Shell app - direct shell instead of SSH? #4060

Closed
cwaldbieser opened this issue Jan 8, 2025 · 9 comments

Comments

@cwaldbieser

For the shell app, my understanding of the architecture is that the OOD software creates a web-based terminal emulator and hooks that up to an ssh process that runs as the logged in user.

Is it possible to have the software invoke some kind of shell (e.g. bash) instead of ssh and wire it up to the terminal emulator?
The reason I ask is because the ssh process will ask a user to authenticate. If you use key-based or cert-based authentication, the ssh process running on a remote host will have no way to access the user's private key, and thus passwordless authentication becomes rather problematic.

I recognize that direct shell wouldn't necessarily make sense if your OOD service is running on some dedicated node that a user has no business having a shell on, but if you run the service on say the login node, this would be a convenient way to use the terminal from the web app.

I'm not sure if this is something that can currently be configured, e.g. with OOD_SSH_WRAPPER, or if this would be a new feature request.

@osc-bot osc-bot added this to the Backlog milestone Jan 8, 2025
@johrstrom
Contributor

I'm not sure if this is something that can currently be configured, e.g. with OOD_SSH_WRAPPER, or if this would be a new feature request.

It can be done with OOD_SSH_WRAPPER. I use this sometimes, and would have to look it up to be sure, but I'm fairly sure the wrapper I use is just this:

#!/bin/bash
# Wrapper pointed to by OOD_SSH_WRAPPER: ignore the ssh arguments and start a local shell

/bin/bash

@johrstrom
Contributor

By the way, it's worth noting that we (OSC) use HostBasedAuthentication on our systems to allow folks to ssh here and there seamlessly.

@cwaldbieser
Author

Doesn't HostBasedAuthentication allow a user on host A to impersonate a user on host B? E.g. if I am logged in as alice@host-a.example.net and I ssh bob@host-b.example.net, won't that succeed?

@johrstrom
Contributor

No, if you try to login as a different user, it'll prompt for the password. Even if the user doesn't exist (like thisusercantreallyexist).

@cwaldbieser
Author

Thanks. The following article from 2014 explains how spoofing is prevented.
tl;dr - The host key is used by the ssh client to sign the assertion sent to the sshd server. Only root can read the host key. The trusted ssh client is allowed to use a helper program that can elevate permissions to read the host key. The trusted ssh client asserts the effective user name.
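
As an added illustration of the mechanism summarized in the comment above (this is example code written for this page, not code from the issue, Open OnDemand or OpenSSH), the Go program below models hostbased authentication in simplified form: a signing helper that holds the client host's private key (the role ssh-keysign plays) signs an assertion naming the client host, the effective client user and the requested target user; the server verifies that signature against the host key it already knows for that hostname, and only then applies its shosts.equiv / .shosts policy. The hostnames, user names, the single-user .shosts entry and the flat message format are constructed for the demo; the real RFC 4252 hostbased message also binds the session identifier and algorithm names, which is omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assertion is what a client host signs for the "hostbased" method.
// Simplified model: the real message (RFC 4252 section 9) also covers the
// session id and algorithm names.
type Assertion struct {
	ClientHost string // FQDN the client claims to be
	ClientUser string // effective user name on the client host
	TargetUser string // account requested on the server
	Signature  []byte
}

func (a Assertion) message() []byte {
	return []byte(a.ClientHost + "\x00" + a.ClientUser + "\x00" + a.TargetUser)
}

// signAssertion plays the role of ssh-keysign: it is the only component with
// access to the host private key, and it signs what the trusted ssh client
// asserts about the effective user.
func signAssertion(hostKey ed25519.PrivateKey, clientHost, clientUser, targetUser string) Assertion {
	a := Assertion{ClientHost: clientHost, ClientUser: clientUser, TargetUser: targetUser}
	a.Signature = ed25519.Sign(hostKey, a.message())
	return a
}

// Server holds the known host keys plus an shosts.equiv-style policy.
type Server struct {
	KnownHosts map[string]ed25519.PublicKey // hostname -> host public key
	// EquivHosts: hosts whose users may log in under the same user name
	// (the effect of a bare hostname line in /etc/ssh/shosts.equiv).
	EquivHosts map[string]bool
	// UserShosts: target user -> "host user" entries from ~target/.shosts.
	UserShosts map[string][]string
}

// Verify accepts only when the signature checks out against the key
// registered for the claimed host AND policy lets clientUser@clientHost
// become targetUser. Anything else falls back to password authentication.
func (s Server) Verify(a Assertion) (bool, string) {
	pub, ok := s.KnownHosts[a.ClientHost]
	if !ok {
		return false, "unknown client host"
	}
	if !ed25519.Verify(pub, a.message(), a.Signature) {
		return false, "bad host signature"
	}
	if a.ClientUser == a.TargetUser && s.EquivHosts[a.ClientHost] {
		return true, "same user from equivalent host"
	}
	for _, entry := range s.UserShosts[a.TargetUser] {
		if entry == a.ClientHost+" "+a.ClientUser {
			return true, "explicit .shosts entry"
		}
	}
	return false, "policy denies user mapping; fall back to password"
}

// buildDemo constructs the server and two host keys: host-a's real key and a
// "rogue" key belonging to some other machine (constructed demo data).
func buildDemo() (Server, ed25519.PrivateKey, ed25519.PrivateKey) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	srv := Server{
		KnownHosts: map[string]ed25519.PublicKey{"host-a.example.net": pubA},
		EquivHosts: map[string]bool{"host-a.example.net": true},
		UserShosts: map[string][]string{"carol": {"host-a.example.net alice"}},
	}
	return srv, privA, rogue
}

func main() {
	srv, hostA, rogue := buildDemo()
	cases := []Assertion{
		signAssertion(hostA, "host-a.example.net", "alice", "alice"), // accepted
		signAssertion(hostA, "host-a.example.net", "alice", "bob"),   // denied: no mapping
		signAssertion(hostA, "host-a.example.net", "alice", "carol"), // accepted via .shosts
		signAssertion(rogue, "host-a.example.net", "alice", "alice"), // denied: wrong key
	}
	for _, c := range cases {
		ok, why := srv.Verify(c)
		fmt.Printf("%s@%s -> %s: accepted=%v (%s)\n", c.ClientUser, c.ClientHost, c.TargetUser, ok, why)
	}
}
```

The point of the model is the order of checks: the user name in the assertion is only trusted because the signature proves it came from a host whose key the server already holds, and even then the server's own policy decides whether alice on host-a may become bob. A wrapper script cannot spoof the user field because it never sees the host private key; only the setuid signing helper does.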

@cwaldbieser
Author

I tried setting OOD_SSH_WRAPPER to a script like the one mentioned above, and this works as expected.
However, if I let the terminal prompt be idle for about a minute, I get a message:

"Your connection to the remote server has been terminated."
Any idea what could be causing the connection to drop? If I run something like htop, the shell will stay active. It's only if I leave it idle that I get this message.

I tried setting passenger_pool_idle_time, but I think the default was 5 minutes, and that didn't seem to work.

@johrstrom
Contributor

This configuration works for 3.0.9 and up, if you're on a version lower than that then that's just the behavior of idle connections.

https://osc.github.io/ood-documentation/latest/customizations.html#enable-and-configure-shell-ping-pong

@cwaldbieser
Author

We are on a higher version. I first used the Apache httpd settings from this post, and those increased the timeout to 5 minutes and 30 seconds (330s), so something else was still limiting the idle time. I tried the ping-pong configuration, but that did not extend the idle time past that limit.

@cwaldbieser
Author

I think the issue was I had to force kill my PUN.
