[gepu@iogyte.ro: Re: openpty() and jail in RELENG_7]

Dan Epure gepu at iogyte.ro
Sun Nov 11 10:12:18 PST 2007


I just used the patch and it is working.

Thank you,
Gepu

On Sun, Nov 11, 2007 at 09:31:12AM -0600, Christian S.J. Peron wrote:
> Please try the attached patch.  I have committed this to head
> and it somehow slipped through the cracks in terms of an MFC
> 
> (patch /etc/defaults/devfs.rules)
> 
> On Thu, Nov 08, 2007 at 07:30:39PM +0200, Dan Epure wrote:
> > I can provide more info on request.
> > 
> > 
> > ----- Forwarded message from Dan Epure <gepu at iogyte.ro> -----
> > 
> > Date: Wed, 7 Nov 2007 19:25:08 +0200
> > From: Dan Epure <gepu at iogyte.ro>
> > To: Tom Evans <tevans.uk at googlemail.com>
> > Cc: freebsd-stable at freebsd.org
> > Subject: Re: openpty() and jail in RELENG_7
> > 
> > Thank you for your answer.
> > 
> > This is not Xin Li's scenario.
> > 
> > Description:
> > 
> > the host of the jail - H (192.168.168.2/24)
> > the jail running on H - J (192.168.168.254/32)
> > the testing system - T (192.168.168.253/24)
> > 
> > 1. I start the ssh daemon on H:
> > === cut here ===
> > H# /usr/sbin/sshd -d
> > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: read PEM private key done: type DSA
> > debug1: private host key: #0 type 2 DSA
> > debug1: rexec_argv[0]='/usr/sbin/sshd'
> > debug1: rexec_argv[1]='-d'
> > debug1: Bind to port 22 on 192.168.168.2.
> > Server listening on 192.168.168.2 port 22.
> > === and here ===
> > 
> > 2. On T I run:
> > === cut here ===
> > T# ssh 192.168.168.2 -l test2
> > === and here ===
> >  
> > 3. On H I see:
> > === cut here ===
> > Debug1: fd 4 clearing O_NONBLOCK
> > Debug1: Server will not fork when running in debugging mode.
> > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > debug1: inetd sockets after dupping: 3, 3
> > debug1: res_init()
> > Connection from 192.168.168.253 port 60155
> > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
> > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: permanently_set_uid: 22/22
> > debug1: list_hostkey_types: ssh-dss
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: KEX done
> > debug1: userauth-request for user test2 service ssh-connection method none
> > debug1: attempt 0 failures 0
> > debug1: PAM: initializing for "test2"
> > debug1: userauth-request for user test2 service ssh-connection method publickey
> > debug1: attempt 1 failures 1
> > debug1: PAM: setting PAM_RHOST to "192.168.168.253"
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: trying public key file /home/test2/.ssh/authorized_keys
> > debug1: trying public key file /home/test2/.ssh/authorized_keys2
> > Failed publickey for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: audit_event: unhandled event 6
> > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
> > debug1: attempt 2 failures 2
> > debug1: keyboard-interactive devs 
> > debug1: auth2_challenge: user=test2 devs=
> > debug1: kbdint_alloc: devices 'pam'
> > debug1: auth2_challenge_start: trying authentication method 'pam'
> > Postponed keyboard-interactive for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: do_pam_account: called
> > debug1: PAM: num PAM env strings 0
> > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: do_pam_account: called
> > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 60155 ssh2
> > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > debug1: PAM: reinitializing credentials
> > debug1: Entering interactive session for SSH2.
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_pty_req: session 0 alloc /dev/pts/3
> > debug1: Ignoring unsupported tty mode opcode 37 (0x25)
> > debug1: Ignoring unsupported tty mode opcode 52 (0x34)
> > debug1: Ignoring unsupported tty mode opcode 71 (0x47)
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > debug1: PAM: setting PAM_TTY to "/dev/pts/3"
> > debug1: Setting controlling tty using TIOCSCTTY.
> > === and here ===
> > 
> > 4. On T I am logged in on H:
> > === cut here ===
> > Password:
> > H$ 
> > === and here ===
> > 
> > 5. I start the jail on H:
> > === cut here ===
> > H# /etc/rc.d/jail start
> > Configuring jails:.
> > Starting jails: test2.mydomain.org.
> > === and here ===
> > 
> > 6. I start the ssh daemon on J:
> > === cut here ===
> > J# /usr/sbin/sshd -d
> > debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: read PEM private key done: type DSA
> > debug1: private host key: #0 type 2 DSA
> > debug1: rexec_argv[0]='/usr/sbin/sshd'
> > debug1: rexec_argv[1]='-d'
> > debug1: Bind to port 22 on 192.168.168.254.
> > Server listening on 192.168.168.254 port 22.
> > === and here ===
> > 
> > 7. On T I run:
> > === cut here ===
> > T# ssh 192.168.168.254 -l test2
> > === and here ===
> > 
> > 8. On J I see:
> > === cut here ===
> > debug1: fd 4 clearing O_NONBLOCK
> > debug1: Server will not fork when running in debugging mode.
> > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > debug1: inetd sockets after dupping: 3, 3
> > debug1: res_init()
> > Connection from 192.168.168.253 port 52242
> > debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-5
> > debug1: match: OpenSSH_4.6p1 Debian-5 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> > debug1: permanently_set_uid: 22/22
> > debug1: list_hostkey_types: ssh-dss
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: KEX done
> > debug1: userauth-request for user test2 service ssh-connection method none
> > debug1: attempt 0 failures 0
> > debug1: PAM: initializing for "test2"
> > debug1: PAM: setting PAM_RHOST to "192.168.168.253"
> > debug1: userauth-request for user test2 service ssh-connection method publickey
> > debug1: attempt 1 failures 1
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: trying public key file /home/test2/.ssh/authorized_keys
> > debug1: trying public key file /home/test2/.ssh/authorized_keys2
> > Failed publickey for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: userauth-request for user test2 service ssh-connection method keyboard-interactive
> > debug1: attempt 2 failures 2
> > debug1: keyboard-interactive devs 
> > debug1: auth2_challenge: user=test2 devs=
> > debug1: kbdint_alloc: devices 'pam'
> > debug1: auth2_challenge_start: trying authentication method 'pam'
> > Postponed keyboard-interactive for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: do_pam_account: called
> > debug1: PAM: num PAM env strings 0
> > Postponed keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: do_pam_account: called
> > Accepted keyboard-interactive/pam for test2 from 192.168.168.253 port 52242 ssh2
> > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > debug1: PAM: reinitializing credentials
> > debug1: Entering interactive session for SSH2.
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_new: init
> > debug1: session_new: session 0
> > openpty: No such file or directory
> > session_pty_req: session 0 alloc failed
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > === and here ===
> > 
> > 9. On T the session is stuck:
> > === cut here ===
> > $ ssh 192.168.168.254 -l test2
> > Password:
> > Environment:
> >               USER=test2
> >                           LOGNAME=test2
> >                                          HOME=/home/test2
> >                                                            MAIL=/var/mail/test2
> >                                                                                  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/home/test2/bin
> >                TERM=su
> >                         FTP_PASSIVE_MODE=YES
> >                                               BLOCKSIZE=K
> >                                                            SHELL=/usr/local/bin/rbash
> >        SSH_CLIENT=192.168.168.253 39090 22
> >                                             SSH_CONNECTION=192.168.168.253 39090 192.168.168.254 22
> > === and here ===
> > 
> > 10. On J the content of /dev/pts and /dev/pty is unchanged:
> > === cut here ===
> > J# ls -la /dev/pts
> > total 1
> > dr-xr-xr-x  2 root  wheel       512 Nov  7 16:38 .
> > dr-xr-xr-x  6 root  wheel       512 Nov  7 16:38 ..
> > crw-rw-rw-  1 root  wheel    0,  97 Nov  7 17:22 0
> > crw-rw-rw-  1 root  wheel    0, 106 Nov  7 16:56 2
> > crw-rw-rw-  1 root  wheel    0, 110 Nov  7 17:16 5
> > J# ls -la /dev/pty
> > total 1
> > dr-xr-xr-x  2 root  wheel       512 Nov  7 16:38 .
> > dr-xr-xr-x  6 root  wheel       512 Nov  7 16:38 ..
> > crw-rw-rw-  1 root  wheel    0,  95 Nov  7 17:22 0
> > crw-rw-rw-  1 root  wheel    0, 104 Nov  7 15:36 1
> > crw-rw-rw-  1 root  wheel    0, 105 Nov  7 16:56 2
> > crw-rw-rw-  1 root  wheel    0, 107 Nov  7 15:36 3
> > crw-rw-rw-  1 root  wheel    0, 108 Nov  7 15:36 4
> > crw-rw-rw-  1 root  wheel    0, 109 Nov  7 17:16 5
> > === and here ===
> > 
> > regards,
> > Gepu
> > 
> > On Wed, Nov 07, 2007 at 10:42:58AM +0000, Tom Evans wrote:
> > > On Tue, 2007-11-06 at 22:19 +0200, Dan Epure wrote:
> > > > Hi All,
> > > > 
> > > > 
> > > > I'm using on the host system (7.0-BETA2):
> > > > #sysctl kern.pts.enable
> > > > kern.pts.enable: 1
> > > > I have no problem at all.
> > > > 
> > > > The jail is also 7.0-BETA2
> > > > 
> > > > The problem is inside the jail openpty() can not allocate the pty:
> > > > === cut here ===
> > > > debug1: monitor_child_preauth: test2 has been authenticated by privileged process
> > > > debug1: PAM: reinitializing credentials
> > > > debug1: Entering interactive session for SSH2.
> > > > debug1: server_init_dispatch_20
> > > > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> > > > debug1: input_session_request
> > > > debug1: channel 0: new [server-session]
> > > > debug1: session_new: init
> > > > debug1: session_new: session 0
> > > > debug1: session_open: channel 0
> > > > debug1: session_open: session 0: link with channel 0
> > > > debug1: server_input_channel_open: confirm session
> > > > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > > > debug1: session_by_channel: session 0 channel 0
> > > > debug1: session_input_channel_req: session 0 req pty-req
> > > > debug1: Allocating pty.
> > > > debug1: session_new: init
> > > > debug1: session_new: session 0
> > > > openpty: No such file or directory
> > > > session_pty_req: session 0 alloc failed
> > > > debug1: server_input_channel_req: channel 0 request shell reply 0
> > > > debug1: session_by_channel: session 0 channel 0
> > > > debug1: session_input_channel_req: session 0 req shell
> > > > === and here ===
> > > > the ssh session just hangs. (no pty ?) 
> > > > 
> > > > I did not forget to mount devfs inside the jail.
> > > > The jail is configured in rc.conf:
> > > > === cut here ===
> > > > jail_enable="YES"
> > > > jail_list="test"
> > > > jail_test_hostname="test.mydomain.org"
> > > > jail_test_rootdir="/jails/test"
> > > > jail_test_interface="bge0"
> > > > jail_test_devfs_enable="YES"
> > > > jail_test_ip="192.168.10.2"
> > > > jail_set_hostname_allow="NO"
> > > > jail_sysvipc_allow="NO"
> > > > jail_socket_unixiproute_only="YES"
> > > > === and here ===
> > > > I think the problem is related to restrictions imposed by the jail.
> > > > 
> > > > Please advise.
> > > > 
> > > > Gepu
> > > 
> > > This is because you haven't been allocated a pty inside your jail.
> > > Enable sshd inside your jail, ssh to your jail (which will allocate you
> > > a pty). Then from inside your jail, you can use any pty-using
> > > application you wish. 
> > > 
> > > I am presuming you are doing something like 'jexec 1 /bin/csh' or
> > > similar, and I'm only really repeating Xin Li's advice to me[1].
> > > 
> > > Cheers
> > > 
> > > Tom
> > > 
> > > [1]
> > > http://lists.freebsd.org/pipermail/freebsd-jail/2007-October/000106.html
> > 
> > 
> > _______________________________________________
> > freebsd-stable at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> > 
> > ----- End forwarded message -----
> > 
> > -- 
> > Gepu
> > 
> 
> -- 
> Christian S.J. Peron
> csjp at FreeBSD.ORG
> FreeBSD Committer

> Index: devfs.rules
> ===================================================================
> RCS file: /usr/ncvs/src/etc/defaults/devfs.rules,v
> retrieving revision 1.4
> retrieving revision 1.5
> diff -u -r1.4 -r1.5
> --- devfs.rules	22 Apr 2006 13:42:49 -0000	1.4
> +++ devfs.rules	12 Oct 2007 14:55:41 -0000	1.5
> @@ -13,7 +13,7 @@
>  # references must include a dollar sign '$' in front of the
>  # name to be expanded properly.
>  #
> -# $FreeBSD: src/etc/defaults/devfs.rules,v 1.4 2006/04/22 13:42:49 brueffer Exp $
> +# $FreeBSD: src/etc/defaults/devfs.rules,v 1.5 2007/10/12 14:55:41 csjp Exp $
>  #
>  
>  # Very basic and secure ruleset: Hide everything.
> @@ -52,6 +52,8 @@
>  add path 'ttyQ*' unhide
>  add path 'ttyR*' unhide
>  add path 'ttyS*' unhide
> +add path 'pts/*' unhide
> +add path 'pty/*' unhide
>  add path fd unhide
>  add path 'fd/*' unhide
>  add path stdin unhide
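Review bot: the two added rules unhide the whole pts/* and pty/* namespaces, and the hunk shows only the neighbouring tty* entries, not the header of the ruleset they belong to; the first hunk's comment describes a base ruleset that hides everything, so confirm the new lines land in the jail ruleset and not in that one. Suggest also recording in the commit message why they are needed: with kern.pts.enable=1 the slave and master nodes are /dev/pts/N and /dev/pty/N, which none of the existing 'ttyQ*', 'ttyR*', 'ttyS*' patterns match, hence openpty() failing with "No such file or directory" inside the jail while the host sshd allocates /dev/pts/3 without trouble.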

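An added example, not part of the thread or of the FreeBSD patch: a small sh check that a jail's devfs ruleset carries the two unhide rules the patch introduces, which is what separates the working host sshd from the hanging jail session above. The rule text is constructed inline in the shape of `devfs rule -s <ruleset> show` output (an assumption about that format), and ruleset 4 in the usage comment is assumed to be the default jail ruleset.

```shell
#!/bin/sh
# Audit a devfs ruleset for the entries openpty() needs on a pts(4)-based
# RELENG_7 host: 'pts/*' (slaves) and 'pty/*' (masters) must be unhidden.
# Without them openpty() returns ENOENT inside the jail, as in the thread.

# Constructed ruleset (assumed `devfs rule show` format): pre-patch state,
# only the legacy tty* names are unhidden.
OLD_RULES='100 hide
200 path ttyQ* unhide
300 path ttyR* unhide
400 path ttyS* unhide
500 path fd unhide
600 path fd/* unhide
700 path stdin unhide'

# Constructed ruleset: the same set with the two rules from the patch added.
NEW_RULES="$OLD_RULES
410 path pts/* unhide
420 path pty/* unhide"

# check_pty_rules RULES
# Prints one "missing:" line per required glob that has no unhide rule.
# Returns 0 when the ruleset is complete, 1 when something is missing.
check_pty_rules() {
    rules=$1
    missing=0
    for glob in 'pts/*' 'pty/*'; do
        # Look for a whole rule of the form "<num> path <glob> unhide";
        # -F keeps the '*' in the glob from being read as a regex.
        if ! printf '%s\n' "$rules" | grep -q -F "path $glob unhide"; then
            echo "missing: add path '$glob' unhide"
            missing=1
        fi
    done
    return $missing
}

# On a live host (ruleset 4 assumed to be the jail ruleset), run:
#   check_pty_rules "$(devfs rule -s 4 show)"
# Demonstration on the constructed rulesets:
check_pty_rules "$OLD_RULES" || echo "old ruleset is incomplete"
check_pty_rules "$NEW_RULES" && echo "patched ruleset is complete"
```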