Solution for lack of TTY (giving SSH problems) when using je

Hi there!

You know the problem when you want to ssh from within a jail after you jexec'ed into it?

I mean this:
Code:
@host# jexec <jid> <shell>
@jail# ssh user@host
Host key verification failed.

or this:

Code:
@host# jexec <jid> <shell>
@jail# ssh user@host
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

Or also when using screen:
Code:
@host# jexec <jid> <shell>
@jail# screen
Cannot access '/dev/pts/11': No such file or directory

As you might know, that's because you don't have a TTY when you jexec into a jail. Possible solutions for this are:

* using PKI auth (but this only solves the problem for SSH and not for other commands that need a TTY)
* running sshd in the jail and logging into the jail via SSH (but what if you want to keep your jail very secure and don't want to run sshd?)

I have now found a much better solution, that I haven't seen mentioned anywhere yet, so I thought I might want to share it with you guys:

/usr/ports/sysutils/tmux

It's a terminal multiplexer like screen, but unlike screen it works even when you jexec'ed into a jail! And because it's a terminal multiplexer, you get a TTY!

Now you can do this:

Code:
@host# jexec <jid> <shell>
@jail# tmux
@jail# ssh user@host
user@host's password:

I don't know what tmux's secret sauce is, but it's awesome!
 
I've been using tmux for quite some time now...
Never thought of running tmux in jail... :D

Thanks, I already see where I could use this
 
SirDice said:
# jexec <jid> /usr/bin/su - works for me.

I almost had an even bigger WOW moment, but just like killasmurf86 it doesn't seem to work for me:

Code:
# jexec 8 /usr/bin/su -
# ssh user@host
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
 
You need to generate a host key. Have a look at the /etc/rc.d/sshd script. Normally when it runs for the first time on a clean machine it'll generate the host keys. Without the host keys ssh isn't going to work.
 
SirDice said:
You need to generate a host key. Have a look at the /etc/rc.d/sshd script. Normally when it runs for the first time on a clean machine it'll generate the host keys. Without the host keys ssh isn't going to work.

I tested this on a jail where sshd was running. The jail most certainly has host keys. The host keys don't enter into it, it's the lack of a TTY that makes it fail.

It probably works for you because you have PKI auth set up?

See if you can run screen when you jexec into your jail. You will see the problem! Then run tmux and on top of that run screen and voila! Suddenly it works! (of course this example is silly and contrived, but perfectly illustrates the problem)

EDIT: on second thought, I think you are misunderstanding the problem on another level, SirDice, maybe because the title of this post isn't quite accurate and because the sequence of commands in the examples is misleading... When I run jexec followed by another command, that command is run IN the jail, not on the host where I ran jexec. I will edit the title and examples.
 
Screen works for me, no problems there. I do seem to have the same ssh problem though. The error message kinda threw me off. But with -v it indeed shows that ssh fails because it cannot open a pty.
 
SirDice said:
Screen works for me, no problems there. I do seem to have the same ssh problem though. The error message kinda threw me off. But with -v it indeed shows that ssh fails because it cannot open a pty.

Hmm... maybe we are on to something... Can you do a ls or tree of your /dev dir in the jail?

Here is mine (default ezjail jail):

Code:
@jail# tree /dev
/dev
|-- fd
|   |-- 0
|   |-- 1
|   `-- 2
|-- log -> ../var/run/log
|-- null
|-- ptmx
|-- pts
|-- random
|-- stderr -> fd/2
|-- stdin -> fd/0
|-- stdout -> fd/1
|-- urandom -> random
`-- zero

(notice the lack of /dev/tty or /dev/pts/*)
 
SirDice, you either have screen compiled with some options I don't know about or you have a very special jail setup or some custom kernel options (I'm running GENERIC) or you are doing something different from what I'm doing.

Because I just can't get screen to work after jexec'ing into jail. Can you please verify for us one more time that the following is absolutely 100% sure working for you? (I especially have a hard time believing this, since you stated that you DO have the same problem with SSH)

Code:
root@host# jexec <jid> sh
root@jail# screen

Screen version 4.00.03 (FAU) 23-Oct-06

<SNIP>

[Press Space or Return to end.]

Because I keep getting (except when I run tmux in the jail before screen):

Code:
root@host# jexec <jid> sh
root@jail# screen
Cannot access '/dev/pts/1': No such file or directory

(where the number 1 changes from time to time of course)
 
hopla said:
Code:
root@host# jexec <jid> sh
root@jail# screen
Cannot access '/dev/pts/1': No such file or directory

(where the number 1 changes from time to time of course)

Same here ... It tries to open the same tty you have logged in on outside of the jail which is not accessible (of course) inside.
 
9.2 problem (similar solve)

  • The console (i.e. keyboard attached to hardware) uses VTY's. Entering the jail does not populate /dev/tty (despite changing the devfs to put /dev/tty into the jail).
  • SSH (i.e. remote into the hardware) uses a TTY. Entering the jail populates the /dev/tty entry.
  • tmux puts you into a TTY. Entering the jail populates the /dev/tty entry.

Evidently /dev/tty is handled in some special way, ls -l /dev/tt* does not show it, whereas ls -l /dev/tty does at the root console.

I installed tmux and put it into the /root/.login. This ensures I'm running a TTY and never interact with the VTY.
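
Added example, not part of any post in this thread: a small sh helper that tells the cases discussed above apart (no terminal at all, a terminal whose device node is not visible in the jail's /dev, a usable terminal) and only falls back to tmux in the second case. The function names are hypothetical, and it assumes tty(1) still prints the device name when the node is absent, as screen's error message in the thread suggests.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# classify_tty NAME -- NAME is the device name tty(1) reported for stdin.
#   none    : stdin is not a terminal
#   missing : stdin is a terminal, but its node is not in this /dev
#             (the jexec case: the pty was allocated outside the jail)
#   ok      : the node exists here and is a character device
classify_tty() {
    case "$1" in
        ""|"not a tty") echo none ;;
        *) if [ -c "$1" ]; then echo ok; else echo missing; fi ;;
    esac
}

# current_tty_state -- classify whatever is attached to stdin right now.
current_tty_state() {
    name=$(tty 2>/dev/null) || name=""
    classify_tty "$name"
}

# with_tty CMD -- run CMD directly when the terminal is usable; when only
# the device node is missing, run it in a new tmux session, which allocates
# a new pty from inside the jail. With no terminal at all, tmux cannot
# attach either, so report the problem and fail.
with_tty() {
    case "$(current_tty_state)" in
        ok)      sh -c "$1" ;;
        missing) tmux new-session "$1" ;;
        none)    echo "with_tty: stdin is not a terminal" >&2; return 1 ;;
    esac
}

# Typical use inside the jail after jexec:
#   with_tty 'ssh user@host'
```
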
 