Jail sshd fails to listen to ipv6 address

[Gregory N. Schmit]

I have a jail running and the network configuration is done by the host's /etc/jail.conf. The behavior is that when the jail boots, sshd listens to the correct ipv4 address listed in the /etc/ssh/sshd_config, however it doesn't listen to the ipv6 address. I did attempt to set it to :: to see if that worked to no avail.

If I do service sshd restart, sshd comes up fine and works correctly. This seems to be the same sort of issue I mentioned in another thread with the networking not coming up immediately, and so the daemon process doesn't bind/associate correctly. I thought that the host's jail(8) would setup the networking first before running the jail's rc, and so by the time sshd got around to starting, the ipv6 address would already exist on the interface. It seems that is not happening.

Here is the relevant data:


Host's /etc/jail.conf

helios {
        path = "/server/helios";
        host.hostname = "helios";
        host.domainname = "helios.domain.com";

        ip4.addr = "lo1|192.168.99.2/24";
        ip6.addr = "vtnet0|2604:5454:5454::2002/64";

        allow.raw_sockets;
        allow.mount.devfs;
        mount.devfs;
        persist;
        exec.start = "sh /etc/rc";
}

Jail's /etc/ssh/sshd_config

ListenAddress 192.168.99.2
ListenAddress 2604:5454:5454::2002
Port 22
Port 1000
Subsystem       sftp    /usr/libexec/sftp-server

Jail sockstat

/usr/home/gns $ sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
gns      sshd       1025  3  tcp4   192.168.99.2:22       131.193.1.197:52268
gns      sshd       1025  4  stream -> ??
root     sshd       1021  3  tcp4   192.168.99.2:22       131.193.1.197:52268
root     sshd       1021  5  stream -> ??
root     cron       943   4  dgram  -> /var/run/logpriv
root     sshd       939   3  tcp4   192.168.99.2:1000     *:*
root     sshd       939   4  tcp4   192.168.99.2:22       *:*
root     syslogd    868   4  dgram  /var/run/log
root     syslogd    868   5  dgram  /var/run/logpriv
root     syslogd    868   6  udp4   192.168.99.2:514      *:*

I figured out a fix which is just to open /etc/rc.d/sshd and add a sleep 2 command in the beginning of the file, which apparently delays sshd enough to allow the ipv6 ifconfig to take effect on the interface. This seems to be a hacky fix and I still suspect I've set something up incorrectly.

Thanks all,

-gns

 

[DarkSoul]

I stumbled upon the same problem.

The funny thing is that the soon-to-be-deprecated jail_* variables in /etc/rc.conf do the job properly...

 

[SirDice]

ip4.addr = "lo1|192.168.99.2/24";
ip6.addr = "vtnet0|2604:5454:5454::2002/64";

Try removing the interface names.

 

[tnpimatt]

I just stumbled into this issue. My jail is configured thus:

ns2cad    {
        ip4.addr = lo1|172.16.16.4;
        ip6.addr = hn0|2605:7900:20:a::4;
        path = "/jails/ns2";
        mount += "/data/ns2 /jails/ns2/data nullfs rw 0 0";
    }

and sshd_config has:

ListenAddress 0.0.0.0
ListenAddress [2605:7900:20:a::4]

When the jail boots (normally, or with 'service jail start ns2') only the IPv4 address is bound by sshd. If I drop into the jail and issue: 'service sshd restart', then the IPv6 address is bound by sshd as expected.

When attempting to remove the interface names from the configuration as suggested by SirDice, then FreeBSD binds the public IPv6 address to my lo1 loopback interface, which isn't helpful.

I tried adding a few different options (netif, NETWORKING) to REQUIRE in /etc/rc.d/sshd but to no avail. Putting a sleep in the rc.d file is an ugly workaround but it does work.