SSH from within a FreeBSD jail gotchas

If you’re using FreeBSD’s jail(8) mechanism (which, by the way, is similar to Solaris zones but not as fancy or as featureful), you might have occasionally seen this problem:

You’re inside the jail, and you’d like to ssh out, and you get:

[jbaltz@boron ~]$ sudo jexec -u jbaltz 1 bash
[jbaltz@xxx /]$ ssh localhost
socket: Protocol not supported
Host key verification failed.
[jbaltz@xxx /]$

...and you make ssh more verbose, and you see the following towards the end:

[root@xxx /]# ssh -v localhost
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: Device busy
Host key verification failed.

...the problem is probably that you’ve jexec(8)’d into the jail instead of logging in. ssh needs to open /dev/tty to ask its interactive questions (here, the host key confirmation), and when you connect in via jexec, you don’t create a tty:

[jbaltz@boron ~]$ sudo jexec 1 bash
[root@xxx /]# who
[root@xxx /]#

Wupsie! The solution is to log into the jail “the regular way” via ssh:

[jbaltz@boron ~]$ ssh xxx
Password:
Last login: Thu Sep 20 14:54:04 2007 from xxx.3phasec
[jbaltz@xxx ~]$ ssh localhost
socket: Protocol not supported
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is b6:d7:47:4b:25:60:75:36:2e:30:22:2f:27:ba:67:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (DSA) to the list of known hosts.
Password:
Last login: Thu Sep 20 14:54:31 2007 from xxx.3phasec
[jbaltz@xxx ~]$

and voilà, it works!
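
A preflight check for the situation described above, as an added example that is not part of the original post: it separates "the shell has a terminal on stdin but /dev/tty cannot be opened" (the jexec case) from a normal login. The function names and the optional device argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example. tty_state [DEVICE] prints: ok | inherited-fd-only | none
# DEVICE defaults to /dev/tty; the parameter exists only so the check can
# be pointed at another path for testing (an assumption of this example).
tty_state() {
    dev="${1:-/dev/tty}"
    # Open the device read-write in a subshell, as ssh does for its prompts.
    # The -c test avoids creating a file if the path does not exist.
    if [ -c "$dev" ] && ( exec 3<>"$dev" ) 2>/dev/null; then
        echo ok; return 0
    fi
    # Open failed. If stdin is still a terminal, the shell is running on a
    # descriptor inherited from outside: the jexec situation on this page.
    if [ -t 0 ]; then
        echo inherited-fd-only; return 1
    fi
    echo none; return 2
}

# Hypothetical wrapper: explain the state before you run ssh.
ssh_preflight() {
    case "$(tty_state "$@")" in
        ok) return 0 ;;
        inherited-fd-only)
            echo "no usable /dev/tty: ssh cannot ask about host keys;" \
                 "log in to the jail over ssh instead of jexec" >&2
            return 1 ;;
        *)
            echo "no terminal at all: ssh prompts will fail" >&2
            return 2 ;;
    esac
}

ssh_preflight || :
```

Run inside the jexec'd shell, this should report the inherited-fd-only state, given the "can't open /dev/tty: Device busy" line in the debug output above.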
