Created attachment 817373 [details] the script which help setup a kerberos server Description of problem: when ssh in the app with kerberos ticket, duplicate messages show up. # rhc ssh app Connecting to 5270cf47e97c04dfc1000008.rhcloud.com ... Last login: Wed Oct 30 05:25:36 2013 from 10.238.185.170 ********************************************************************* You are accessing a service that is for use only by authorized users. If you do not have authorization, discontinue use at once. Any use of the services is subject to the applicable terms of the agreement which can be found at: https://openshift.redhat.com/app/legal ********************************************************************* ********************************************************************* You are accessing a service that is for use only by authorized users. If you do not have authorization, discontinue use at once. Any use of the services is subject to the applicable terms of the agreement which can be found at: https://www.openshift.com/legal ********************************************************************* Welcome to OpenShift shell This shell will assist you in managing OpenShift applications. !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Shell access is quite powerful and it is possible for you to accidentally damage your application. Proceed with care! If worse comes to worst, destroy your application with "rhc app delete" and recreate it !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Type "help" for more info. Version-Release number of selected component (if applicable): devenv_3966 How reproducible: always Steps to Reproduce: 1.run attachment script on instance 2.create an app 3.remove all other type sshkeys 4.add a krb5-principal type sshkey 5.change the selinux context chcon -t krb5_home_t /var/lib/openshift/$gear_id/.k5login 6.initialize a ticket for the krb5-principal sshkey content 6.ssh into the app Actual results: # rhc ssh app Connecting to 5270cf47e97c04dfc1000008.rhcloud.com ... Last login: Wed Oct 30 05:25:36 2013 from 10.238.185.170 ********************************************************************* You are accessing a service that is for use only by authorized users. If you do not have authorization, discontinue use at once. Any use of the services is subject to the applicable terms of the agreement which can be found at: https://openshift.redhat.com/app/legal ********************************************************************* ********************************************************************* You are accessing a service that is for use only by authorized users. If you do not have authorization, discontinue use at once. Any use of the services is subject to the applicable terms of the agreement which can be found at: https://www.openshift.com/legal ********************************************************************* Welcome to OpenShift shell This shell will assist you in managing OpenShift applications. !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Shell access is quite powerful and it is possible for you to accidentally damage your application. Proceed with care! If worse comes to worst, destroy your application with "rhc app delete" and recreate it !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Type "help" for more info. Expected results: It should not display duplicate messages Additional info:
Actually, it appears that the kerberos 5 login is behaving correctly. The first (non-indented) message comes from /etc/motd. This is the system login message. The second is produced by /usr/bin/rhcsh, the OpenShift "restricted shell". These are two separate messages, that happen, in the devenv to have identical messages except for the indentation. Logins with the SSH authorized key do not produce the system message of the day.
PR 4019 will eliminate duplicate calls to oo-trap-user https://github.com/openshift/origin-server/pull/4019 The motd has been suppressed for SSH authorized_keys logins by the inclusion of a command= clause in the key entries. This indicates to SSH that the command will be connected to a pipe from the client so the MOTD would be noise. The kerberos logins do not use anything like the command= and so normal shell logins include the system MOTD as well as the rhcsh banner. Other remote commands will not show the banner as SSH will again suppress the MOTD for inbound SSH logins which include a command to run on the server host. (ala rsync etc).
The presentation of the MOTD banner for shell logins is correct. The apparent duplicate is because the top of the rhcsh banner is identical to the devenv /etc/motd contents. This is the expected behavior, though we may want to change the contents of the /etc/motd to avoid the appearance of duplicate output.
We can turn off system motd behavior for the devenv, so that rhcsh is the only way it gets output.
Turned off system-generated message of the day in devenv, now rhcsh is the only script that will output it, which makes kerberos auth and ssh auth behave consistently. Merged in https://github.com/openshift/li/pull/2065
Commit pushed to master at https://github.com/openshift/li https://github.com/openshift/li/commit/7403a637ba6a14ac1592e8070f5bfe1b14b71b8d Fix bug 1024706 - turn off message of the day for devenv
Tried on devenv_3973 and it can solve this issue, but when ssh into the instance, the legal banner message is missing if fix like this. # ssh -i libra-new.pem ec2-23-23-43-202.compute-1.amazonaws.com [root@ip-10-244-134-36 ~]# # rhc ssh php Connecting to 5271dfcb0ad1743f4a000007.rhcloud.com ... ********************************************************************* You are accessing a service that is for use only by authorized users. If you do not have authorization, discontinue use at once. Any use of the services is subject to the applicable terms of the agreement which can be found at: https://www.openshift.com/legal ********************************************************************* Welcome to OpenShift shell This shell will assist you in managing OpenShift applications. !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Shell access is quite powerful and it is possible for you to accidentally damage your application. Proceed with care! If worse comes to worst, destroy your application with "rhc app delete" and recreate it !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! Type "help" for more info. [php-y.dev.rhcloud.com 5271dfcb0ad1743f4a000007]\>
SSHing into the devenv as root no longer displays message of the day. SSHing into a gear works because rhcsh handles printing the message of the day
If we want the message of the day to appear consistently for gear users using kerberos or publickey auth, this is the solution we have to use.