Why can't I access my JAIL through SSH?

Status
Not open for further replies.

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
After previously having my tv-daemon & mysql installed on the main FreeNAS partition (which worked great), I have finally decided to bite the bullet and use a JAIL as it's the recommended method.

The thing is, I've followed all the steps here but I can't connect via SSH to the JAIL using the IP address I set it to. The IP address is definitely on the same SUBNET as the router & laptop I am using, but it doesn't seem to be working.

FREENAS = 192.168.1.50
JAIL = 192.168.1.55
GATEWAY = 192.168.1.254

The JAIL is responding to PING commands, and I am assuming the JAIL supports SSH & SFTP from the off, as there doesn't appear to be PBI files for these.

Anyone any ideas how I can connect to my JAIL via SSH or SFTP?

PING RESULTS are as follows :-

Code:
Pinging 192.168.1.55 with 32 bytes of data:
Reply from 192.168.1.55: bytes=32 time=5ms TTL=64
Reply from 192.168.1.55: bytes=32 time=2ms TTL=64
Reply from 192.168.1.55: bytes=32 time=2ms TTL=64
Reply from 192.168.1.55: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.1.55:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 5ms, Average = 2ms


MESSAGES LOG is as follows :-

Code:
Feb 18 17:47:54 freenas notifier: security.jail.allow_raw_sockets: 0 -> 1
Feb 18 17:47:54 freenas notifier: Configuring jails: sysvipc_allow=YES.
Feb 18 17:47:54 freenas notifier: Starting jails: packages.
Feb 18 17:47:54 freenas kernel: bridge0: Ethernet address: 02:d8:6a:44:4b:00
Feb 18 17:47:54 freenas kernel: epair0a: Ethernet address: 02:e8:fc:00:0a:0a
Feb 18 17:47:54 freenas kernel: epair0b: Ethernet address: 02:e8:fc:00:0b:0b
Feb 18 17:47:54 freenas kernel: epair0a: link state changed to UP
Feb 18 17:47:54 freenas kernel: epair0b: link state changed to UP
Feb 18 17:47:54 freenas kernel: epair0a: promiscuous mode enabled
Feb 18 17:47:54 freenas notifier: add net default: gateway 192.168.1.254
Feb 18 17:47:54 freenas notifier: stty: stdin isn't a terminal
Feb 18 17:47:54 freenas kernel: bge0: promiscuous mode enabled
Feb 18 17:47:54 freenas notifier: /etc/rc: WARNING: $hostname is not set -- see rc.conf(5).
Feb 18 17:47:54 freenas notifier: Generating host.conf.
Feb 18 17:47:54 freenas notifier: ELF ldconfig path: /lib /usr/lib /usr/local/lib
Feb 18 17:47:54 freenas notifier: 32-bit compatibility ldconfig path: /usr/lib32
Feb 18 17:47:54 freenas notifier: Creating and/or trimming log files.
Feb 18 17:47:54 freenas notifier: Starting syslogd.
Feb 18 17:47:54 freenas notifier: Clearing /tmp (X related).
Feb 18 17:47:54 freenas notifier: Updating motd:.
Feb 18 17:47:55 freenas notifier: Starting cron.
Feb 18 17:47:55 freenas notifier: 
Feb 18 17:47:55 freenas notifier: Mon Feb 18 17:47:55 GMT 2013


Jail configuration details are as follows :-

freenas.jpg
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
Sorry!!! I missed a section that answers my question :-

---------------------------------------------------
Accessing the Plugins Jail
---------------------------------------------------
If you need to administer the contents of the Plugins Jail, make sure that the Plugins service is showing as ON in Services → Control Services, then open Shell. To determine the ID being used by the jail, use the jls command:

Code:
jls
JID  IP Address      Hostname                      Path                      
 1      -            software                      /mnt/volume1/jail/software


In this example, the jail ID is 1 and the IP Address is listed as "-", which is to be expected. To access the jail, provide the jail ID and the shell that you would like to use as options to the jexec command:

Code:
jexec 1 /bin/tcsh
software#


The software# prompt (hostname of the jail) indicates that you are now inside the Plugins Jail. By default, ssh access is not configured for the Plugins Jail. Unless you configure ssh access within the Plugins Jail, it can only be accessed through Shell.
---------------------------------------------------

To be honest, this seems like a hassle, so I'm going to look into installing SSH as a separate package on my jail. Has anyone done this before? Can it be done??
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
Hmmmm....it's a bit threadbare isn't it?

I wish the JAIL PBI came with all the commands/packages that came with FreeNAS (eg nano/sshd/python etc). Oh well, I guess it will be good to know how to install these manually for when I move to a different distro.
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
Sure, you have to manually enable SSH in the jail, /etc/rc.conf, sshd_enable=YES

Thanks William. Sounds easy enough....I'll have a go tomorrow.

I tried pkg_add -r nano, and it looked like it installed ok, but when I type "nano" I got an error. I guess I need to add some PATH substitution somewhere to pick up /usr/local/bin but am unsure where to do this. I think I need to play some more...
 

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
Do not use pkg_add, use ports... portupgrade or portmaster commands...

Read the manual from FreeBSD
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
Thanks! Particularly for the section on port compilation...essential reading for n00bs (and for appreciating the difference between packages & ports)
 

dbbd

Dabbler
Joined
Sep 28, 2013
Messages
17
Well, I still cannot connect to the jail via ssh. I do have sshd_enable="YES", the plugin in the jail (transmission like the wiki example) is up and working fine, but no ssh.

I'm trying to set up an ssh tunnel so that I will be able to access the transmission gui from outside my network. First step is ssh from within.
Any help will be great.
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
My best guess is that you are trying to login as root (which is not enabled in sshd by default for security reasons), in which case you will need to edit the /etc/ssh/sshd_config file as follows :-

#LoginGraceTime 2m
PermitRootLogin yes

Remember to remove the hash to uncomment the line, as well as setting the value to "yes". Obviously you will need to ensure your root password is set, so before trying to login via SSH, use jexec access to set the root password by typing :-

passwd

Once both steps have been done, restart ssh by typing :-

service sshd restart

That's it I think. Let me know if you have any issues.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
Also, you do not need sshd running in the jail if you only need it to create a tunnel. The "main" FreeNAS sshd can be easily used to create a tunnel to the transmission GUI running in a jail.
 

dbbd

Dabbler
Joined
Sep 28, 2013
Messages
17
My best guess is that you are trying to login as root (which is not enabled in sshd by default for security reasons), in which case you will need to edit the /etc/ssh/sshd_config file as follows :-

#LoginGraceTime 2m
PermitRootLogin yes

Remember to remove the hash to uncomment the line, as well as setting the value to "yes". Obviously you will need to ensure your root password is set, so before trying to login via SSH, use jexec access to set the root password by typing :-

passwd

Once both steps have been done, restart ssh by typing :-

service sshd restart

That's it I think. Let me know if you have any issues.
Nice guess, but no. I did an adduser in the jail (after entering exec 3 tcsh)
And would have tried to login as that user, but I don't even get a prompt. I get an access denied.
 

dbbd

Dabbler
Joined
Sep 28, 2013
Messages
17
Also, you do not need sshd running in the jail if you only need it to create a tunnel. The "main" FreeNAS sshd can be easily used to create a tunnel to the transmission GUI running in a jail.
That sounds promising. Can you explain how? Or link to an explanation? I cannot find anything specific enough on google.

Thanks,
Dan
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
Just enter <your-jail-ip>:9091 instead of localhost:9091 as the destination when you create the tunnel. Of course, you need to enable Allow TCP Port Forwarding in the SSH Configuration.
 

dbbd

Dabbler
Joined
Sep 28, 2013
Messages
17
Isn't opening the host to external ssh less secure than opening the jail itself?
If an attack uses the ssh as a vector, with a jail, it ends up nowhere.

Dan
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
I don't think there's much difference. If somebody has an exploit for OpenSSH then after "owning" your jail nothing stops them from creating a tunnel to your host SSH to hack that one too.
 

dbbd

Dabbler
Joined
Sep 28, 2013
Messages
17
Well, thanks to Dusan. I got it working.
On the client I do

ssh -L 9091:10.0.0.29:9091 myself@<my-router-ip-address>

Then in the browser I opened the url http://127.0.0.1:9091

and got my transmission web interface (from 10.0.0.29).
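
Added example, not part of any post in this thread: both sshd settings the thread relies on (PermitRootLogin for logging in to the jail, TCP forwarding for the tunnel) only count once uncommented, and sshd uses the first occurrence of a keyword. The shell check below reports the value that actually applies; the function names, the sample file and the defaults passed in are assumptions (see sshd_config(5) for your version).

```sh
#!/bin/sh
# Added example: which value will sshd really use for a keyword?
# sshd takes the FIRST uncommented occurrence; a line that still starts
# with '#' changes nothing and the built-in default stays active.

# effective_value FILE KEYWORD DEFAULT
# DEFAULT is supplied by the caller (an assumption, not read from sshd).
# Only the global section is read: parsing stops at the first Match block.
# Assumes the usual whitespace-separated "Keyword value" form.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit FILE: one line per setting, flagged where it matters for this thread.
audit() {
    root=$(effective_value "$1" PermitRootLogin no)
    fwd=$(effective_value "$1" AllowTcpForwarding yes)
    case $root in
        yes) echo "WARN PermitRootLogin=$root (root may log in with any enabled method, passwords included)" ;;
        *)   echo "OK   PermitRootLogin=$root" ;;
    esac
    case $fwd in
        no)  echo "INFO AllowTcpForwarding=$fwd (ssh -L tunnels will be refused)" ;;
        *)   echo "OK   AllowTcpForwarding=$fwd" ;;
    esac
}

# Constructed sample: the edit from the thread, with a leftover commented
# line above it and a later duplicate below it that sshd never reaches.
sample=$(mktemp /tmp/sshd_sample.XXXXXX)
cat > "$sample" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
AllowTcpForwarding no
EOF
audit "$sample"
rm -f "$sample"
```

Against a real system, run `audit /etc/ssh/sshd_config` inside the jail (via jexec) or on the host, depending on which sshd the client connects to.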
 