Bug 1024102 - oo-trap-user does not honor requested command when SSH_ORIGINAL_COMMAND is unset
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified Linux
Priority: unspecified, Severity: medium
Assigned To: Mark Lamourine
QA Contact: libra bugs
Duplicates: 1024772
Blocks: 1035358
Reported: 2013-10-28 16:00 EDT by Mark Lamourine
Modified: 2015-05-14 19:13 EDT
Doc Type: Bug Fix
Last Closed: 2014-01-23 22:33:08 EST
Type: Bug

Attachments
a simple script to install and initialize kerberos 5 on a devenv combination broker/console/node (1.18 KB, application/x-shellscript)
2013-10-28 16:00 EDT, Mark Lamourine
Description Mark Lamourine 2013-10-28 16:00:18 EDT
Created attachment 816907
a simple script to install and initialize kerberos 5 on a devenv combination broker/console/node

Description of problem:

/usr/bin/oo-trap-user gets an incorrect command when auth is not an ssh authorized_keys entry.

Version-Release number of selected component (if applicable):


How reproducible:

Attempt git clone using Kerberos authentication


Steps to Reproduce:
1. create devenv
2. install and configure kerberos service (see attached script)
3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc)
4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal
5. switch user to u1 in /home/u1
6. attempt git clone as indicated in the output from app create

Actual results:

git clone attempt drops to rhcsh


Expected results:

git clone attempt creates a local copy of the app git repository

Additional info:

When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command. When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv).

When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.
Comment 1 Mark Lamourine 2013-10-28 16:01:41 EDT
Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set.
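
The fallback described in the report and in Comment 1, as an added example that is not the code from the linked pull request or from oo-trap-user itself. It assumes sshd starts the login shell as `<shell> -c '<command>'` when no forced command applies; `requested_command`, `dispatch` and the `ALLOWED` set are hypothetical names, and the sample requests in the comments are constructed.

```python
import shlex

DEFAULT_SHELL = "rhcsh"  # interactive fallback named in the bug report
# Hypothetical allowlist for illustration; not taken from oo-trap-user.
ALLOWED = {"git-upload-pack", "git-receive-pack", DEFAULT_SHELL}


def requested_command(environ, argv):
    """Return the command string the SSH client asked for.

    With a forced command (command= in authorized_keys) sshd exports the
    client's request in SSH_ORIGINAL_COMMAND. Without one (Kerberos and
    other non public-key logins) the request arrives as argv: [shell, -c, cmd].
    """
    cmd = environ.get("SSH_ORIGINAL_COMMAND")
    if cmd:
        return cmd
    if len(argv) >= 3 and argv[1] == "-c":
        return argv[2]
    return DEFAULT_SHELL  # no command requested: interactive session


def dispatch(environ, argv):
    """Parse the request and return its words, or None if it is refused.

    Both sources are client-controlled, so the same allowlist check is
    applied no matter where the command string came from.
    """
    try:
        words = shlex.split(requested_command(environ, argv))
    except ValueError:  # e.g. unbalanced quotes in the request
        return None
    if not words or words[0] not in ALLOWED:
        return None
    return words


if __name__ == "__main__":
    # Constructed request: git clone over a Kerberos-authenticated session.
    print(dispatch({}, ["oo-trap-user", "-c", "git-upload-pack '/~/git/app.git/'"]))
```
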
Comment 2 Jordan Liggitt 2013-10-30 11:30:44 EDT
*** Bug 1024772 has been marked as a duplicate of this bug. ***
Comment 3 Mark Lamourine 2013-11-14 08:29:50 EST
Pending PR https://github.com/openshift/origin-server/pull/4019
Comment 4 Jordan Liggitt 2013-11-27 10:49:29 EST
Merged
Comment 5 weiwei jiang 2013-11-27 22:16:48 EST
Tried on devenv_4081 with the following scenarios:
1. ssh to app with kerberos authorization
2. snapshot save app with kerberos authorization
3. git push with kerberos authorization

All of the above scenarios work well, so this issue is verified.
