+++ This bug was initially created as a clone of Bug #1024102 +++

Description of problem:
/usr/bin/oo-trap-user gets incorrect command when auth is not ssh authorized_keys entry.

Version-Release number of selected component (if applicable):

How reproducible:
Attempt git clone using Kerberos authentication

Steps to Reproduce:
1. create devenv
2. install and configure kerberos service (see attached script)
3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc)
4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal
5. switch user to u1 in /home/u1
6. attempt git clone as indicated in the output from app create

Actual results:
git clone attempt drops to rhcsh

Expected results:
git clone attempt creates local copy of app git repository

Additional info:
When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command.

When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv).

When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.

--- Additional comment from Mark Lamourine on 2013-10-28 16:01:41 EDT ---

Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set.

--- Additional comment from Jordan Liggitt on 2013-10-30 11:30:44 EDT ---

--- Additional comment from Mark Lamourine on 2013-11-14 08:29:50 EST ---

Pending PR https://github.com/openshift/origin-server/pull/4019

--- Additional comment from Jordan Liggitt on 2013-11-27 10:49:29 EST ---

Merged

enterprise-server cherry-pick:

commit 508e10c039c267687608fa366d05145e19754421
Author: Mark Lamourine <markllama>
Date:   Mon Oct 28 17:13:21 2013 -0400

    allow oo-trap-user to run from non-public-key auth

    clarified command branching and debugging

    commented syslogs for debugging to minimize load

    commented one more line

    Prevent double-calling oo-trap-user twice

    lmeyer: cherry-picked cleanly from origin-server 4b91a8ac92781f4a85e2d2327e4d60fd52f5f9fd #cherrypick

check on puddle [2.0/2013-11-27.2]

1. get the hostname of node
   # host $public_ip
2. add node host principal on kerberos server
   # kadmin.local -q "addprinc host/vm-167-59-4-10.ose.phx2.redhat.com"
3. add a user on kerberos server
   # kadmin.local -q "addprinc xiama"
4. add key for node host principal on kerberos server
   # kadmin.local -q "ktadd host/vm-167-59-4-10.ose.phx2.redhat.com"
   # kadmin.local -q "ktadd -k node.keytab host/vm-167-59-4-10.ose.phx2.redhat.com"
5. cp keytab from kerberos server to node, save as /etc/krb5.keytab
6. kinit on rhc client
   # kinit xiama
7. kinit on node
   # kinit -kt /etc/krb5.keytab host/vm-167-59-4-10.ose.phx2.redhat.com
8. create app and delete all sshkey, then add krb key
   # rhc sshkey add test --type krb5-principal --content xiama
9. rhc app ssh $app
10. rhc git-clone $app
11. do some changes, and git push

result:
8. can log in to the app
9. can git clone the app
10. git push successfully, add access successfully!
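
Added example, not code from oo-trap-user or from the patch in this bug: a sketch of the command resolution described under "Additional info", preferring SSH_ORIGINAL_COMMAND and otherwise honoring sys.argv before defaulting to rhcsh. The function names, the allow-list and the sample repository path are assumptions made for illustration; the `<shell> -c <command>` argv shape is how sshd invokes a login shell when a command is requested.

```python
import shlex

DEFAULT_SHELL = "rhcsh"  # default the page says is used when no command is found
# Hypothetical allow-list for this example: the git transport helpers that
# `git clone` and `git push` ask the server to run.
GIT_HELPERS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}


def resolve_command(environ, argv):
    """Return the command the client asked for, whichever way sshd passed it."""
    forced = environ.get("SSH_ORIGINAL_COMMAND", "").strip()
    if forced:
        # Public-key login with command= in authorized_keys.
        return forced
    # Kerberos/password login: sshd runs the login shell as `<shell> -c <cmd>`.
    if len(argv) >= 3 and argv[1] == "-c" and argv[2].strip():
        return argv[2].strip()
    # Interactive login: nothing was requested.
    return DEFAULT_SHELL


def classify(command):
    """Label the resolved command as 'shell', 'git' or 'other'."""
    if command == DEFAULT_SHELL:
        return "shell"
    try:
        words = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: never guess, let the caller reject it.
        return "other"
    if len(words) == 2 and words[0] in GIT_HELPERS:
        return "git"
    return "other"


if __name__ == "__main__":
    # Constructed sample: the argv a Kerberos `git clone` produces.
    argv = ["/usr/bin/oo-trap-user", "-c", "git-upload-pack '/~/git/app.git/'"]
    cmd = resolve_command({}, argv)
    print(cmd, "->", classify(cmd))
```

Whichever source the command comes from, it should pass through the same classification before anything is executed, so the argv fallback does not become a way around the checks applied to the public-key path.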