Fedora Linux Support Community & Resources Center

  #1  
Old 19th March 2017, 02:44 AM
SomeDamFool Offline
SSH can't get out of jail

I've been using Firejail for a couple of apps and today decided to let it populate /usr/local/etc/firejail with profiles for many known apps. After that I couldn't connect via ssh to my other computer and found a ssh.profile in that folder. If I move ssh.profile out of /usr/local/etc/firejail I can connect but first get a message I never got before.

Redirecting symlink to /usr/bin/ssh
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 18796, child pid 18797
]0;firejail /usr/bin/ssh -l user -x -e none -q xxx.xxx.x.xx echo FISH:;exec /bin/sh -c "if env true 2>/dev/null; then env PS1= PS2= TZ=UTC LANG=C LC_ALL=C LOCALE=C /bin/sh; else PS1= PS2= TZ=UTC LANG=C LC_ALL=C LOCALE=C /bin/sh; fi" Child process initialized
The authenticity of host 'xxx.xxx.x.xx (xxx.xxx.x.xx)' can't be established.
ECDSA key fingerprint is SHA256:OqogorjxUim4FxF8dzeS2bbNhGjn3afHyAUW0qHIgpM.
ECDSA key fingerprint is MD5:7b:83:fe:94:2c:fe:36:01:16:6d:cb:55:3e:06:d0:b9.
Are you sure you want to continue connecting (yes/no)?

Firejail's instructions aren't very precise and their support is almost non-existent. This is the contents of ssh.profile. I tried commenting out some things but it didn't help. Does anyone see anything obviously wrong in it? Thanks.

Code:
# ssh client
quiet
noblacklist ~/.ssh
noblacklist /tmp/ssh-*
noblacklist /etc/ssh

include /usr/local/etc/firejail/disable-common.inc
include /usr/local/etc/firejail/disable-programs.inc
include /usr/local/etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
  #2  
Old 19th March 2017, 09:02 AM
bobx001 Offline
Re: SSH can't get out of jail

My $0.02:

The
Quote:
The authenticity of host 'xxx.xxx.x.xx (xxx.xxx.x.xx)' can't be established.
message is very common when your computer has NOT YET stored the ssh key of the remote computer.

example,
Code:
[bobx@nova ~]$ cd .ssh
[bobx@nova .ssh]$ ls -lsca
total 56
 4 drwx------  2 bobx bobx  4096 Mar  6 16:31 .
 4 drwx------ 55 bobx bobx  4096 Mar 18 07:58 ..
 4 -rw-------  1 bobx bobx   668 Aug 27  2016 id_dsa
 4 -rw-r--r--  1 bobx bobx   617 Aug 27  2016 id_dsa.pub
 4 -rw-------  1 bobx bobx   992 Aug 27  2016 identity
 4 -rw-r--r--  1 bobx bobx   657 Aug 27  2016 identity.pub
 4 -rw-------  1 bobx bobx  1675 Aug 27  2016 id_rsa
 4 -rw-r--r--  1 bobx bobx   409 Aug 27  2016 id_rsa.pub
24 -rw-r--r--  1 bobx bobx 20680 Mar 15 08:56 known_hosts
[bobx@nova .ssh]$ mv known_hosts known_hosts.DISABLED
[bobx@nova .ssh]$ ssh root@192.168.0.17
The authenticity of host '192.168.0.17 (192.168.0.17)' can't be established.
ECDSA key fingerprint is SHA256:c3n3n0Ze7tCCCigCKCO2Pvg2UevXJvfRuLKDecI3khU.
ECDSA key fingerprint is MD5:49:b0:fd:8d:c0:65:c0:6c:33:44:8b:e4:a0:ea:29:aa.
Are you sure you want to continue connecting (yes/no)?
Note: I have "removed" the file called "known_hosts", so that my machine suddenly "does not know" the remote machine. Ergo, if I decide to proceed, it just grabs the remote machine's SSH keys from the .ssh folder of the user I am connecting to, and stores it as a new known_hosts file.

Then, if I put the old file back in its place, I can ssh back in again without the message appearing:
Code:
[bobx@nova .ssh]$ mv known_hosts.DISABLED known_hosts
[bobx@nova .ssh]$ ls -lsca
total 56
 4 drwx------  2 bobx bobx  4096 Mar 19 09:01 .
 4 drwx------ 55 bobx bobx  4096 Mar 18 07:58 ..
 4 -rw-------  1 bobx bobx   668 Aug 27  2016 id_dsa
 4 -rw-r--r--  1 bobx bobx   617 Aug 27  2016 id_dsa.pub
 4 -rw-------  1 bobx bobx   992 Aug 27  2016 identity
 4 -rw-r--r--  1 bobx bobx   657 Aug 27  2016 identity.pub
 4 -rw-------  1 bobx bobx  1675 Aug 27  2016 id_rsa
 4 -rw-r--r--  1 bobx bobx   409 Aug 27  2016 id_rsa.pub
24 -rw-r--r--  1 bobx bobx 20680 Mar 19 09:01 known_hosts
[bobx@nova .ssh]$ ssh root@192.168.0.17
Last login: Sat Mar 18 21:02:45 2017 from 192.168.0.96
So I surmise the file you have removed is the equivalent of "known_hosts", but for firejail.
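Added example (not from the thread, and not Firejail's or OpenSSH's code) of the known_hosts lookup bobx001 describes above, in Python: it parses known_hosts entries (plain names, comma-separated aliases, and HashKnownHosts-style hashed names), derives the SHA256 and MD5 fingerprints that ssh prints in the prompt from the stored key blob, and reports the three outcomes a client can reach: host unknown (the prompt seen in the first post), key matches, or key changed. The Ed25519 key bytes, salt and known_hosts lines are constructed sample data, not real keys. One point worth drawing from the first post: the ssh.profile's `noblacklist ~/.ssh` lines exist because the disable-*.inc files it includes blacklist that directory, and when ssh ran under default.profile with the same includes but no exemption, known_hosts would not be visible to the sandboxed ssh; a first-contact prompt for a host you have connected to before is exactly what a missing known_hosts produces. Whatever the cause, the safe response to an unexpected prompt is to compare the displayed fingerprint against `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` (add `-E md5` for the MD5 form) run on the remote machine, rather than answering yes.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the wire blob OpenSSH stores for an ssh-ed25519 key (RFC 8709)."""
    assert len(raw_pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint exactly as ssh prints it: base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint: colon-separated lowercase hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed name field written when HashKnownHosts is on: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts name field (plain, comma list, or hashed) against host.

    Wildcards and '!' negation are not handled here; non-default ports appear
    as '[host]:port' and match only if the caller passes that exact form.
    """
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
        except ValueError:
            return False
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def find_host_keys(known_hosts_text: str, host: str):
    """Return [(keytype, blob)] for every known_hosts line that names host."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Blank lines, comments and @cert-authority/@revoked marker lines are skipped.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        names, keytype, key_b64 = parts[0], parts[1], parts[2]
        if host_matches(names, host):
            found.append((keytype, base64.b64decode(key_b64)))
    return found


def check_host(known_hosts_text: str, host: str, offered_blob: bytes) -> str:
    """Emulate the client's decision: 'unknown' (prompt), 'ok', or 'MISMATCH'."""
    keys = find_host_keys(known_hosts_text, host)
    if not keys:
        return "unknown"          # no entry: ssh asks "Are you sure you want to continue?"
    if any(blob == offered_blob for _, blob in keys):
        return "ok"               # stored key equals the offered key
    return "MISMATCH"             # entry exists but key differs: possible MITM or reinstall


# Constructed sample data: a fake 32-byte Ed25519 public key (NOT a real key),
# the known_hosts lines a client would hold for it, and a hashed alias.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_BLOB = ed25519_blob(SAMPLE_PUBKEY)
SAMPLE_SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "192.168.0.17,nova.lan ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode(),
    hash_hostname("10.0.0.5", SAMPLE_SALT) + " ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode(),
])

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_BLOB), fingerprint_md5(SAMPLE_BLOB))
    for h in ("192.168.0.17", "10.0.0.5", "192.168.0.99"):
        print(h, check_host(SAMPLE_KNOWN_HOSTS, h, SAMPLE_BLOB))
```

`ssh-keygen -F 192.168.0.17` performs the same lookup against your real ~/.ssh/known_hosts, hashed entries included, so you can confirm an entry exists before deciding whether the prompt is a missing file or a changed key.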
  #3  
Old 19th March 2017, 10:19 AM
Dutchy Offline
Re: SSH can't get out of jail

Firejail profiles are not used by default. You need to run a program through firejail or create a symlink in /usr/local/{bin|sbin} so it takes precedence. Reading your log it looks like you have a symlink for ssh somewhere in /usr/local that points to firejail. You need to remove that or use the full path to ssh everywhere to bypass Firejail.
  #4  
Old 19th March 2017, 10:48 AM
SomeDamFool Offline
Re: SSH can't get out of jail

Bobx001
I did remove ~/.ssh/known_hosts from both machines one at a time as in the past that has worked but it didn't work this time. Then I got to thinking, I just ran 'firejail cfg'... hmm. Then I found the ssh.profile in /usr/local/etc/firejail/ and found that when I removed it I could connect after saying 'yes' to the message.

Dutchy
Apparently when I ran firejail cfg it also populated /usr/local/bin with 27 symlinks, all but 2 of which I've never run with firejail, including an ssh symlink. Removing the ssh link from the folder fixed the problem, which is good, but I'll keep tinkering as if possible I'd like for firejail to work when I use ssh.
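Added example (not from the thread, and not Firejail's own code): a small POSIX shell script that makes Dutchy's explanation in post #3 and the finding in post #4 checkable on a real system. It lists which entries in a directory such as /usr/local/bin are symlinks to the firejail binary, reports whether a bare command name like `ssh` currently resolves on PATH to such a wrapper, and shows how to call the real binary directly when you need an unsandboxed run. The `/usr/bin/<name>` location used by run_unwrapped is an assumption about where the real binaries live. Firejail's own tool for these symlinks is firecfg; its `--list` and `--clean` options print and remove them, which is the supported way to undo what post #4 describes.

```shell
#!/bin/sh
# Added example: find Firejail wrapper symlinks and show what a command name
# really resolves to. Only readlink and command -v are used, so it runs anywhere.

# Print the name of every symlink in DIR whose target is a firejail binary.
list_firejail_symlinks() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            firejail|*/firejail) printf '%s\n' "${link##*/}" ;;
        esac
    done
}

# Print "firejail" if NAME resolves via PATH to a Firejail wrapper symlink,
# otherwise the path that will actually run; print "not found" and return 1
# if NAME is not on PATH at all.
resolve_command() {
    name=$1
    found=$(command -v "$name" 2>/dev/null) || { echo "not found"; return 1; }
    if [ -L "$found" ]; then
        case "$(readlink "$found")" in
            firejail|*/firejail) echo "firejail"; return 0 ;;
        esac
    fi
    echo "$found"
}

# Run NAME outside the sandbox by invoking the real binary by full path, so
# any wrapper earlier on PATH is skipped. Assumes the binary lives in /usr/bin
# (an assumption for this example). This deliberately gives up the sandbox.
run_unwrapped() {
    name=$1
    shift
    /usr/bin/"$name" "$@"
}

# Interactive usage (commented out so the file can be sourced for testing):
# list_firejail_symlinks /usr/local/bin
# resolve_command ssh
# run_unwrapped ssh -l user 192.0.2.10
```

If resolve_command prints "firejail" for ssh, every plain `ssh` invocation, including the ones launched for you by file managers and other helpers, goes through the sandbox and whatever profile Firejail selects for it; that is the situation the log in the first post shows.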

Tags
jail, ssh
