Solution for lack of TTY (giving SSH problems) when using je

Postby hopla » 08 Dec 2010, 14:33

Hi there!

You know the problem when you want to ssh from within a jail after you jexec'ed into it?

I mean this:
Code:
@host# jexec <jid> <shell>
@jail# ssh user@host
Host key verification failed.


or this:

Code:
@host# jexec <jid> <shell>
@jail# ssh user@host
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).


Or also when using screen:
Code:
@host# jexec <jid> <shell>
@jail# screen
Cannot access '/dev/pts/11': No such file or directory


As you might know, that's because you don't have a TTY when you jexec into a jail. Possible solutions for this are:

* using PKI auth (but this only solves the problem for SSH and not for other commands that need a TTY)
* running sshd in the jail and logging into the jail via SSH (but what if you want to keep your jail very secure and don't want to run sshd?)

I have now found a much better solution, that I haven't seen mentioned anywhere yet, so I thought I might want to share it with you guys:

/usr/ports/sysutils/tmux

It's a terminal multiplexer like screen, but unlike screen it works even when you jexec'ed into a jail! And because it's a terminal multiplexer, you get a TTY!

Now you can do this:

Code:
@host# jexec <jid> <shell>
@jail# tmux
@jail# ssh user@host
user@host's password:


I don't know what tmux's secret sauce is, but it's awesome!
hopla
Junior Member
 
Posts: 34
Joined: 17 Nov 2008, 08:54

Postby SirDice » 08 Dec 2010, 14:40

# jexec <jid> /usr/bin/su - works for me.
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
SirDice
Old Fart
 
Posts: 16166
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby graudeejs » 08 Dec 2010, 14:42

I'm using tmux for quite some time now...
Never thought of running tmux in jail... :D

Thanks, I already see where I could use this
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby graudeejs » 08 Dec 2010, 14:43

SirDice wrote: # jexec <jid> /usr/bin/su - works for me.


Doesn't work all that well. Can't run mksh in jail :) (Unlike with tmux)

Postby hopla » 08 Dec 2010, 14:48

SirDice wrote: # jexec <jid> /usr/bin/su - works for me.


I almost had an even bigger WOW moment, but just like killasmurf86 it doesn't seem to work for me:

Code:
# jexec 8 /usr/bin/su -
# ssh user@host
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

Postby SirDice » 08 Dec 2010, 14:55

You need to generate a host key. Have a look at the /etc/rc.d/sshd script. Normally when it runs for the first time on a clean machine it'll generate the host keys. Without the host keys ssh isn't going to work.

Postby hopla » 08 Dec 2010, 15:05

SirDice wrote: You need to generate a host key. Have a look at the /etc/rc.d/sshd script. Normally when it runs for the first time on a clean machine it'll generate the host keys. Without the host keys ssh isn't going to work.


I tested this on a jail where sshd was running. The jail most certainly has host keys. The host keys don't enter into it, it's the lack of a TTY that makes it fail.

It probably works for you because you have PKI auth set up?

See if you can run screen when you jexec into your jail. You will see the problem! Then run tmux and on top of that run screen and voila! Suddenly it works! (of course this example is silly and contrived, but perfectly illustrates the problem)

EDIT: on second thought, I think you are misunderstanding the problem on another level, SirDice, maybe because the title of this post isn't quite accurate and because the sequence of commands in the examples is misleading... When I run jexec followed by another command, that command is run IN the jail, not on the host where I ran jexec. I will edit the title and examples.

Postby SirDice » 08 Dec 2010, 15:25

Screen works for me, no problems there. I do seem to have the same ssh problem though. The error message kinda threw me off. But with -v it indeed shows that ssh fails because it cannot open a pty.

Postby hopla » 08 Dec 2010, 16:00

SirDice wrote: Screen works for me, no problems there. I do seem to have the same ssh problem though. The error message kinda threw me off. But with -v it indeed shows that ssh fails because it cannot open a pty.


Hmm... maybe we are on to something... Can you do a ls or tree of your /dev dir in the jail?

Here is mine (default ezjail jail):

Code:
@jail# tree /dev
/dev
|-- fd
|   |-- 0
|   |-- 1
|   `-- 2
|-- log -> ../var/run/log
|-- null
|-- ptmx
|-- pts
|-- random
|-- stderr -> fd/2
|-- stdin -> fd/0
|-- stdout -> fd/1
|-- urandom -> random
`-- zero


(notice the lack of /dev/tty or /dev/pts/*)

Postby SirDice » 08 Dec 2010, 16:30

Mine's the same.

Postby hopla » 08 Dec 2010, 18:08

SirDice wrote: Mine's the same.

So do you have any theory then why screen is working for you and not for me?

Postby hopla » 09 Dec 2010, 10:46

SirDice, you either have screen compiled with some options I don't know about or you have a very special jail setup or some custom kernel options (I'm running GENERIC) or you are doing something different from what I'm doing.

Because I just can't get screen to work after jexec'ing into jail. Can you please verify for us one more time that the following is absolutely 100% sure working for you? (I especially have a hard time believing this, since you stated that you DO have the same problem with SSH)

Code:
root@host# jexec <jid> sh
root@jail# screen

Screen version 4.00.03 (FAU) 23-Oct-06

<SNIP>

[Press Space or Return to end.]


Because I keep getting (except when I run tmux in the jail before screen):

Code:
root@host# jexec <jid> sh
root@jail# screen
Cannot access '/dev/pts/1': No such file or directory


(where the number 1 changes from time to time of course)

Postby tbyte » 26 Mar 2012, 07:28

hopla wrote:
Code:
root@host# jexec <jid> sh
root@jail# screen
Cannot access '/dev/pts/1': No such file or directory


(where the number 1 changes from time to time of course)


Same here ... It tries to open the same tty you have logged in on outside of the jail which is not accessible (of course) inside.
tbyte
Member
 
Posts: 109
Joined: 17 Nov 2008, 13:35
Location: Sofia, Bulgaria, EU

9.2 problem (similar solve)

Postby leebrown66 » 14 Nov 2013, 23:19

  • The console (i.e. keyboard attached to hardware) uses VTY's. Entering the jail does not populate /dev/tty (despite changing the devfs to put /dev/tty into the jail).
  • SSH (i.e. remote into the hardware) uses a TTY. Entering the jail populates the /dev/tty entry.
  • tmux puts you into a TTY. Entering the jail populates the /dev/tty entry.

Evidently /dev/tty is handled in some special way, ls -l /dev/tt* does not show it, whereas ls -l /dev/tty does at the root console.

I installed tmux and put it into the /root/.login. This ensures I'm running a TTY and never interact with the VTY.
leebrown66
Junior Member
 
Posts: 6
Joined: 15 Dec 2012, 21:15
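
A small diagnostic for the failure discussed in this thread, added here as an example and not written by any of the posters: it checks whether the terminal on stdin has a device node in the current /dev and whether /dev/tty can be opened. The function names are made up for this example, and it assumes tty(1) still reports the device name when the node is missing, as screen's error message in the thread suggests.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run it once in the shell started by
# `jexec <jid> <shell>` and once more inside tmux, then compare the reports.

# classify_tty_name NAME: is the terminal device NAME visible in this /dev?
#   ok       - NAME exists here as a character device
#   orphaned - NAME is missing from this /dev (what screen reports as
#              "Cannot access '/dev/pts/N'")
classify_tty_name() {
    if [ -c "$1" ]; then echo ok; else echo orphaned; fi
}

# stdin_tty_state: notty if stdin is not a terminal, otherwise the
# classification of the device name that tty(1) reports for it.
stdin_tty_state() {
    name=$(tty) || { echo notty; return 0; }
    classify_tty_name "$name"
}

# ctty_openable: yes/no, can this process open /dev/tty? Programs that prompt
# for a password on the terminal need this to succeed.
ctty_openable() {
    if ( : </dev/tty ) 2>/dev/null; then echo yes; else echo no; fi
}

# jail_tty_report: print both checks and a one-line verdict.
jail_tty_report() {
    state=$(stdin_tty_state)
    ctty=$(ctty_openable)
    echo "stdin terminal: $state"
    echo "/dev/tty opens: $ctty"
    if [ "$state" = ok ] && [ "$ctty" = yes ]; then
        echo "result: usable terminal"
    else
        echo "result: no usable terminal here; start tmux and run this again"
    fi
    return 0
}

jail_tty_report
```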
