying authentication method 'pam'
> > Postponed keyboard-interactive for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: do_pam_account: called
> > debug1: PAM: num PAM env strings 0
> > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: do_pam_account: called
> > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > debug1: PAM: reinitializing credentials
> > debug1: Entering interactive session for SSH2.
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_new: init
> > debug1: session_new: session 0
> > openpty: No such file or directory
> > session_pty_req: session 0 alloc failed
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > === and here ===
> >
> > 9. On T the session is stuck:
> > === cut here ===
> > $ ssh 192.168.168.254 -l test2
> > Password:
> > Environment:
> > USER=test2
> > LOGNAME=test2
> > HOME=/home/test2
> > MAIL=/var/mail/test2
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/test2/bin
> > TERM=su
> > FTP_PASSIVE_MODE=YES
> > BLOCKSIZE=K
> > SHELL=/usr/local/bin/rbash
> > SSH_CLIENT=192.168.168.253 39090 22
> > SSH_CONNECTION=192.168.168.253 39090 192.168.168.254 22
> > === and here ===
> >
> > 10. On J the content of /dev/pts and /dev/pty is unchanged:
> > === cut here ===
> > J# ls -la /dev/pts
> > total 1
> > dr-xr-xr-x  2 root  wheel      512 Nov  7 16:38 .
> > dr-xr-xr-x  6 root  wheel      512 Nov  7 16:38 ..
> > crw-rw-rw-  1 root  wheel    0,  97 Nov  7 17:22 0
> > crw-rw-rw-  1 root  wheel    0, 106 Nov  7 16:56 2
> > crw-rw-rw-  1 root  wheel    0, 110 Nov  7 17:16 5
> > J# ls -la /dev/pty
> > total 1
> > dr-xr-xr-x  2 root  wheel      512 Nov  7 16:38 .
> > dr-xr-xr-x  6 root  wheel      512 Nov  7 16:38 ..
> > crw-rw-rw-  1 root  wheel    0,  95 Nov  7 17:22 0
> > crw-rw-rw-  1 root  wheel    0, 104 Nov  7 15:36 1
> > crw-rw-rw-  1 root  wheel    0, 105 Nov  7 16:56 2
> > crw-rw-rw-  1 root  wheel    0, 107 Nov  7 15:36 3
> > crw-rw-rw-  1 root  wheel    0, 108 Nov  7 15:36 4
> > crw-rw-rw-  1 root  wheel    0, 109 Nov  7 17:16 5
> > === and here ===
> >
> > regards,
> > Gepu
> >
> > On Wed, Nov 07, 2007 at 10:42:58AM +0000, Tom Evans wrote:
> > > On Tue, 2007-11-06 at 22:19 +0200, Dan Epure wrote:
> > > > Hi All,
> > > >
> > > >
> > > > I'm using on the host system (7.0-BETA2):
> > > > #sysctl kern.pts.enable
> > > > kern.pts.enable: 1
> > > > I have no problem at all.
> > > >
> > > > The jail is also 7.0-BETA2
> > > >
> > > > The problem is inside the jail openpty() can not allocate the pty:
> > > > === cut here ===
> > > > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > > > debug1: PAM: reinitializing credentials
> > > > debug1: Entering interactive session for SSH2.
> > > > debug1: server_init_dispatch_20
> > > > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > > > debug1: input_session_request
> > > > debug1: channel 0: new [server-session]
> > > > debug1: session_new: init
> > > > debug1: session_new: session 0
> > > > debug1: session_open: channel 0
> > > > debug1: session_open: session 0: link with channel 0
> > > > debug1: server_input_channel_open: confirm session
> > > > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > > > debug1: session_by_channel: session 0 channel 0
> > > > debug1: session_input_channel_req: session 0 req pty-req
> > > > debug1: Allocating pty.
> > > > debug1: session_new: init
> > > > debug1: session_new: session 0
> > > > openpty: No such file or directory
> > > > session_pty_req: session 0 alloc failed
> > > > debug1: server_input_channel_req: channel 0 request shell reply 0
> > > > debug1: session_by_channel: session 0 channel 0
> > > > debug1: session_input_channel_req: session 0 req shell
> > > > === and here ===
> > > > the ssh session just hangs. (no pty ?)
> > > >
> > > > I did not forget to mount devfs inside the jail.
> > > > The jail is configured in rc.conf:
> > > > === cut here ===
> > > > jail_enable="YES"
> > > > jail_list="test"
> > > > jail_test_hostname="test.mydomain.org"
> > > > jail_test_rootdir="/jails/test"
> > > > jail_test_interface="bge0"
> > > > jail_test_devfs_enable="YES"
> > > > jail_test_ip="192.168.10.2"
> > > > jail_set_hostname_allow="NO"
> > > > jail_sysvipc_allow="NO"
> > > > jail_socket_unixiproute_only="YES"
> > > > === and here ===
> > > > I think the problem is related to restrictions imposed by the jail.
> > > >
> > > > Please advise.
> > > >
> > > > Gepu
> > >
> > > This is because you haven't been allocated a pty inside your jail.
> > > Enable sshd inside your jail, ssh to your jail (which will allocate you
> > > a pty). Then from inside your jail, you can use any pty-using
> > > application you wish.
> > >
> > > I am presuming you are doing something like 'jexec 1 /bin/csh' or
> > > similar, and I'm only really repeating Xin Li's advice to me[1].
> > >
> > > Cheers
> > >
> > > Tom
> > >
> > > [1]
> > > http://lists.freebsd.org/pipermail/freebsd-jail/2007-October/000106.html
> > >
> > > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> >
> > ----- End forwarded message -----
> >
> > --
> > Gepu
>
> --
> Christian S.J. Peron
> csjp@FreeBSD.ORG
> FreeBSD Committer
> Index: devfs.rules
> ===================================================================
> RCS file: /usr/ncvs/src/etc/defaults/devfs.rules,v
> retrieving revision 1.4
> retrieving revision 1.5
> diff -u -r1.4 -r1.5
> --- devfs.rules 22 Apr 2006 13:42:49 -0000 1.4
> +++ devfs.rules 12 Oct 2007 14:55:41 -0000 1.5
> @@ -13,7 +13,7 @@
> # references must include a dollar sign '$' in front of the
> # name to be expanded properly.
> #
> -# $FreeBSD: src/etc/defaults/devfs.rules,v 1.4 2006/04/22 13:42:49 brueffer Exp $
> +# $FreeBSD: src/etc/defaults/devfs.rules,v 1.5 2007/10/12 14:55:41 csjp Exp $
> #
>
> # Very basic and secure ruleset: Hide everything.
> @@ -52,6 +52,8 @@
> add path 'ttyQ*' unhide
> add path 'ttyR*' unhide
> add path 'ttyS*' unhide
> +add path 'pts/*' unhide
> +add path 'pty/*' unhide
> add path fd unhide
> add path 'fd/*' unhide
> add path stdin unhide
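Review bot: the second hunk (`@@ -52,6 +52,8 @@`) adds `add path 'pts/*' unhide` and `add path 'pty/*' unhide` with no comment on why they are needed, while the surrounding context lists only the legacy `tty?*` names; add a one-line comment above the two rules saying that with kern.pts.enable=1 (as on the reporter's host, where sshd allocated /dev/pts/3) pty pairs live under pts/ and pty/, so a jail ruleset that leaves them hidden makes the allocation fail with the `openpty: No such file or directory` seen in the report. Two points for the commit message rather than the hunk: `pts/*` unhides every pty slave node present in the jail's devfs mount, not only ones opened from inside the jail (the reporter's `ls -la /dev/pts` in the jail already lists host-allocated 0, 2 and 5 as crw-rw-rw-), so the change widens what a jailed process can see and should say so; and since the reply above says the commit "slipped through the cracks in terms of an MFC", the merge to RELENG_7 needs tracking so the default jail ruleset on the release branch actually carries it.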
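A check of the ruleset logic the patch changes, added here as an illustration and not code from the thread or from FreeBSD: a POSIX sh/awk evaluator for the devfs.rules(5) forms the patched file uses, run over a constructed ruleset (the ruleset names and the pts/3 path are made up to mirror the thread) so that the hidden-before, visible-after behaviour behind the openpty() failure can be reproduced offline.

```shell
# Added example (not code from the thread or FreeBSD): a minimal evaluator for
# the devfs.rules(5) forms the patched file uses ('add hide', 'add path GLOB
# unhide', 'add include $ruleset'). Constructed rules: devfsrules_jail_old lacks
# the two lines r1.5 adds, devfsrules_jail has them.
RULES=$(cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_login_old=2]
add path 'ttyp*' unhide
[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
add path 'pts/*' unhide
add path 'pty/*' unhide
[devfsrules_jail_old=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_login_old
[devfsrules_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_login
EOF
)
# devfs_visible RULESET DEVPATH prints "visible" or "hidden". Rules run in file
# order, includes expanded in place, so a later unhide beats an earlier 'add hide'.
devfs_visible() {
    printf '%s\n' "$RULES" | awk -v want="$1" -v dev="$2" -v q="'" '
        function glob2re(g,  r, i, c) {
            r = "^"
            for (i = 1; i <= length(g); i++) {
                c = substr(g, i, 1)
                if (c == "*") r = r ".*"; else if (c == "?") r = r "."
                else if (index(".^$()|+[]\\{}", c)) r = r "\\" c; else r = r c
            }
            return r "$"
        }
        function run(rs,  i, l, g) {
            for (i = 1; i <= n[rs]; i++) {
                g = l = rule[rs, i]
                if (l ~ /^add hide$/) state = "hidden"
                else if (sub(/^add include \$/, "", g)) run(g)
                else if (sub(/^add path /, "", g)) {
                    sub(/ unhide$/, "", g); gsub(q, "", g)
                    if (dev ~ glob2re(g)) state = "visible"
                }
            }
        }
        /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/=.*$/, "", cur); next }
        !/^#/ && NF { n[cur]++; rule[cur, n[cur]] = $0 }
        END { state = "visible"; run(want); print state }
    '
}
```

`devfs_visible devfsrules_jail_old pts/3` prints hidden (the ENOENT case from the thread) and `devfs_visible devfsrules_jail pts/3` prints visible; a real /etc/defaults/devfs.rules can be checked by setting RULES from the file, bearing in mind that rule forms other than the three above are ignored.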