Bug 1013974

Summary: connection closes after entering user-name (includes a fix)
Product: [Fedora] Fedora Reporter: Oron Peled <oron>
Component: shellinaboxAssignee: Simone Caronni <negativo17>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: negativo17
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: shellinabox-2.14-27.git88822c1.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-24 01:57:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Oron Peled 2013-10-01 07:51:27 UTC
Description of problem:
 * Shell in a box is configured to use SSH. In /etc/sysconfig/shellinaboxd:
         OPTS="--service /:SSH"
 * I successfully connect from a browser and get a "login" prompt.
 * Upon entering the user name, the connection is closed.

Version-Release number of selected component (if applicable):

shellinabox-2.14-24.git88822c1.fc19.i686

Additional info:

Using strace on the server I found the culprit:
 * My /etc/ssh/ssh_config has a ProxyCommand (due to FreeIPA installation).
 * So the ssh client tries to run ProxyCommand with the caller shell.
 * However, shellinabox rightfully has /sbin/nologin shell.
 * Which cause a failure of ProxyCommand and as a result failure of ssh.

Workaround: I created ~shellinabox/.ssh/config containing:
 Host *
    ProxyCommand none

Proper fix:
 * The ssh command line is in shellinabox/service.c (around line 153-166).
 * The '-oProxyCommand=none' string should be added.

Comment 1 Simone Caronni 2013-10-08 12:41:24 UTC
Hello,

sorry for being late, dealing with this now. I don't know very much about the ProxyCommand thing in FreeIPA installation; my next setup of it is scheduled for next year (with RHEL's IPA). I have a few questions.

Could the change you suggest break things when connecting from a shellinabox shell to a FreeIPA? What does FreeIPA set in the ProxyCommand?

Would it be better to package the ~shellinabox/.ssh/config file in the rpm thus avoiding patching the code for the ssh call? A user could see that there's some default setting for ssh by looking at the files the package provides.

What do you think?

Thanks,
--Simone

Comment 2 Oron Peled 2013-10-10 09:16:20 UTC
Reply to comment #1

* In /etc/ssh/ssh_config (client configuration):

      ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

   This was changed by /usr/sbin/ipa-client-install
   (it's python script, you can easily verity this)

* The question about trying to login into shellinabox and
  use FreeIPA authentication is good -- I have no idea
  and suspect that skipping ProxyCommand may cause it to fail.

* If we finally decide to override ProxyCommand I think it's best
  to use the same mechanism as the other overrides --
  I.e: either put everything in ~/.ssh/config or everything
  hard-coded in shellinabox (that's the current situation).
  Otherwise, looking at the config file would be misleading.

Comment 3 Simone Caronni 2013-10-10 17:02:46 UTC
Thanks for the info.

> * The question about trying to login into shellinabox and
>   use FreeIPA authentication is good -- I have no idea
>   and suspect that skipping ProxyCommand may cause it to fail.

Well, in this case it should be better to have the option in the config file; so the user could change and look at it as much as another configuration file.
 
> * If we finally decide to override ProxyCommand I think it's best
>   to use the same mechanism as the other overrides --
>   I.e: either put everything in ~/.ssh/config or everything
>   hard-coded in shellinabox (that's the current situation).
>   Otherwise, looking at the config file would be misleading.

I can move options out of the code and put them all in the config file. Upstream project is pretty dead; so I think that whatever we choose it will eventually divert a lot from upstream.

What's your preference? I would go for moving out options from the code and ship ~/.ssh/config as a config file in the rpm.

Comment 4 Fedora Update System 2014-06-11 09:50:32 UTC
shellinabox-2.14-27.git88822c1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el6

Comment 5 Fedora Update System 2014-06-11 09:50:48 UTC
shellinabox-2.14-27.git88822c1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc19

Comment 6 Fedora Update System 2014-06-11 09:51:20 UTC
shellinabox-2.14-27.git88822c1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el5

Comment 7 Fedora Update System 2014-06-11 09:52:15 UTC
shellinabox-2.14-27.git88822c1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc20

Comment 8 Fedora Update System 2014-06-11 23:34:59 UTC
Package shellinabox-2.14-27.git88822c1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing shellinabox-2.14-27.git88822c1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1610/shellinabox-2.14-27.git88822c1.el5
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-06-24 01:57:43 UTC
shellinabox-2.14-27.git88822c1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-06-24 01:58:36 UTC
shellinabox-2.14-27.git88822c1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-07-01 17:05:50 UTC
shellinabox-2.14-27.git88822c1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-07-01 17:06:06 UTC
shellinabox-2.14-27.git88822c1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.