Created attachment 816907 [details] a simple script to install and initialize kerberos 5 on a devenv combination broker/console/node Description of problem: /usr/bin/oo-trap-user gets incorrect command when auth is not ssh authorized_keys entry. Version-Release number of selected component (if applicable): How reproducible: Attempt git clone using Kerberos authentication Steps to Reproduce: 1. create devenv 2. install and configure kerberos service (see attached script) 3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc) 4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal 5. switch user to u1 in /home/u1 6. attempt git clone as indicated in the output from app create Actual results: git clone attempt drops to rhcsh Expected results: git clone attempts creates local copy of app git repository Additional info: When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command. When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv). When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.
Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set.
*** Bug 1024772 has been marked as a duplicate of this bug. ***
Pending PR https://github.com/openshift/origin-server/pull/4019
Merged
Tried on devenv_4081, and try follow scenarios: 1. ssh to app with kerberos authorization 2. snapshot save app with kerberos authorization 3. git push with kerberos authorization And all about scenarios work well, so verified this issue.