Date: Thu, 17 Mar 2005 09:43:17 -0600
From: Nathan Kinkade <nkinkade@ub.edu.bz>
To: "Eugene M. Minkovskii" <emin@mccme.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd behaviour
Message-ID: <20050317154317.GZ8226@gentoo-npk.bmp.ub>
In-Reply-To: <20050316170448.GA29054@mccme.ru>
References: <20050316074108.GA18643@mccme.ru> <20050316160044.GS8226@gentoo-npk.bmp.ub> <20050316170448.GA29054@mccme.ru>
On Wed, Mar 16, 2005 at 08:04:48PM +0300, Eugene M. Minkovskii wrote:
> On Wed, Mar 16, 2005 at 10:00:44AM -0600, Nathan Kinkade wrote:
> "
> " As another poster mentioned, the problem is likely related to DNS, and I
> " have experienced it as well. If you are using Privilege Separation,
> " then an sshd process will chroot itself into /var/empty before
> " performing authentication. /var/empty is itself usually empty. One
> " thing you can do is to make the dir /var/empty/etc and then drop a copy
> " of your /etc/hosts file into the newly created /var/empty/etc/
> " directory. You might want to make sure that the hosts file contains a
> " mapping to the LAN machines which you want to ssh from.
> "
> " Keep in mind that /var/empty has the schg flag set, so you won't be able
> " to copy anything to it without disabling this first. See more at `man
> " chflags`. Try something like this:
> "
> " # chflags -R noschg /var/empty
> " # mkdir /var/empty/etc
> " # cp /etc/hosts /var/empty/etc
> " # chflags -R schg /var/empty
> "
> " This will likely clear up your problem.
> "
> " Nathan
>
> Thank you, Nathan. Can I put a soft link into /var/empty/etc (this
> is a cross-device link, and I can't put a hard link in it)? And do I
> really need the -R key in the last command which you recommended? This means
> that directory /var/empty/etc has the schg flag too. Is it necessary?

From `man sshd`:

    /var/empty
        chroot(2) directory used by sshd during privilege separation in the
        pre-authentication phase. The directory should not contain any files
        and must be owned by root and not group or world-writable.

I assume you can follow these rules. The noschg flags may be something that the FreeBSD developers decided to do for added security, and I don't see any practical reason to alter it.
Regarding soft/hard links in the chrooted dir, I don't know if that would work. I suspect no, as it would somewhat defeat the purpose of the chroot.

Cross-device link error: hard links will only work within a single filesystem, not across multiple filesystems.

Nathan
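As an added example, not part of Nathan's or Eugene's messages and not FreeBSD's own tooling, here is a small POSIX shell audit of the privilege-separation chroot against the `man sshd` rules quoted above (root-owned, not group- or world-writable, nothing inside except the deliberately placed etc/hosts), plus a check that the copied hosts file actually maps a given LAN hostname. The directory and expected owner are parameters so the functions can be exercised on a constructed directory; for the setup in the thread they would be `/var/empty` and `root`.

```shell
#!/bin/sh
# Audit a privsep chroot directory the way the sshd man page describes it.
# Usage: check_privsep_dir /var/empty root
# Returns 0 when every rule holds, 1 otherwise (problems are printed).
check_privsep_dir() {
    dir=$1
    want_owner=${2:-root}
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    # `ls -ld` has the same leading fields on FreeBSD and Linux:
    # mode string, link count, owner, group, ...
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner"; rc=1; }

    # mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other
    case $mode in ?????w*)    echo "group-writable: $dir"; rc=1 ;; esac
    case $mode in ????????w*) echo "world-writable: $dir"; rc=1 ;; esac

    # The only things that belong in the chroot are etc/ and etc/hosts.
    extra=$(find "$dir" -mindepth 1 ! -path "$dir/etc" ! -path "$dir/etc/hosts")
    if [ -n "$extra" ]; then
        echo "unexpected entries under $dir:"
        echo "$extra"
        rc=1
    fi
    return $rc
}

# Does the hosts file map the hostname the chrooted sshd will look up?
# Usage: hosts_has_entry /var/empty/etc/hosts lanbox
# Comments are stripped and matching is case-insensitive, as hosts lookups are.
hosts_has_entry() {
    awk -v h="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}
```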
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050317154317.GZ8226>