Date:      Mon, 7 Apr 2003 22:28:11 -0600
From:      Colin Harford <charford@infinithost.com>
To:        Colin Harford <charford-list@infinithost.com>
Cc:        questions@freebsd.org
Subject:   Re: Jail and FreeBSD 5.0-Release
Message-ID:  <81E5D2D3-697A-11D7-B41C-000393A6FBE8@infinithost.com>
In-Reply-To: <071383E8-6974-11D7-B41C-000393A6FBE8@infinithost.com>

On Monday, April 7, 2003, at 09:41 PM, Colin Harford wrote:

> So, we are having a few problems with FreeBSD 5.0-Release  and  
> jail.... The two currently killing us are:
>
>
> 1) Logging over ssh to the jailed IP# takes over a minute to
> complete... I checked the sshd_config in the jail environment and
> reverse lookup is not enabled...
>

Little more on this one..

running ssh -vvv

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be  
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to IP [IP] port 22.
debug1: Connection established.
debug1: identity file /Users/charford/.ssh/identity type -1
debug1: identity file /Users/charford/.ssh/id_rsa type -1
debug1: identity file /Users/charford/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version  
OpenSSH_3.5p1 FreeBSD-20021029
debug1: match: OpenSSH_3.5p1 FreeBSD-20021029 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 1621/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename  
/Users/charford/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 35
debug1: Host 'IP' is known and matches the DSA host key.
debug1: Found key in /Users/charford/.ssh/known_hosts:35
debug1: bits set: 1617/3191
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT


this be where she would choke..

this is what happens next...


debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:  
publickey,password,keyboard-interactive
debug3: start over, passed a different list  
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /Users/charford/.ssh/identity
debug3: no such identity: /Users/charford/.ssh/identity
debug1: try privkey: /Users/charford/.ssh/id_rsa
debug3: no such identity: /Users/charford/.ssh/id_rsa
debug1: try privkey: /Users/charford/.ssh/id_dsa
debug3: no such identity: /Users/charford/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:


And since someone is going to ask:

/etc/resolv.conf in the jail
domain  infinithost.com
nameserver 129.128.5.233
nameserver 129.128.76.233
namserver 209.115.152.130

jail# cd /etc
jail# ls | grep resolv
resolv.conf
jail# ls -l | grep res
-rwxr-xr-x  1 root  wheel      1886 Apr  6 17:13 rc.resume
-rw-r--r--  1 root  wheel       101 Apr  7 22:57 resolv.conf

From inside the jail I can ssh out no problem....

Yet, when I run sshd in debug mode, the time is spent trying to do an rlookup,
even when I explicitly disable it in the jail sshd_conf.



>
> 2) After about 10 minutes, the jail environment gets toasted, as in
> that it becomes impossible to login over ssh to the jail environment...
>
>
> This is the error message:
>
> Password:
> Warning: no access to tty (Bad file descriptor).
>                                                 Thus no job control in  
> this shell.
>
>
Running SSH in debug mode:

(Colin-Harfords-Computer!/Users/charford) [charford-ttyp3]
# ssh -vvv root@<IP>
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be  
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to <IP> [<IP>] port 22.
debug1: Connection established.
debug1: identity file /Users/charford/.ssh/identity type -1
debug1: identity file /Users/charford/.ssh/id_rsa type -1
debug1: identity file /Users/charford/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version  
OpenSSH_3.5p1 FreeBSD-20021029
debug1: match: OpenSSH_3.5p1 FreeBSD-20021029 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1601/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename  
/Users/charford/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 35
debug1: Host '<IP>' is known and matches the DSA host key.
debug1: Found key in /Users/charford/.ssh/known_hosts:35
debug1: bits set: 1545/3191
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:  
publickey,password,keyboard-interactive
debug3: start over, passed a different list  
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /Users/charford/.ssh/identity
debug3: no such identity: /Users/charford/.ssh/identity
debug1: try privkey: /Users/charford/.ssh/id_rsa
debug3: no such identity: /Users/charford/.ssh/id_rsa
debug1: try privkey: /Users/charford/.ssh/id_dsa
debug3: no such identity: /Users/charford/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 20 padlen 12 extra_pad 64)
debug1: authentications that can continue:  
publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 21 padlen 11 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: ssh-userauth2 successful: method keyboard-interactive
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 9600
debug3: tty_make_modes: ispeed 9600
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 8
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 255
debug3: tty_make_modes: 7 255
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 11 25
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 17 20
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 1
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 1
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 0
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 1
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel 0: rcvd ext data 176
debug2: channel 0: rcvd ext data 112
debug2: channel 0: rcvd ext data 50
debug2: channel 0: rcvd ext data 151
debug2: channel 0: rcvd ext data 164
Warning: no access to tty (Bad file descriptor).
                                                 Thus no job control in  
this shell.
                                                                          
           debug3: Copy environment:  
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/ 
local/bin:/usr/X11R6/bin:/root/bin
debug3: Copy environment: MAIL=/var/mail/root
debug3: Copy environment: BLOCKSIZE=K
debug3: Copy environment: FTP_PASSIVE_MODE=YES
Environment:
               USER=root
                          LOGNAME=root
                                        HOME=/root
                                                    MAIL=/var/mail/root
                                                                          
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/ 
local/bin:/usr/X11R6/bin:/root/bin
                                             TERM=su
                                                      BLOCKSIZE=K
                                                                    
FTP_PASSIVE_MODE=YES
                                                                          
                 SHELL=/bin/csh
                                                                          
                                 SSH_CLIENT=<My IP> 41414 22
           SSH_CONNECTION=<My IP> 41414 <IP> 22
                                                               debug3:  
channel_close_fds: channel 0: r -1 w -1 e -1
debug2: channel 0: written 653 to efd 6


And SSHD in -ddd



jail# /usr/sbin/sshd -ddd
debug1: sshd version OpenSSH_3.5p1 FreeBSD-20021029
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on <IP>.
Server listening on <IP> port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from <My IP> port 41414
debug1: Client protocol version 2.0; client software version  
OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.5p1 FreeBSD-20021029
debug2: Network child is on pid 89503
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 22:22
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:  
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- 
cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit:  
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1- 
96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: monitor_read: checking request 0
debug3: mm_request_receive entering
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 106/256
debug1: bits set: 1545/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1601/3191
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: monitor_read: checking request 4
debug3: mm_request_receive entering
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x8074200(55)
debug3: mm_request_send entering: type 5
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address <My IP>.
debug1: userauth-request for user root service ssh-connection method  
none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_answer_pwnamallow
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 41
debug3: monitor_read: checking request 41
debug1: Starting up PAM with username "root"
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: Trying to reverse map address <My IP>.
debug1: PAM setting rhost to "mail.infinithost.com"
debug2: monitor_read: 41 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for root from <My IP> port 41414 ssh2
Failed none for root from <My IP> port 41414 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method  
keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_pam_init_ctx
debug3: mm_request_send entering: type 42
debug3: mm_pam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: monitor_read: checking request 42
debug3: mm_request_receive_expect entering: type 43
debug3: mm_answer_pam_init_ctx
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 43
debug3: mm_pam_query
debug3: mm_request_send entering: type 44
debug3: mm_pam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 44
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
debug3: mm_request_send entering: type 45
debug3: ssh_msg_recv entering
debug3: mm_request_receive entering
debug3: mm_pam_query: pam_query returned 0
Postponed keyboard-interactive for root from <My IP> port 41414 ssh2
debug3: mm_pam_respond
debug3: mm_request_send entering: type 46
debug3: mm_pam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_respond
debug2: pam_respond
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 47
debug3: mm_pam_respond: pam_respond returned 1
debug3: mm_request_receive entering
debug3: mm_pam_query
debug3: mm_request_send entering: type 44
debug3: monitor_read: checking request 44
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
debug3: mm_pam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug3: ssh_msg_send: type 9
authentication error
debug3: mm_request_send entering: type 45
debug3: mm_request_receive entering
debug3: mm_pam_query: pam_query returned -1
debug2: auth2_challenge_start: devices <empty>
debug3: mm_pam_free_ctx
debug3: mm_request_send entering: type 48
debug3: mm_pam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_free_ctx
debug3: mm_request_send entering: type 49
debug2: monitor_read: 48 used once, disabling now
Failed keyboard-interactive/pam for root from <My IP> port 41414 ssh2
Failed keyboard-interactive/pam for root from <My IP> port 41414 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method  
keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_pam_init_ctx
debug3: mm_request_send entering: type 42
debug3: mm_pam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 43
debug3: monitor_read: checking request 42
debug3: mm_request_receive entering
debug3: mm_answer_pam_init_ctx
debug3: mm_request_send entering: type 43
debug3: mm_pam_query
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 44
debug3: mm_pam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug3: monitor_read: checking request 44
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 45
debug3: mm_request_receive entering
debug3: mm_pam_query: pam_query returned 0
Postponed keyboard-interactive for root from <My IP> port 41414 ssh2
debug3: mm_pam_respond
debug3: mm_request_send entering: type 46
debug3: mm_pam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_respond
debug2: pam_respond
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 47
debug3: mm_request_receive entering
debug3: mm_pam_respond: pam_respond returned 1
debug3: mm_pam_query
debug3: mm_request_send entering: type 44
debug3: monitor_read: checking request 44
debug3: mm_pam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_answer_pam_query
debug3: mm_request_receive_expect entering: type 45
debug3: ssh_msg_recv entering
debug3: mm_request_receive entering
debug3: ssh_msg_send: type 0
debug3: mm_request_send entering: type 45
debug3: mm_request_receive entering
debug3: mm_pam_query: pam_query returned 0
Postponed keyboard-interactive/pam for root from <My IP> port 41414 ssh2
debug3: mm_pam_respond
debug3: mm_request_send entering: type 46
debug3: mm_pam_respond: waiting for MONITOR_ANS_PAM_RESPOND
debug3: mm_request_receive_expect entering: type 47
debug3: monitor_read: checking request 46
debug3: mm_request_receive entering
debug3: mm_answer_pam_respond
debug2: pam_respond
debug3: mm_request_send entering: type 47
debug3: mm_pam_respond: pam_respond returned 0
debug3: mm_request_receive entering
debug3: mm_pam_free_ctx
debug3: mm_request_send entering: type 48
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_free_ctx
debug3: mm_pam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 49
debug2: monitor_read: 48 used once, disabling now
Accepted keyboard-interactive/pam for root from <My IP> port 41414 ssh2
debug1: monitor_child_preauth: root has been authenticated by  
privileged process
Accepted keyboard-interactive/pam for root from <My IP> port 41414 ssh2
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_send_keystate: Sending new keys: 0x8074240 0x8074200
debug3: mm_newkeys_to_blob: converting 0x8074240
debug3: mm_newkeys_to_blob: converting 0x8074200
debug3: mm_send_keystate: New keys have been sent
debug3: mm_send_keystate: Sending compression state
debug3: mm_request_send entering: type 24
debug3: mm_send_keystate: Finished sending state
debug3: mm_newkeys_from_blob: 0x8071600(118)
debug2: mac_init: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x8071600(118)
debug2: mac_init: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max  
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
openpty: No such file or directory
session_pty_req: session 0 alloc failed
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM establishing creds
debug1: fd 9 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK
debug1: fd 11 setting O_NONBLOCK
debug2: channel 0: read 176 from efd 11
debug2: channel 0: rwin 65536 elen 176 euse 1
debug2: channel 0: sent ext data 176
debug2: channel 0: read 112 from efd 11
debug2: channel 0: rwin 65360 elen 112 euse 1
debug2: channel 0: sent ext data 112
debug2: channel 0: read 50 from efd 11
debug2: channel 0: rwin 65248 elen 50 euse 1
debug2: channel 0: sent ext data 50
debug2: channel 0: read 151 from efd 11
debug2: channel 0: rwin 65198 elen 151 euse 1
debug2: channel 0: sent ext data 151
debug2: channel 0: read 164 from efd 11
debug2: channel 0: rwin 65047 elen 164 euse 1
debug2: channel 0: sent ext data 164
^C

> There is nothing out of place in the jailed environment log files  
> either...
>
>
> How jail is started:
> 1) ifconfig,
> 2) mount -t procfs proc /jail/<IP>/proc
> # jail /jail/<IP> jail <IP> /bin/sh /etc/rc
> hw.bus.devctl_disable: 1 -> 1
> Entropy harvesting:sysctl: kern.random.sys.harvest.interrupt:  
> Operation not permitted
>  interruptssysctl: kern.random.sys.harvest.ethernet: Operation not  
> permitted
>  ethernetsysctl: kern.random.sys.harvest.point_to_point: Operation not  
> permitted
>  point_to_point.
> Fast boot: skipping disk checks.
> mount: /: unknown special file or file system
> adjkerntz[87273]: sysctl(put_wallclock): Operation not permitted
> Doing initial network setup:.
> ifconfig: ioctl (SIOCDIFADDR): permission denied
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> Additional routing options:.
> Mounting NFS file systems:.
> Starting syslogd.
> syslogd: child pid 87388 exited with return code 1
> ELF ldconfig path: /usr/lib /usr/lib/compat
> a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
> Starting local daemons:.
> Updating motd.
> Starting sshd.
> Initial i386 initialization:.
> Additional ABI support:.
> Local package initialization:.
> Additional TCP options:.
> Starting cron.
> Starting background file system checks.
>
> Mon Apr  7 22:07:20 CDT 2003
>
>
> In the jail environment:
>
> rc.conf
> linux_enable="NO"
> usbd_enable="NO"
> sshd_enable="YES"
> portmap_enable="NO"
>
>
>
> In the host system:
>
> <IP Settings>
> inetd_flags="-wW -a <HOST IP>"
> sendmail_enable="NO"
> portmap_enable="NO"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> usbd_enable="YES"
> sshd_enable="YES"
>
>
> All the stuff in the man pages was done:
>
>            o   Create an empty /etc/fstab to quell startup warnings about
>                missing fstab
>            o   Disable the port mapper (/etc/rc.conf: portmap_enable="NO")
>            o   Run newaliases(1) to quell sendmail(8) warnings.
>            o   Disable interface configuration to quell startup warnings about
>                ifconfig(8) (network_interfaces="")
>            o   Configure /etc/resolv.conf so that name resolution within the
>                jail will work correctly
>            o   Set a root password, probably different from the real host system
>            o   Set the timezone
>            o   Add accounts for users in the jail environment
>            o   Install any packages that you think the environment requires
>
>
>
> Help.
>
>
> Thanks,
>
> CH
>
>
>
> This PGP  signature is signed to charford at infinithost.com.  If you  
> have received this signature from a different email account please  
> email that account and a different key will be sent.  Sorry for any  
> problems.
>
> This electronic message transmission contains information that is  
> privileged, confidential or otherwise the exclusive property of the  
> intended recipient or the sender.  This information is intended for  
> the use of the individual or entity that is the intended recipient. If  
> you are not the designated recipient, please be aware that any  
> dissemination, distribution or copying of this communication is  
> strictly prohibited.  If you have received this electronic  
> transmission in error, please notify us by electronic mail charford @  
> infinithost.com and promptly destroy the original transmission.  Thank  
> you for your assistance.