| Summary: | connection closes after entering user-name (includes a fix) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Oron Peled <oron> |
| Component: | shellinabox | Assignee: | Simone Caronni <negativo17> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | negativo17 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | shellinabox-2.14-27.git88822c1.el5 | Doc Type: | Bug Fix |
| Last Closed: | 2014-06-24 01:57:43 UTC | Type: | Bug |
Hello,

sorry for being late, dealing with this now. I don't know very much about the ProxyCommand thing in FreeIPA installation; my next setup of it is scheduled for next year (with RHEL's IPA).

I have a few questions. Could the change you suggest break things when connecting from a shellinabox shell to a FreeIPA? What does FreeIPA set in the ProxyCommand?

Would it be better to package the ~shellinabox/.ssh/config file in the rpm thus avoiding patching the code for the ssh call? A user could see that there's some default setting for ssh by looking at the files the package provides.

What do you think?

Thanks,
--Simone

Reply to comment #1

* In /etc/ssh/ssh_config (client configuration):
  `ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h`
  This was changed by /usr/sbin/ipa-client-install (it's a Python script, you can easily verify this)
* The question about trying to login into shellinabox and use FreeIPA authentication is good -- I have no idea and suspect that skipping ProxyCommand may cause it to fail.
* If we finally decide to override ProxyCommand I think it's best to use the same mechanism as the other overrides -- i.e. either put everything in ~/.ssh/config or everything hard-coded in shellinabox (that's the current situation). Otherwise, looking at the config file would be misleading.

Thanks for the info.

> * The question about trying to login into shellinabox and
> use FreeIPA authentication is good -- I have no idea
> and suspect that skipping ProxyCommand may cause it to fail.

Well, in this case it should be better to have the option in the config file; so the user could change and look at it as much as another configuration file.

> * If we finally decide to override ProxyCommand I think it's best
> to use the same mechanism as the other overrides --
> I.e: either put everything in ~/.ssh/config or everything
> hard-coded in shellinabox (that's the current situation).
> Otherwise, looking at the config file would be misleading.

I can move options out of the code and put them all in the config file. Upstream project is pretty dead; so I think that whatever we choose it will eventually divert a lot from upstream.

What's your preference? I would go for moving out options from the code and ship ~/.ssh/config as a config file in the rpm.

shellinabox-2.14-27.git88822c1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el6

shellinabox-2.14-27.git88822c1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc19

shellinabox-2.14-27.git88822c1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el5

shellinabox-2.14-27.git88822c1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc20

Package shellinabox-2.14-27.git88822c1.el5:

* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=epel-testing shellinabox-2.14-27.git88822c1.el5'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1610/shellinabox-2.14-27.git88822c1.el5
then log in and leave karma (feedback).

shellinabox-2.14-27.git88822c1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

shellinabox-2.14-27.git88822c1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

shellinabox-2.14-27.git88822c1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

shellinabox-2.14-27.git88822c1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:

* Shell in a box is configured to use SSH. In /etc/sysconfig/shellinaboxd: `OPTS="--service /:SSH"`
* I successfully connect from a browser and get a "login" prompt.
* Upon entering the user name, the connection is closed.

Version-Release number of selected component (if applicable):
shellinabox-2.14-24.git88822c1.fc19.i686

Additional info:

Using strace on the server I found the culprit:

* My /etc/ssh/ssh_config has a ProxyCommand (due to FreeIPA installation).
* So the ssh client tries to run ProxyCommand with the caller shell.
* However, shellinabox rightfully has /sbin/nologin shell.
* Which causes a failure of ProxyCommand and, as a result, failure of ssh.

Workaround: I created ~shellinabox/.ssh/config containing:

    Host *
    ProxyCommand none

Proper fix:

* The ssh command line is in shellinabox/service.c (around line 153-166).
* The '-oProxyCommand=none' string should be added.
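
The failure condition from the description, and the effect of the workaround, as an added example (not part of the bug report and not shellinabox code): a shell check that flags a service account whose nologin shell cannot run a configured ProxyCommand. The function names, the passwd entry and the temporary files are constructed for illustration, and Host/Match scoping is deliberately ignored.

```sh
#!/bin/sh
# Added example (not shellinabox code). Simplification: Host/Match scoping is
# ignored; the first ProxyCommand seen wins, user config before system config.

# Print the login shell (7th passwd field) of account $1 from passwd file $2.
account_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Print the first ProxyCommand value found in the given config files, in order.
first_proxycommand() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '{ sub(/^[ \t]+/, ""); kw = $0; sub(/[ \t=].*/, "", kw) }
             tolower(kw) == "proxycommand" {
                 sub(/^[^ \t=]+[ \t]*=?[ \t]*/, ""); print; found = 1; exit }
             END { exit !found }' "$f" && return 0
    done
    return 1
}

# Succeed, printing the reason, when ssh run as account $1 would hit this bug.
# $2 = passwd file; remaining arguments = ssh config files, highest precedence first.
proxycommand_blocked() {
    user=$1 passwd=$2; shift 2
    shell=$(account_shell "$user" "$passwd")
    case $shell in
        */nologin|*/false) ;;                  # shell refuses to run commands
        *) return 1 ;;
    esac
    pc=$(first_proxycommand "$@") || return 1  # no ProxyCommand configured
    [ "$pc" = "none" ] && return 1             # explicitly disabled
    echo "$user: login shell $shell cannot run ProxyCommand '$pc'"
}

# Constructed sample data mirroring the report (written to temporary files).
demo_dir=$(mktemp -d)
echo 'shellinabox:x:990:990::/var/lib/shellinabox:/sbin/nologin' > "$demo_dir/passwd"
echo 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h' > "$demo_dir/ssh_config"
printf 'Host *\n    ProxyCommand none\n' > "$demo_dir/user_config"

# System config only: flagged. With the workaround file read first: not flagged.
proxycommand_blocked shellinabox "$demo_dir/passwd" "$demo_dir/ssh_config" || true
proxycommand_blocked shellinabox "$demo_dir/passwd" \
    "$demo_dir/user_config" "$demo_dir/ssh_config" || echo "workaround in place"
rm -rf "$demo_dir"
```

On a live host with OpenSSH 6.8 or later, `ssh -G <host>` run as the service account prints the effective `proxycommand` with Host/Match scoping applied.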