I created a jail and configured sshd on it with the following options:
Code:
Port 22
Protocol 2
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
PrintLastLog yes
Compression yes
KeepAlive yes
ClientAliveInterval 60
Uselogin no
Banner /etc/ssh/banner
Subsystem sftp /usr/libexec/sftp-server
UseDNS no
MaxStartups 10:30:60
MaxAuthTries 3
UsePrivilegeSeparation yes
StrictModes yes
I started to notice a lot of lines like this in /var/log/auth:
Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'
Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'
I changed the LogLevel to DEBUG to try to find more info, but to my surprise, in DEBUG or VERBOSE mode I never got those lines.
This is the output of VERBOSE:
Feb 28 00:51:53 ssh sshd[63025]: warning: /etc/hosts.allow, line 30: can't verify hostname: getaddrinfo(189-228-129-192.static.as29550.net, AF_INET) failed
Feb 28 00:51:53 ssh sshd[63025]: Connection from 189.228.129.192 port 54551
Feb 28 00:51:54 ssh sshd[63025]: Failed none for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:54 ssh sshd[63025]: Failed publickey for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: Accepted password for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: User child is on pid 63027
The host server has FreeBSD 7.1 amd64, and the jail's make.conf looks like:
Code:
# BUILD OPTIONS
NO_ACPI= true # do not build acpiconf(8) and related programs
NO_BOOT= true # do not build boot blocks and loader
NO_BLUETOOTH= true # do not build Bluetooth related stuff
NO_FORTRAN= true # do not build g77 and related libraries
NO_GDB= true # do not build GDB
NO_GPIB= true # do not build GPIB support
NO_I4B= true # do not build isdn4bsd package
NO_IPFILTER= true # do not build IP Filter package
NO_PF= true # do not build PF firewall package
NO_AUTHPF= true # do not build and install authpf (setuid/gid)
NO_KERBEROS= true # do not build and install Kerberos 5 (KTH Heimdal)
NO_LPR= true # do not build lpr and related programs
NO_MODULES= true # do not build modules with the kernel
NO_NETCAT= true # do not build netcat
NO_NIS= true # do not build NIS support and related programs
NO_SHAREDOCS= true # do not build the 4.4BSD legacy docs
NO_USB= true # do not build usbd(8) and related programs
NO_VINUM= true # do not build Vinum utilities
NO_ATM= true # do not build ATM related programs and libraries
NO_GAMES= true # do not build games (games/ subdir)
NO_RCMDS= true # do not build or install BSD r* commands (rsh, etc).
NO_INTE6= true # do not build IPv6 related programs and libraries
NO_PROFILE= true # Avoid compiling profiled libraries
# BIND OPTIONS
NO_BIND= true # Do not build any part of BIND
NO_BIND_DNSSEC= true # Do not build dnssec-keygen, dnssec-signzone
NO_BIND_ETC= true # Do not install files to /etc/namedb
NO_BIND_LIBS_LWRES= true # Do not install the lwres library
NO_BIND_MTREE= true # Do not run mtree to create chroot directories
NO_BIND_NAMED= true # Do not build named, rndc, lwresd, etc
And the login.conf of the jail looks like:
Code:
default:\
:passwd_format=blf:\
:minpasswordlen=6:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/welcome:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:coredumpsize=0:\
:cputime=unlimited:\
:datasize=10M:\
:filesize=5m:\
:maxproc=20:\
:memorylocked=7M:\
:memoryuse=15M:\
:openfiles=50:\
:sbsize=unlimited:\
:vmemoryuse:100M:\
:stacksize=2M:\
:priority=5:\
:ignoretime@:\
:requirehome=1:\
:idletime=30:\
:umask=077:
staff:\
:ignorenologin:\
:coredumpsize=0:\
:cputime=unlimited:\
:datasize=unlimited:\
:filesize=unlimited:\
:maxproc=unlimited:\
:memorylocked=unlimited:\
:memoryuse=unlimited:\
:openfiles=unlimited: \
:sbsize=unlimited:\
:vmemoryuse:unlimited:\
:stacksize=unlimited:\
:priority=0: \
:requirehome=0: \
:tc=default:
root:\
:ignorenologin:\
:sbsize=unlimited:\
:tc=staff:
daemon:\
:tc=staff:
Any comments?