FreeBSD Jail and SSH - /dev/tty: No such file or directory

Posted 2024-09-15 07:41:09 · 673 characters · 12 views · 0 comments


When I try to connect through SSH from inside the JAIL I get this error:

# ssh [email protected]
...
debug1: read_passphrase: can not open /dev/tty: No such file or directory
Host key verification failed.

Outside JAIL everything is working properly. Any ideas?

Steps to reproduce:

# jls
JID  IP Address      Hostname                      Path
1     10.10.3.1       demo.example.com             /jails/demo

# jexec 1 tcsh

(inside jail:)
# ssh [email protected]


Comments (3)

恍梦境° 2024-09-22 07:41:09


Does your jail root have a populated /dev filesystem through a devfs mount? It looks like it doesn't right now.

Important note: You should be able to use devfs rules to limit the devices visible to jailed processes. In particular, access to raw disk device nodes is a bad idea. The jail(8) manpage describes this near the following paragraph:

It is important that only appropriate device nodes in devfs be exposed to a jail; access to disk devices in the jail may permit processes in the jail to bypass the jail sandboxing by modifying files outside of the jail. See devfs(8) for information on how to use devfs rules to limit access to entries in the per-jail devfs. A simple devfs ruleset for jails is available as ruleset #4 in /etc/defaults/devfs.rules.

You should be able to mount devfs under /jails/demo/dev and apply the recommended jail device rules by running as root the following commands:

# mkdir /jails/demo/dev
# mount -t devfs devfs /jails/demo/dev
# devfs -m /jails/demo/dev rule -s 4 applyset

Of course, you can also write a custom ruleset in /etc/defaults/devfs.rules, even a special devfs ruleset that only applies to a specific jail.

For more details see also the manpages for jail(8), devfs(8), and devfs.rules(5).
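A host-side check for the situation this answer describes, as an added example that is not part of the original post and not FreeBSD's own tooling: it reports whether a devfs is mounted at the jail's /dev (the cause of the read_passphrase error above) and whether any disk device nodes are visible inside it (the escape path the quoted jail(8) paragraph warns about). It also emits a per-jail ruleset stanza of the kind the answer mentions. The jail root path on the command line, the disk-name prefix list, the ruleset number 10 and the ruleset name are this example's assumptions; local rulesets belong in /etc/devfs.rules, which the devfs rc script loads at boot (see devfs.rules(5)).

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD).
# Audit a jail's /dev from the host: is devfs mounted there, and are any
# disk device nodes visible?  The mount table is read from stdin so the
# checks can run against live `mount` output or a saved copy.
# Assumptions: $1 is the jail root, e.g.  mount | audit_jail_dev /jails/demo

# Device-name prefixes that must never be visible inside a jail.  Ruleset 4
# in /etc/defaults/devfs.rules already hides them; this re-checks the result.
DISK_PREFIXES='ada da md nvd nvme vtbd mmcsd'

# Exit 0 when the mount table on stdin shows a devfs mounted at $1/dev.
# FreeBSD prints such lines as "devfs on /jails/demo/dev (devfs)".
devfs_mounted() {
    grep -q "^devfs on $1/dev (devfs"
}

# Print names under $1/dev that look like disk devices, one per line.
# Matches whole disks and partitions alike (ada0, ada0p1, da0s1a, md0 ...).
exposed_disk_devices() {
    for name in $(ls "$1/dev" 2>/dev/null); do
        for prefix in $DISK_PREFIXES; do
            case $name in
                "$prefix"[0-9]*) echo "$name" ;;
            esac
        done
    done
}

# Run both checks; exit 0 only when devfs is mounted and nothing disk-like
# is exposed.  Every finding is printed so the output doubles as a report.
audit_jail_dev() {
    root=$1
    status=0
    if devfs_mounted "$root"; then
        echo "ok:   devfs mounted at $root/dev"
    else
        echo "FAIL: no devfs at $root/dev (ssh inside cannot open /dev/tty)"
        status=1
    fi
    disks=$(exposed_disk_devices "$root")
    if [ -n "$disks" ]; then
        echo "FAIL: disk device nodes visible in jail:" $disks
        status=1
    else
        echo "ok:   no disk device nodes visible under $root/dev"
    fi
    return $status
}

# A per-jail stanza for /etc/devfs.rules that starts from the default jail
# ruleset (#4) and explicitly hides disk nodes on top of it.  Ruleset number
# 10 and the name are this example's choice.  After adding it, reload the
# rulesets and apply:  service devfs restart; devfs -m /jails/demo/dev rule -s 10 applyset
demo_jail_ruleset() {
    cat <<'EOF'
[devfsrules_jail_demo=10]
add include $devfsrules_jail
add path 'ada*' hide
add path 'da*' hide
add path 'md*' hide
add path 'nvd*' hide
add path 'nvme*' hide
EOF
}

# Stand-alone use: audit the jail root given on the command line.
if [ -n "$1" ]; then
    mount | audit_jail_dev "$1"
fi
```

Run as `sh audit_jail_dev.sh /jails/demo` on the host; a non-zero exit means either the devfs mount is missing (this question's symptom) or the jail can see disk nodes and the ruleset needs fixing before the jail is trusted.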

心房的律动 2024-09-22 07:41:09


You may also experience this if you've entered the jail via the jail command. If you start up the jail and SSH into it, you should have better luck.

无人问我粥可暖 2024-09-22 07:41:09


The devfs filesystem is probably not mounted in your jail. Many things will fail, not just ssh.

To mount a properly-filtered devfs automatically, your best bet is to use rc.conf variables:

jail_enable=YES
jail_list="JAILNAME"
jail_devfs_enable=YES
jail_JAILNAME_rootdir='/jails/demo'
jail_JAILNAME_hostname="demo"

Then you can start/stop it using "/etc/rc.d/jail start demo", e
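The jail_* rc.conf variables used in this answer were deprecated in favour of jail.conf(5) and are no longer supported by the jail rc script on current FreeBSD releases. As an added example that is not part of the original post, here is the equivalent jail.conf stanza for the jail shown in the question's jls output (path, hostname and address taken from there; the exec.start and exec.stop lines are the standard rc hooks for a full jail):

```conf
# /etc/jail.conf (added example, not from the original post)
demo {
    path = "/jails/demo";
    host.hostname = "demo.example.com";
    ip4.addr = 10.10.3.1;

    # Mount devfs at $path/dev when the jail starts and apply the default
    # jail ruleset (#4 in /etc/defaults/devfs.rules), which exposes /dev/tty,
    # pts, null, random and friends but hides disk devices.
    mount.devfs;
    devfs_ruleset = 4;

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    exec.clean;
}
```

With that in place rc.conf only needs jail_enable="YES" and jail_list="demo", and `service jail start demo` brings the jail up with a filtered devfs already mounted, so ssh inside it can open /dev/tty. Entering a jail that was started this way, rather than one built by hand around jexec, is what the second answer is pointing at.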
