frebsd jails advice

James B. Byrne byrnejb at harte-lyne.ca
Tue Dec 11 16:32:17 UTC 2018 


On Tue, December 11, 2018 09:45, Andrea Venturoli wrote:
> On 12/11/18 3:23 PM, James B. Byrne via freebsd-questions wrote:
>
>> When I asked about this on this list I recall
>> being told that jails simply do not support X-windowing as a client.
>
> Don't know about gvim, but I'm sure this is completely wrong in
> general,
> as I'm doing this right now (and have been regularly doing it for some
> years). I run xterm, emacs, gnuplot, ...
>
> Do you have xauth installed in the jail?
No. But I do now.

> Does it work with "ssh -Y"?
No. The error has changed however.

[root at hll124 ~]# gvim

X11 connection rejected because of wrong authentication.

> Anything in the logs?
Not that I can see. nothing in messages, auth.log, security, userlog.

> What about ssh_config and sshd_config?
Both the client host and the jail have pretty much the same settings.

# Local overrides
AllowTcpForwarding yes
Banner /etc/ssh/ssh_pre_logon.txt
GatewayPorts yes
IgnoreRhosts yes
IgnoreUserKnownHosts no
KeepAlive yes
LoginGraceTime 60
PermitEmptyPasswords no
PermitRootLogin without-password
PrintMotd yes
PubkeyAuthentication yes
StrictModes yes
ChallengeResponseAuthentication no
MaxAuthTries 6
PasswordAuthentication yes
Protocol 2



>
> Is your jail local? I'm talking about jails on remote systems (as the
> OP did). Perhaps it's a limitation of *local* jails? I admin I never
> tried this...
>

The jail I am testing with runs as a jail on my desktop.  I run ssh
from a mate terminal that I have switched to root using 'su -m' before
running 'ssh -Xt hll124'.  However, I get exactly the same result if I
connect over ssh from a mate terminal using my normal userid.

$ ssh -X hll124
. . .
$ gvim
X11 connection rejected because of wrong authentication.
E233: cannot open display

I have also installed xauth and vim on a separate jail running on
another host and achieve the same results. If there is some other step
required then I would appreciate being told what I am missing.

When I asked about this before this is what I was told:

https://lists.freebsd.org/pipermail/freebsd-questions/2017-April/276842.html

> This is the problem
> E233: cannot open display
>
> gvim will not work if run in a jail. gvim uses x11 and x11
> needs kernel access to talk to the x11 display. Jails are
> designed on purpose to deny kernel access to secure the host
> system from attack. This is why you can never get a desktop
> to run in a jail. The other authentication error messages
> are bogus and can be ignored as misleading.
>
> This is also why gvin works when run on the host system.
>
> The bottom line here is that what your trying to run in a jail
> will NEVER work. Ezjail has no baring on this problem, its a
> design feature of jsil(8).

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the freebsd-questions mailing list