Red Hat Bugzilla – Bug 1024102
oo-trap-user does not honor requested command when SSH_ORIGINAL_COMMAND is unset
Last modified: 2015-05-14 19:13:02 EDT
Created attachment 816907
a simple script to install and initialize kerberos 5 on a devenv combination broker/console/node
Description of problem:
/usr/bin/oo-trap-user gets incorrect command when auth is not ssh authorized_keys entry.
Version-Release number of selected component (if applicable):
Attempt git clone using Kerberos authentication
Steps to Reproduce:
1. create devenv
2. install and configure kerberos service (see attached script)
3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc)
4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal
5. switch user to u1 in /home/u1
6. attempt git clone as indicated in the output from app create
Actual results:
git clone attempt drops to rhcsh
Expected results:
git clone attempt creates local copy of app git repository
When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command. When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv).
When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.
Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set.
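The fallback described in this report, sketched as an added example (not the oo-trap-user source and not the code in the pull request). It assumes that, without a forced command, sshd starts the script as the login shell with `-c <command>`; `resolve_command`, `is_allowed` and the allow-list are hypothetical names for illustration.

```python
import shlex

DEFAULT_COMMAND = "rhcsh"  # fallback named in the bug report
# Hypothetical allow-list for this sketch; the real script's dispatch
# rules are not shown on this page.
ALLOWED = {"rhcsh", "git-upload-pack", "git-receive-pack"}


def resolve_command(environ, argv):
    """Return (command, source) for the wrapper.

    environ is a mapping like os.environ, argv a list like sys.argv.
    """
    original = environ.get("SSH_ORIGINAL_COMMAND", "").strip()
    if original:
        # Public-key path: authorized_keys command= replaced the request.
        return original, "env"
    args = argv[1:]
    if len(args) >= 2 and args[0] == "-c" and args[1].strip():
        # Assumed login-shell path (Kerberos, password): `-c <string>`.
        return args[1].strip(), "argv"
    if args and args[0] != "-c":
        # Plain arguments: rebuild one safely quoted command line.
        return " ".join(shlex.quote(a) for a in args), "argv"
    return DEFAULT_COMMAND, "default"


def is_allowed(command):
    """Apply the same check whichever source the command came from."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes in the request
        return False
    return bool(words) and words[0] in ALLOWED


if __name__ == "__main__":
    # Constructed inputs: public-key login, Kerberos login, bare login.
    cases = [
        ({"SSH_ORIGINAL_COMMAND": "git-receive-pack '/~/git/app.git'"},
         ["oo-trap-user"]),
        ({}, ["oo-trap-user", "-c", "git-upload-pack '/~/git/app.git'"]),
        ({}, ["oo-trap-user"]),
    ]
    for env, argv in cases:
        cmd, source = resolve_command(env, argv)
        print(source, repr(cmd), "allowed" if is_allowed(cmd) else "denied")
```

Whatever the real script does with the result, the argv-derived command needs the same validation as the one taken from SSH_ORIGINAL_COMMAND, since both are chosen by the connecting client.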
*** Bug 1024772 has been marked as a duplicate of this bug. ***
Pending PR https://github.com/openshift/origin-server/pull/4019
Tried on devenv_4081 with the following scenarios:
1. ssh to app with kerberos authorization
2. snapshot save app with kerberos authorization
3. git push with kerberos authorization
All of the above scenarios work well, so this issue is verified.