
I need your help for solving an SSH+FreeBSD+jails authentication issue.

I've (almost) successfully set up a jailed environment on my FreeBSD 8.2 box.

My FreeBSD host has 2 network interfaces: 192.168.1.41/24 (regular network) and 172.16.100.41/24 (admin network).

Its one and only jail is configured to listen on both 192.168.1.101 and 172.16.100.101 IP addresses. I have configured sshd in the jail to listen on the admin interface only (that is, 172.16.100.101).

Everything described above works, but what I can't do is connect to the jail via SSH from the host (while logged in as root on the host). After accepting the public key, I'm asked for a password (which I believe is root's password), and after 3 attempts, I always get the message "Permission denied (publickey,keyboard-interactive)". The same message is logged in the jail's /var/log/auth.log.

The following commands all yield the same result:

```
ssh 172.16.100.101
ssh root@172.16.100.101
ssh -l root 172.16.100.101
```

I'm expecting the jail's root password to be the same as my host's root password, right? What am I missing? Or where should I be looking for more hints?

Thanks for your help!

Romain

2 Answers


You should confirm that the password is set correctly by either manually copying the files in as Robert Novak suggests, or logging in to the jail with `jexec ${jailID} /bin/tcsh` and running `passwd` (you can use `jls` to find out the jail ID).

Also, verify that `PermitRootLogin yes` is set in `/etc/ssh/sshd_config`.

EDIT: After you edit or copy `/etc/master.passwd`, you need to run `/usr/sbin/pwd_mkdb -p /etc/master.passwd` to tell FreeBSD to remake the binaries based on the new file(s).

Jed Daniels
  • Thanks for pointing this out. See my answer to Robert Novak, I indeed had to explicitly set `PermitRootLogin yes` in the `sshd` config file, but I still don't understand why I also need to reset `root`'s password. – Romain Mar 01 '11 at 22:03
  • OK so I found out that you actually need to copy 4 files: `/etc/passwd`, `/etc/master.passwd` and their binary counterparts: `/etc/pwd.db` and `/etc/spwd.db`. Otherwise I guess the state is inconsistent between these pairs, and nothing works until you reset the password using `passwd`! – Romain Mar 01 '11 at 22:29
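
Added example, not part of the original answers or comments: a shell check, run on the host against a jail's root directory, that reports the three things this thread turned on: the effective `PermitRootLogin`, the state of root's password field in the jail's own `master.passwd`, and whether `spwd.db` looks older than `master.passwd`. The function names, the mtime heuristic and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Takes the jail's root directory.

# sshd uses the first value it reads for a keyword; commented lines are ignored.
# Match blocks are not evaluated here.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1/etc/ssh/sshd_config"
}

# State of root's password field in the jail's own master.passwd.
# "locked" covers any field starting with "*" (for example "*" or "*LOCKED*").
root_hash_state() {
    awk -F: '$1 == "root" {
                 if ($2 == "") print "empty"
                 else if ($2 ~ /^\*/) print "locked"
                 else print "set"
                 found = 1; exit
             }
             END { if (!found) print "missing" }' "$1/etc/master.passwd"
}

# Heuristic (assumption): spwd.db older than master.passwd means the text file
# was edited or copied in without pwd_mkdb being run afterwards.
db_state() {
    mp="$1/etc/master.passwd"; db="$1/etc/spwd.db"
    if [ ! -f "$db" ]; then echo "missing"
    elif [ "$mp" -nt "$db" ]; then echo "stale"
    else echo "fresh"
    fi
}

check_jail_root() {
    echo "PermitRootLogin: $(permit_root_login "$1")"
    echo "root password:   $(root_hash_state "$1")"
    echo "spwd.db:         $(db_state "$1")"
    [ "$(db_state "$1")" = "fresh" ] ||
        echo "run inside the jail: /usr/sbin/pwd_mkdb -p /etc/master.passwd"
}

# Constructed sample jail tree so the script runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config"
printf 'root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$demo/etc/master.passwd"
check_jail_root "$demo"
rm -rf "$demo"
```

On a real system, pass the jail's root directory on the host to `check_jail_root` instead of the constructed tree.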

Each jail should have its own passwd file. If you copied the host's /etc/master.passwd and /etc/passwd into the jails, then the passwords would be identical. Otherwise, I believe you will have to reset the password manually.

Robert Novak
  • Thanks for your help. As Jed Daniels pointed out, I also had to edit `sshd`'s config file to allow `root` login. Fair enough. But, following your advice, I've also added both `/etc/master.passwd` and `/etc/passwd` to my "base" jail (I'm using `ezjail` so I've set up my own flavour). However it turns out that even with these files copied to a new jail, I still need to issue a `jexec #j passwd` to reset `root`'s password. If I compare the host's `/etc/master.passwd` to the jail's `/etc/master.passwd`, I can see that the line corresponding to `root` is different, even with the same password. Why? – Romain Mar 01 '11 at 22:04