Description of problem:
* Shell in a box is configured to use SSH. In /etc/sysconfig/shellinaboxd:
    OPTS="--service /:SSH"
* I successfully connect from a browser and get a "login" prompt.
* Upon entering the user name, the connection is closed.
Version-Release number of selected component (if applicable):
shellinabox-2.14-24.git88822c1.fc19.i686
Additional info:
Using strace on the server I found the culprit:
* My /etc/ssh/ssh_config has a ProxyCommand (due to FreeIPA installation).
* So the ssh client tries to run ProxyCommand with the caller shell.
* However, shellinabox rightfully has /sbin/nologin shell.
* Which causes a failure of ProxyCommand and, as a result, failure of ssh.
Workaround:
I created ~shellinabox/.ssh/config containing:
    Host *
        ProxyCommand none
Proper fix:
* The ssh command line is in shellinabox/service.c (around line 153-166).
* The '-oProxyCommand=none' string should be added.
Hello, sorry for being late, dealing with this now. I don't know very much about the ProxyCommand thing in FreeIPA installation; my next setup of it is scheduled for next year (with RHEL's IPA). I have a few questions. Could the change you suggest break things when connecting from a shellinabox shell to a FreeIPA? What does FreeIPA set in the ProxyCommand? Would it be better to package the ~shellinabox/.ssh/config file in the rpm thus avoiding patching the code for the ssh call? A user could see that there's some default setting for ssh by looking at the files the package provides. What do you think? Thanks, --Simone
Reply to comment #1
* In /etc/ssh/ssh_config (client configuration):
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
  This was changed by /usr/sbin/ipa-client-install (it's a Python script, you can easily verify this)
* The question about trying to login into shellinabox and use FreeIPA authentication is good -- I have no idea and suspect that skipping ProxyCommand may cause it to fail.
* If we finally decide to override ProxyCommand I think it's best to use the same mechanism as the other overrides -- i.e. either put everything in ~/.ssh/config or everything hard-coded in shellinabox (that's the current situation). Otherwise, looking at the config file would be misleading.
Thanks for the info.
> * The question about trying to login into shellinabox and
>   use FreeIPA authentication is good -- I have no idea
>   and suspect that skipping ProxyCommand may cause it to fail.
Well, in this case it should be better to have the option in the config file; so the user could change and look at it as much as another configuration file.
> * If we finally decide to override ProxyCommand I think it's best
>   to use the same mechanism as the other overrides --
>   I.e: either put everything in ~/.ssh/config or everything
>   hard-coded in shellinabox (that's the current situation).
>   Otherwise, looking at the config file would be misleading.
I can move options out of the code and put them all in the config file. Upstream project is pretty dead; so I think that whatever we choose it will eventually divert a lot from upstream. What's your preference? I would go for moving out options from the code and ship ~/.ssh/config as a config file in the rpm.
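The failure mode from the description and the ~/.ssh/config workaround discussed above can be checked before deployment. The following is an added example, not code from this bug report or from shellinabox: the function names and the host "localhost" are hypothetical, the sample configs are constructed from the lines quoted in this thread, and Match blocks are deliberately not evaluated.

```python
import re
from fnmatch import fnmatchcase

# Shells that refuse to run commands (typical for service accounts).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# "Keyword value" or "Keyword=value", as ssh_config allows.
OPTION = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def host_matches(host, patterns):
    """Host line: one positive pattern must match and no negated one may."""
    pats = patterns.split()
    if any(p.startswith("!") and fnmatchcase(host, p[1:]) for p in pats):
        return False
    return any(fnmatchcase(host, p) for p in pats if not p.startswith("!"))

def effective_proxycommand(host, configs):
    """Return the first ProxyCommand that applies to host, or None.

    configs: config file texts in the order ssh reads them (user file
    first, then the system file); ssh keeps the first value it obtains.
    """
    for text in configs:
        applies = True  # lines before any Host block apply to every host
        for raw in text.splitlines():
            m = OPTION.match(raw.strip())
            if not m:
                continue  # blank line or comment
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "host":
                applies = host_matches(host, value)
            elif key == "match":
                applies = False  # simplification: Match blocks are skipped
            elif key == "proxycommand" and applies:
                return value
    return None

def proxycommand_will_fail(login_shell, host, configs):
    """True if a ProxyCommand is in effect but the account's shell cannot run it."""
    cmd = effective_proxycommand(host, configs)
    if cmd is None or cmd.lower() == "none":
        return False
    return login_shell in NOLOGIN_SHELLS

# Constructed samples based on the lines quoted in this thread.
SYSTEM_CONFIG = "ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
USER_WORKAROUND = "Host *\n    ProxyCommand none\n"

if __name__ == "__main__":
    print(proxycommand_will_fail("/sbin/nologin", "localhost", [SYSTEM_CONFIG]))
    print(proxycommand_will_fail("/sbin/nologin", "localhost",
                                 [USER_WORKAROUND, SYSTEM_CONFIG]))
```
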
shellinabox-2.14-27.git88822c1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el6
shellinabox-2.14-27.git88822c1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc19
shellinabox-2.14-27.git88822c1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.el5
shellinabox-2.14-27.git88822c1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/shellinabox-2.14-27.git88822c1.fc20
Package shellinabox-2.14-27.git88822c1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing shellinabox-2.14-27.git88822c1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1610/shellinabox-2.14-27.git88822c1.el5
then log in and leave karma (feedback).
shellinabox-2.14-27.git88822c1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
shellinabox-2.14-27.git88822c1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
shellinabox-2.14-27.git88822c1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
shellinabox-2.14-27.git88822c1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.