Bug 1013974 - connection closes after entering user-name (includes a fix)
connection closes after entering user-name (includes a fix)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: shellinabox (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Simone Caronni
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-01 03:51 EDT by Oron Peled
Modified: 2014-07-01 13:06 EDT (History)
1 user (show)

See Also:
Fixed In Version: shellinabox-2.14-27.git88822c1.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-23 21:57:43 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Oron Peled 2013-10-01 03:51:27 EDT
Description of problem:
 * Shell in a box is configured to use SSH. In /etc/sysconfig/shellinaboxd:
         OPTS="--service /:SSH"
 * I successfully connect from a browser and get a "login" prompt.
 * Upon entering the user name, the connection is closed.

Version-Release number of selected component (if applicable):

shellinabox-2.14-24.git88822c1.fc19.i686

Additional info:

Using strace on the server I found the culprit:
 * My /etc/ssh/ssh_config has a ProxyCommand (due to FreeIPA installation).
 * So the ssh client tries to run ProxyCommand with the caller shell.
 * However, shellinabox rightfully has /sbin/nologin shell.
 * Which cause a failure of ProxyCommand and as a result failure of ssh.

Workaround: I created ~shellinabox/.ssh/config containing:
 Host *
    ProxyCommand none

Proper fix:
 * The ssh command line is in shellinabox/service.c (around line 153-166).
 * The '-oProxyCommand=none' string should be added.
Comment 1 Simone Caronni 2013-10-08 08:41:24 EDT
Hello,

sorry for being late, dealing with this now. I don't know very much about the ProxyCommand thing in FreeIPA installation; my next setup of it is scheduled for next year (with RHEL's IPA). I have a few questions.

Could the change you suggest break things when connecting from a shellinabox shell to a FreeIPA? What does FreeIPA set in the ProxyCommand?

Would it be better to package the ~shellinabox/.ssh/config file in the rpm thus avoiding patching the code for the ssh call? A user could see that there's some default setting for ssh by looking at the files the package provides.

What do you think?

Thanks,
--Simone
Comment 2 Oron Peled 2013-10-10 05:16:20 EDT
Reply to comment #1

* In /etc/ssh/ssh_config (client configuration):

      ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

   This was changed by /usr/sbin/ipa-client-install
   (it's python script, you can easily verity this)

* The question about trying to login into shellinabox and
  use FreeIPA authentication is good -- I have no idea
  and suspect that skipping ProxyCommand may cause it to fail.

* If we finally decide to override ProxyCommand I think it's best
  to use the same mechanism as the other overrides --
  I.e: either put everything in ~/.ssh/config or everything
  hard-coded in shellinabox (that's the current situation).
  Otherwise, looking at the config file would be misleading.
Comment 3 Simone Caronni 2013-10-10 13:02:46 EDT
Thanks for the info.

> * The question about trying to login into shellinabox and
>   use FreeIPA authentication is good -- I have no idea
>   and suspect that skipping ProxyCommand may cause it to fail.

Well, in this case it should be better to have the option in the config file; so the user could change and look at it as much as another configuration file.
 
> * If we finally decide to override ProxyCommand I think it's best
>   to use the same mechanism as the other overrides --
>   I.e: either put everything in ~/.ssh/config or everything
>   hard-coded in shellinabox (that's the current situation).
>   Otherwise, looking at the config file would be misleading.

I can move options out of the code and put them all in the config file. Upstream project is pretty dead; so I think that whatever we choose it will eventually divert a lot from upstream.

What's your preference? I would go for moving out options from the code and ship ~/.ssh/config as a config file in the rpm.
Comment 4 Fedora Update System 2014-06-11 05:50:32 EDT
shellinabox-2.14-27.git88822c1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el6
Comment 5 Fedora Update System 2014-06-11 05:50:48 EDT
shellinabox-2.14-27.git88822c1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc19
Comment 6 Fedora Update System 2014-06-11 05:51:20 EDT
shellinabox-2.14-27.git88822c1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el5
Comment 7 Fedora Update System 2014-06-11 05:52:15 EDT
shellinabox-2.14-27.git88822c1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc20
Comment 8 Fedora Update System 2014-06-11 19:34:59 EDT
Package shellinabox-2.14-27.git88822c1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing shellinabox-2.14-27.git88822c1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1610/shellinabox-2.14-27.git88822c1.el5
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2014-06-23 21:57:43 EDT
shellinabox-2.14-27.git88822c1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-06-23 21:58:36 EDT
shellinabox-2.14-27.git88822c1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2014-07-01 13:05:50 EDT
shellinabox-2.14-27.git88822c1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-07-01 13:06:06 EDT
shellinabox-2.14-27.git88822c1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.