Solution for lack of TTY (giving SSH problems) when using je

Discussion in 'General' started by hopla, Dec 8, 2010.

  1. hopla

    hopla New Member

    Hi there!

    You know the problem when you want to ssh from within a jail after you jexec'ed into it?

    I mean this:
    Code:
    @host# jexec <jid> <shell>
    @jail# ssh user@host
    Host key verification failed.
    or this:

    Code:
    @host# jexec <jid> <shell>
    @jail# ssh user@host
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password).
    Or also when using screen:
    Code:
    @host# jexec <jid> <shell>
    @jail# screen
    Cannot access '/dev/pts/11': No such file or directory
    As you might know, that's because you don't have a TTY when you jexec into a jail. Possible solutions for this are:

    * using PKI auth (but this only solves the problem for SSH and not for other commands that need a TTY)
    * running sshd in the jail and logging into the jail via SSH (but what if you want to keep your jail very secure and don't want to run sshd?)

    I have now found a much better solution, that I haven't seen mentioned anywhere yet, so I thought I might want to share it with you guys:

    /usr/ports/sysutils/tmux

    It's a terminal multiplexer like screen, but unlike screen it works even when you jexec'ed into a jail! And because it's a terminal multiplexer, you get a TTY!

    Now you can do this:

    Code:
    @host# jexec <jid> <shell>
    @jail# tmux
    @jail# ssh user@host
    user@host's password: 
    I don't know what tmux's secret sauce is, but it's awesome!
     
  2. SirDice

    SirDice Moderator Staff Member Moderator

    # jexec <jid> /usr/bin/su - works for me.
     
  3. graudeejs

    graudeejs Member

    I've been using tmux for quite some time now...
    Never thought of running tmux in jail... :D

    Thanks, I already see where I could use this.
     
  4. graudeejs

    graudeejs Member

    Doesn't work all that well. Can't run mksh in jail :) (Unlike with tmux)
     
  5. hopla

    hopla New Member

    I almost had an even bigger WOW moment, but just like killasmurf86 it doesn't seem to work for me:

    Code:
    # jexec 8 /usr/bin/su -
    # ssh user@host
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password).
     
  6. SirDice

    SirDice Moderator Staff Member Moderator

    You need to generate a host key. Have a look at the /etc/rc.d/sshd script. Normally when it runs for the first time on a clean machine it'll generate the host keys. Without the host keys ssh isn't going to work.
     
  7. hopla

    hopla New Member

    I tested this on a jail where sshd was running. The jail most certainly has host keys. The host keys don't enter into it, it's the lack of a TTY that makes it fail.

    It probably works for you because you have PKI auth set up?

    See if you can run screen when you jexec into your jail. You will see the problem! Then run tmux and on top of that run screen and voila! Suddenly it works! (of course this example is silly and contrived, but perfectly illustrates the problem)

    EDIT: on second thought, I think you are misunderstanding the problem on another level SirDice, maybe because the title of this post isn't quite accurate and because the sequence of commands in the examples is misleading... When I run jexec followed by another command, that command is run IN the jail, not on the host where I ran jexec. I will edit the title and examples.
     
  8. SirDice

    SirDice Moderator Staff Member Moderator

    Screen works for me, no problems there. I do seem to have the same ssh problem though. The error message kinda threw me off. But with -v it indeed shows that ssh fails because it cannot open a pty.
     
  9. hopla

    hopla New Member

    Hmm... maybe we are on to something... Can you do a ls or tree of your /dev dir in the jail?

    Here is mine (default ezjail jail):

    Code:
    @jail# tree /dev
    /dev
    |-- fd
    |   |-- 0
    |   |-- 1
    |   `-- 2
    |-- log -> ../var/run/log
    |-- null
    |-- ptmx
    |-- pts
    |-- random
    |-- stderr -> fd/2
    |-- stdin -> fd/0
    |-- stdout -> fd/1
    |-- urandom -> random
    `-- zero
    
    (notice the lack of /dev/tty or /dev/pts/*)
     
  10. SirDice

    SirDice Moderator Staff Member Moderator

    Mine's the same.
     
  11. hopla

    hopla New Member

    So do you have any theory then why screen is working for you and not for me?
     
  12. hopla

    hopla New Member

    SirDice, you either have screen compiled with some options I don't know about or you have a very special jail setup or some custom kernel options (I'm running GENERIC) or you are doing something different from what I'm doing.

    Because I just can't get screen to work after jexec'ing into jail. Can you please verify for us one more time that the following is absolutely 100% sure working for you? (I especially have a hard time believing this, since you stated that you DO have the same problem with SSH)

    Code:
    root@host# jexec <jid> sh
    root@jail# screen
    
    Screen version 4.00.03 (FAU) 23-Oct-06
    
    <SNIP>
    
    [Press Space or Return to end.]
    
    Because I keep getting (except when I run tmux in the jail before screen):

    Code:
    root@host# jexec <jid> sh
    root@jail# screen
    Cannot access '/dev/pts/1': No such file or directory
    (where the number 1 changes from time to time of course)
     
  13. tbyte

    tbyte New Member

    Same here ... It tries to open the same tty you have logged in on outside of the jail which is not accessible (of course) inside.
     
  14. leebrown66

    leebrown66 New Member

    9.2 problem (similar solve)

    • The console (i.e. keyboard attached to hardware) uses VTYs. Entering the jail does not populate /dev/tty (despite changing the devfs to put /dev/tty into the jail).
    • SSH (i.e. remote into the hardware) uses a TTY. Entering the jail populates the /dev/tty entry.
    • tmux puts you into a TTY. Entering the jail populates the /dev/tty entry.

    Evidently /dev/tty is handled in some special way, ls -l /dev/tt* does not show it, whereas ls -l /dev/tty does at the root console.

    I installed tmux and put it into the /root/.login. This ensures I'm running a TTY and never interact with the VTY.
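
Added example, not part of any post in this thread: a Python check for the condition tbyte and leebrown66 describe. It reports whether stdin is a terminal whose device node exists in the current /dev, whether /dev/tty can be opened, and what a pty allocated on the spot looks like, which is what a multiplexer such as tmux does for each window. The function names are made up for this example.

```python
import os
import pty


def describe_fd(fd):
    """Report what a TTY-dependent program (ssh, screen) can learn about fd."""
    info = {"isatty": os.isatty(fd), "name": None, "node_exists": False}
    if not info["isatty"]:
        return info
    try:
        info["name"] = os.ttyname(fd)
    except OSError:
        # fd is a terminal, but its name cannot be resolved from here.
        return info
    # An inherited terminal can carry a name whose node is absent from this
    # /dev view; that is the "Cannot access '/dev/pts/N'" case in the thread.
    info["node_exists"] = os.path.exists(info["name"])
    return info


def can_open_controlling_tty():
    """ssh reads passwords from /dev/tty, not from stdin."""
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError:
        return False
    os.close(fd)
    return True


def fresh_pty_report():
    """Allocate a new pty in the current /dev and describe its slave side."""
    master, slave = pty.openpty()
    try:
        return describe_fd(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print("stdin    :", describe_fd(0))
    print("/dev/tty :", "openable" if can_open_controlling_tty() else "not openable")
    print("fresh pty:", fresh_pty_report())
```

Run it once directly after jexec and once inside tmux in the same jail, then compare the `stdin` and `/dev/tty` lines.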