Posted to dev@vcl.apache.org by "Andy Kurth (JIRA)" <ji...@apache.org> on 2019/01/03 18:48:00 UTC
[jira] [Created] (VCL-1108) Improve flexibility in how sshd is configured in Linux images
Andy Kurth created VCL-1108:
-------------------------------
Summary: Improve flexibility in how sshd is configured in Linux images
Key: VCL-1108
URL: https://issues.apache.org/jira/browse/VCL-1108
Project: VCL
Issue Type: Improvement
Components: vcld (backend)
Reporter: Andy Kurth
In Linux images, the *ext_sshd* service is dynamically generated when an image is loaded and reconfigured when the computer is reserved. The ext_sshd service is configured with */etc/ssh/ext_sshd/external_sshd_config*. This file is generated by using the regular */etc/ssh/sshd_config* file as a template. The following hard-coded parameter modifications are then applied to external_sshd_config:
{{ListenAddress <remote IP>}}
{{PasswordAuthentication yes}}
{{PermitRootLogin no}}
{{PidFile /var/run/ext_sshd.pid}}
{{X11Forwarding yes}}
{{AllowUsers <reservation user>}}
The *ext_sshd* service and all associated files including *external_sshd_config* are deleted before an image is captured. When the image is loaded, the *sshd_config* file stored in the image is used as the template.
The only way to customize the ext_sshd service is by using a *vcl_post_reserve* script. There's a timing problem with this. *vcl_post_reserve* gets executed after
# vcld detects the user clicked the Connect button
# $self->os->grant_access()
## firewall opened to user's IP
## connect methods processed, ext_sshd running
# $self->os->update_cluster()
At this point, the user is able to connect to the computer via SSH. If you need to customize any of the ext_sshd configuration parameters _which can't be customized in sshd_config because they'd break management node communication_, you'd have to do it here and then restart the service. This leaves a window of 1 to several seconds when the ext_sshd service is configured and listening without the customizations.
This problem came up in an image which required using Duo for multifactor authentication. ext_sshd could be configured properly by the *vcl_post_reserve* script, but it left a window when a user could log in without going through Duo.
There are a few ways to improve this. The simplest, though not the prettiest, would be to extend the *configure_sshd_config_file* and *configure_ext_sshd_config_file* subroutines in *Linux.pm* to check for the existence of some other file to use as a template for external_sshd_config _(instead of sshd_config)_. Perhaps something like */root/.vclcontrol/external_sshd_config.template*. The hard-coded parameter modifications listed above would still need to be applied.
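As an added example (not code from the VCL project or from this ticket), the following Python shows how the template-plus-overrides generation described above, and the optional custom template lookup proposed here, could be implemented. The sample sshd_config, the IP address and the user name are constructed; the path /root/.vclcontrol/external_sshd_config.template is the ticket's suggestion, not an existing vcld feature; the function names are assumptions.

```python
import re
from pathlib import Path

# The hard-coded parameter modifications this ticket lists; <remote IP> and
# <reservation user> are filled in per reservation.
def ext_sshd_overrides(remote_ip, reservation_user):
    return [
        ("ListenAddress", remote_ip),
        ("PasswordAuthentication", "yes"),
        ("PermitRootLogin", "no"),
        ("PidFile", "/var/run/ext_sshd.pid"),
        ("X11Forwarding", "yes"),
        ("AllowUsers", reservation_user),
    ]

# sshd_config directive: "Keyword value" or "Keyword=value"; comments do not match.
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*[=\s]\s*(.*?)\s*$")


def render_ext_sshd_config(template_text, overrides):
    """Build external_sshd_config text from an sshd_config-style template.

    sshd semantics that matter here: the first occurrence of a keyword wins,
    keywords are case-insensitive, and directives after a 'Match' line apply
    only inside that block. So the overridden keywords are stripped from the
    global section of the template and the override lines are placed at the
    top, ahead of any Match block. Match blocks are left untouched.
    """
    override_keys = {k.lower() for k, _ in overrides}
    kept = []
    in_match = False
    for line in template_text.splitlines():
        m = _DIRECTIVE_RE.match(line)
        if m:
            key = m.group(1).lower()
            if key == "match":
                in_match = True
            elif not in_match and key in override_keys:
                continue  # drop the template's global value; the override replaces it
        kept.append(line)
    header = ["# Generated ext_sshd configuration (added example, not vcld code)"]
    header += [f"{k} {v}" for k, v in overrides]
    return "\n".join(header + kept) + "\n"


def effective_values(config_text):
    """Map keyword -> value the way sshd resolves the global section:
    first occurrence wins; parsing stops at the first Match block."""
    values = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        values.setdefault(key, value)
    return values


def select_template(image_root="/"):
    """Prefer the custom template path proposed in the ticket (assumed, not an
    existing vcld feature); fall back to the regular sshd_config."""
    custom = Path(image_root) / "root/.vclcontrol/external_sshd_config.template"
    default = Path(image_root) / "etc/ssh/sshd_config"
    return custom if custom.is_file() else default


# Constructed sample of an image's /etc/ssh/sshd_config (not a real file).
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""


def build_sample(remote_ip="192.0.2.10", reservation_user="vcluser"):
    """Render the constructed sample with constructed reservation values."""
    return render_ext_sshd_config(SAMPLE_SSHD_CONFIG,
                                  ext_sshd_overrides(remote_ip, reservation_user))


if __name__ == "__main__":
    print(build_sample())
```

The point of stripping the template's own values instead of appending the overrides is the first-occurrence rule: if the image's sshd_config already says `PermitRootLogin yes`, an override appended at the bottom would be ignored by sshd, and the generated ext_sshd would still permit root login. Checking `effective_values()` on the rendered file before starting the service is a cheap way to confirm each hard-coded modification actually took effect.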
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)