| Summary: | oo-trap-user does not honor requested command when SSH_ORIGINAL_COMMAND is unset | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OKD | Reporter: | Mark Lamourine <mlamouri> | ||||
| Component: | Containers | Assignee: | Mark Lamourine <mlamouri> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 2.x | CC: | jliggitt, wjiang | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1035358 (view as bug list) | Environment: | |||||
| Last Closed: | 2014-01-24 03:33:08 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1035358 | ||||||
| Attachments: |
|
||||||
Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set. *** Bug 1024772 has been marked as a duplicate of this bug. *** Merged Tried on devenv_4081, and try follow scenarios: 1. ssh to app with kerberos authorization 2. snapshot save app with kerberos authorization 3. git push with kerberos authorization And all about scenarios work well, so verified this issue. |
Created attachment 816907 [details] a simple script to install and initialize kerberos 5 on a devenv combination broker/console/node Description of problem: /usr/bin/oo-trap-user gets incorrect command when auth is not ssh authorized_keys entry. Version-Release number of selected component (if applicable): How reproducible: Attempt git clone using Kerberos authentication Steps to Reproduce: 1. create devenv 2. install and configure kerberos service (see attached script) 3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc) 4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal 5. switch user to u1 in /home/u1 6. attempt git clone as indicated in the output from app create Actual results: git clone attempt drops to rhcsh Expected results: git clone attempts creates local copy of app git repository Additional info: When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command. When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv). When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.