Closed Ramshield closed 7 years ago
I think I didn't capture the exact situation here, can you please provide more details
Okay sure.
We use a shell to login to routers and switches via telnet. This isn't possible as far as I know with Aker.
So I want to create a second account which does have shell access, and access it via SSH "SSH user@localhost".
However when I do this for Aker, it doesn't work and I am getting the following messages in my logs:
May 11 11:38:15 noc su: pam_unix(su:session): session opened for user X by root(uid=0)
May 11 11:38:18 noc sshd[4003]: Connection closed by 127.0.0.1 [preauth]
But it does work when I try without Aker. So is this an issue in Aker, or just not possible to login to a local user with Aker?
How do you authenticate to this user, password or SSH keys?
Is it possible to set log_level = DEBUG and provide the Aker log?
I did indeed do it via SSH keys. Allow me a moment to attach the log files.
EDIT: Errors when using Aker in console:
Traceback (most recent call last):
File "/bin/aker/aker.py", line 149, in
Log file:
2017-05-12 09:32:13,860 - DEBUG - Core: Drawing TUI
2017-05-12 09:32:13,862 - DEBUG - TUI: tui started
2017-05-12 09:32:15,078 - DEBUG - TUI: init conenction to 127.0.0.1 as jim on port 22
2017-05-12 09:32:15,078 - DEBUG - Core: pausing TUI
2017-05-12 09:32:15,078 - DEBUG - TUI: tui paused
2017-05-12 09:32:15,079 - DEBUG - Session: Base Session created
2017-05-12 09:32:15,079 - DEBUG - Client: Client Created
2017-05-12 09:32:15,079 - DEBUG - Session: SSHSession created
2017-05-12 09:32:15,079 - DEBUG - Sniffer: Creating Pyte screen with cols 237 and rows 63
2017-05-12 09:32:15,080 - DEBUG - Sniffer: Sniffer Created
2017-05-12 09:32:15,081 - INFO - Core: Starting session UUID b5e4ab98-7706-4974-93d9-80b120f18335 for user jim to host 127.0.0.1
2017-05-12 09:32:15,081 - DEBUG - SSHClient: Connected to 127.0.0.1:22
2017-05-12 09:32:15,529 - DEBUG - SSHClient: Authenticating using key-pair
2017-05-12 09:32:15,530 - DEBUG - starting thread (client mode): 0x1ba1d90L
2017-05-12 09:32:15,531 - DEBUG - Local version/idstring: SSH-2.0-paramiko_2.1.2
2017-05-12 09:32:15,531 - DEBUG - Remote version/idstring: SSH-2.0-OpenSSH_6.6.1
2017-05-12 09:32:15,532 - INFO - Connected (version 2.0, client OpenSSH_6.6.1)
2017-05-12 09:32:15,533 - DEBUG - kex algos:[u'curve25519-sha256@libssh.org', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group-exchange-sha1', u'diffie-$
2017-05-12 09:32:15,533 - DEBUG - Kex agreed: diffie-hellman-group1-sha1
2017-05-12 09:32:15,533 - DEBUG - Cipher agreed: aes128-ctr
2017-05-12 09:32:15,534 - DEBUG - MAC agreed: hmac-sha2-256
2017-05-12 09:32:15,534 - DEBUG - Compression agreed: none
2017-05-12 09:32:15,558 - DEBUG - kex engine KexGroup1 specified hash_algo
However I'm 100% sure the key is correct and when using normal Bash shell it works.
I see
2017-05-12 09:32:15,609 - INFO - Authentication (publickey) failed.
For now Aker uses ~/.ssh/id_rsa (private key) for authentication. Does this file exist with the expected permissions?
Hi Anazmy. /root/.ssh/id_rsa doesn't exist, /home/jim/.ssh/id_rsa(.pub) does. It works fine when using a normal shell, but not with Aker?
The user logged in to the Aker interface (root or jim) must have the private key ~/.ssh/id_rsa available with proper permissions to be used for authentication. I'm assuming here also that the public key ~/.ssh/id_rsa.pub is already added to the destination host(s).
Hi Anazmy. Well it works fine when replacing the aker.py shell with /bin/bash.
So the key is correct and works fine. My hosts.json file:
"users": [
  { "username": "jim", "keyfile": "~/.ssh/id_rsa.pub", "groups": ["L2", "L3"] }
],
"hosts": [
  { "name": "Aker Gateway Root", "username": "root", "hostname": "127.0.0.1", "port": "22", "key": "~/.ssh/id_rsa", "groups": ["L2"] },
No idea how to format code with "`", sorry.
No problem about the formatting.
I see in your hosts.json one host defined with "hostname":"127.0.0.1", which is localhost, so I'm not sure what you are trying to do here. Logging in to the same host (the Aker gateway) as root?
That wouldn't work. Aker authenticates to destination hosts with the same username you're logged in as (it appears on the top left side of the screen).
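The two checks raised in this thread, the private key of the logged-in user existing with safe permissions and every host entry using that same login username, as an added example that is not Aker's own code. It assumes a hosts.json shaped like the fragment posted above and takes the login user and home directory as parameters; the key file it creates is a constructed placeholder.

```python
import json
import os
import stat
import tempfile

# Constructed sample mirroring the hosts.json fragment posted in the thread.
SAMPLE_HOSTS_JSON = """
{
  "users": [
    {"username": "jim", "keyfile": "~/.ssh/id_rsa.pub", "groups": ["L2", "L3"]}
  ],
  "hosts": [
    {"name": "Aker Gateway Root", "username": "root", "hostname": "127.0.0.1",
     "port": "22", "key": "~/.ssh/id_rsa", "groups": ["L2"]}
  ]
}
"""


def check_key_file(path, home):
    """Return problems with the private key at 'path'; '~' expands to 'home',
    the home of the user logged in to Aker (so /root vs /home/jim matters)."""
    full = home + path[1:] if path.startswith("~") else path
    if not os.path.isfile(full):
        return ["private key %s does not exist" % full]
    mode = stat.S_IMODE(os.stat(full).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["private key %s is group/world accessible (mode %o)" % (full, mode)]
    return []


def check_hosts(config, login_user, home):
    """Map each host name to its list of problems (empty list means OK)."""
    report = {}
    for host in config.get("hosts", []):
        problems = check_key_file(host.get("key", "~/.ssh/id_rsa"), home)
        # Aker authenticates to the destination as the Aker login user, so a
        # host entry naming another account can never be reached as that account.
        if host.get("username") and host["username"] != login_user:
            problems.append("host username %r differs from Aker login user %r"
                            % (host["username"], login_user))
        report[host["name"]] = problems
    return report


def demo():
    """Run the checks for login user 'jim' against a constructed temp home
    holding a placeholder id_rsa with mode 0600."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".ssh"))
    key = os.path.join(home, ".ssh", "id_rsa")
    with open(key, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o600)
    return check_hosts(json.loads(SAMPLE_HOSTS_JSON), "jim", home)
```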
I need to access the localhost as root/user so I have a shell environment for Telnet sessions, ping tests and traceroutes.
Oh now I see. That explains a lot. Is there any way to give it a variable username, or do I have to create on all my hosts new user accounts for all my employees? Because that would be an awful lot of work, while I just want my employees to login as root/user with root access...
Two points here.
1- Aker allows userA to access destination hosts as userA only. Changing identity is not an option now, and frankly I don't think it's a good security practice to do so. Leveraging sudo capability is a better way to achieve such behavior.
2- Allowing users root access to the Aker gateway defies the lockdown imposed by Aker; users can alter/delete session logs since they have root privilege.
Hence, I think Aker won't fit in this case.
1- I agree, just a lot of administrative work to deal with. I'll reconsider using Aker for this purpose.
2- I agree, but this would be for admin users only, so only people who of course would need access to such things. However, to work on Aker root access is still needed, meaning root access can never be closed on a jump server which has access to a LARGE part of the network. Seems like a big risk to me? So an option to switch to a local shell user would be safer, and sudo from there, rather than allowing root, no?
I didn't mean root is completely closed. I meant that having sudo privilege or root access on the jump server implies two things:
1- ONLY privileged security/senior admins have access to sudo/root on Aker.
2- The user with sudo/root access is not part of the Aker logging process.
Got it. I know enough for now, thank you.
Hello anazmy.
We use our jump server for accessing our switches and such as well. But this requires a local shell to do so. And it's also used for testing purposes like IPs, traceroutes and such. Is it possible to log in to a shell for some users that require it? Or can I do this by allowing a local SSH key and adding another host to log in to the local shell, or should I create a separate user which can access the shell?
EDIT: Works for a normal user, but not via your script?
May 11 11:38:15 noc su: pam_unix(su:session): session opened for user X by root(uid=0)
May 11 11:38:18 noc sshd[4003]: Connection closed by 127.0.0.1 [preauth]