Enable ssh within a FreeNAS Jail host

最近すっかりFreeNASに嵌っています
FreeBSDと言えばFreeBSD 2.2.8から4.7ぐらいまでは使わせていただいたのですが時代の流れとともにLinuxでの構築が増えていました

最近は個人的にFreeNAS 7, NAS4Free, FreeNAS 9と使ってきましたがFreeNAS 9はなかなかの優れものだと思います

Jailの実装でNAS専用OSという枠を超えてひとつのサーバOSと思います。初心者からハックしたい強者まで楽しめるのではないでしょうか
このようなOSを無償で利用できることに感謝です

さて、FreeNAS 9のJail hostで作業する時はFreeNAS 9にログインしてからjexecでjail hostに移動して作業を行っていました

これを直接sshでjail hostにログインできるように変更します

1. sshサーバの確認

jail hostを作成するとデフォルトでsshdサーバが有効で起動していました

Shell

root@vhost:/root # cat /etc/rc.conf portmap_enable="NO" sshd_enable="YES" sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" sendmail_msp_queue_enable="NO" hostname="vhost" devfs_enable="YES" devfs_system_ruleset="devfsrules_common"

1 2 3 4 5 6 7 8 9 10

root@vhost:/root # cat /etc/rc.conf portmap_enable="NO" sshd_enable="YES" sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" sendmail_msp_queue_enable="NO" hostname="vhost" devfs_enable="YES" devfs_system_ruleset="devfsrules_common"

2. sshd_configの確認

設定ファイルのsshd_configを確認します
rootログインとパスワード認証が無効になっているのでこのままでは誰もsshログインができません

Shell

root@vhost:/ # find / -name sshd_config /etc/ssh/sshd_config root@vhost:/ # cat /etc/ssh/sshd_config # $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ # $FreeBSD: release/9.1.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. #VersionAddendum FreeBSD-20110503 #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # The default requires explicit activation of protocol 1 #Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # Change to yes to enable built-in password authentication. #PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server # Disable HPN tuning improvements. #HPNDisabled no # Buffer size for HPN to non-HPN connections. #HPNBufferSize 2048 # TCP receive socket buffer polling for HPN. Disable on non autotuning kernels. #TcpRcvBufPoll yes # Allow the use of the NONE cipher. #NoneEnabled no # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

root@vhost:/ # find / -name sshd_config /etc/ssh/sshd_config root@vhost:/ # cat /etc/ssh/sshd_config #       $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ #       $FreeBSD: release/9.1.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $   # This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information.   # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin   # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options change a # default value.   # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options.   #VersionAddendum FreeBSD-20110503   #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::   # The default requires explicit activation of protocol 1 #Protocol 2   # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key   # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024   # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO   # Authentication:   #LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10   #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile     .ssh/authorized_keys   # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes   # Change to yes to enable built-in password authentication. #PasswordAuthentication no #PermitEmptyPasswords no   # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes   # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no   # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes   # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication.  Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM yes   #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none   # no default banner path #Banner none   # override default of no subsystems Subsystem       sftp    /usr/libexec/sftp-server   # Disable HPN tuning improvements. #HPNDisabled no   # Buffer size for HPN to non-HPN connections. #HPNBufferSize 2048   # TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels. #TcpRcvBufPoll yes   # Allow the use of the NONE cipher. #NoneEnabled no   # Example of overriding settings on a per-user basis #Match User anoncvs #       X11Forwarding no #       AllowTcpForwarding no #       ForceCommand cvs server

3. ユーザー作成

ユーザを作成します。suができるようにwheelグループに直接登録しています

Shell

root@vhost:/ # adduser Username: matsuoka Full name: Matsuoka Uid (Leave empty for default): Login group [matsuoka]: wheel Login group is wheel. Invite matsuoka into other groups? []: Login class [default]: Shell (sh csh tcsh nologin) [sh]: tcsh Home directory [/home/matsuoka]: Home directory permissions (Leave empty for default): Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Enter password: Enter password again: Lock out the account after creation? [no]: Username : matsuoka Password : ***** Full Name : Matsuoka Uid : 1010 Class : Groups : wheel Home : /home/matsuoka Home Mode : Shell : /bin/tcsh Locked : no OK? (yes/no): yes adduser: INFO: Successfully added (matsuoka) to the user database. Add another user? (yes/no): no Goodbye!

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

root@vhost:/ # adduser Username: matsuoka Full name: Matsuoka Uid (Leave empty for default): Login group [matsuoka]: wheel Login group is wheel. Invite matsuoka into other groups? []: Login class [default]: Shell (sh csh tcsh nologin) [sh]: tcsh Home directory [/home/matsuoka]: Home directory permissions (Leave empty for default): Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Enter password: Enter password again: Lock out the account after creation? [no]: Username   : matsuoka Password   : ***** Full Name  : Matsuoka Uid        : 1010 Class      : Groups     : wheel Home       : /home/matsuoka Home Mode  : Shell      : /bin/tcsh Locked     : no OK? (yes/no): yes adduser: INFO: Successfully added (matsuoka) to the user database. Add another user? (yes/no): no Goodbye!

4. sshd_configの変更

パスワード認証を有効にします

; html-script: false ] #PasswordAuthentication no PasswordAuthentication yes

1 2 3

; html-script: false ] #PasswordAuthentication no PasswordAuthentication yes

5. sshdの再起動
Shell

root@vhost:/ # find / -name sshd /etc/rc.d/sshd /etc/pam.d/sshd /usr/sbin/sshd root@vhost:/ # /etc/rc.d/sshd restart Stopping sshd. Waiting for PIDS: 38225. Starting sshd.

1 2 3 4 5 6 7 8

root@vhost:/ # find / -name sshd /etc/rc.d/sshd /etc/pam.d/sshd /usr/sbin/sshd root@vhost:/ # /etc/rc.d/sshd restart Stopping sshd. Waiting for PIDS: 38225. Starting sshd.

FreeNAS上にあるjail hostにssh接続してログインできれば完了です。あとは運用に合わせて設定変更して下さい