aker-gateway / Aker

SSH bastion/jump host/jumpserver

issues - auto disconnect after enter ssh #75

Open vhostvn opened 6 years ago

vhostvn commented 6 years ago

Hi,

I set up aker on CentOS 6.9 64bit.

After typing the password and pressing enter, my account disconnects immediately. I checked /var/log/messages and it shows this error:

Mar 24 04:26:38 localhost abrt: detected unhandled Python exception in '/usr/bin/aker/aker.py'
Mar 24 04:26:38 localhost abrt-server[2609]: Saved Python crash dump of pid 2590 to /var/spool/abrt/pyhook-2018-03-24-04:26:38-2590
Mar 24 04:26:38 localhost abrtd: Directory 'pyhook-2018-03-24-04:26:38-2590' creation detected
Mar 24 04:26:38 localhost abrtd: Executable '/usr/bin/aker/aker.py' doesn't belong to any package and ProcessUnpackaged is set to 'no'
Mar 24 04:26:38 localhost abrtd: 'post-create' on '/var/spool/abrt/pyhook-2018-03-24-04:26:38-2590' exited with 1
Mar 24 04:26:38 localhost abrtd: Deleting problem directory '/var/spool/abrt/pyhook-2018-03-24-04:26:38-2590'

May I know how to fix it?

I followed the install from this guide: https://github.com/aker-gateway/Aker/blob/phase0/README.md

vhostvn commented 6 years ago

And this is from CentOS 7:

Mar 23 17:46:35 localhost systemd: Created slice User Slice of vhostvn.
Mar 23 17:46:35 localhost systemd: Starting User Slice of vhostvn.
Mar 23 17:46:35 localhost systemd: Started Session 12 of user vhostvn.
Mar 23 17:46:35 localhost systemd-logind: New session 12 of user vhostvn.
Mar 23 17:46:35 localhost systemd: Starting Session 12 of user vhostvn.
Mar 23 17:46:35 localhost systemd-logind: Removed session 12.
Mar 23 17:46:35 localhost systemd: Removed slice User Slice of vhostvn.
Mar 23 17:46:35 localhost systemd: Stopping User Slice of vhostvn.

anazmy commented 6 years ago

Can you please provide the debug log /var/log/aker/aker.log?

vhostvn commented 6 years ago

On CentOS 6: we have nothing in that folder:

[root@localhost ~]# ll /var/log/aker/
total 0
[root@localhost ~]#

And this is the log from CentOS 7: show menu --> select host --> enter, and putty disconnects immediately.

output log.txt

anazmy commented 6 years ago

I don't see helpful data in the log; what do the logs on the client side say?

vhostvn commented 6 years ago

logs on client

Which server will act as the client in this case? The aker server or the destination server?

Thanks,

anazmy commented 6 years ago

The client should be the machine you're trying to connect to from the aker TUI screen (list of hosts).

vhostvn commented 6 years ago

I have terminated both gateway servers and reinstalled a new one. This is a screencast from the new install: http://n.vhost.vn/2018-04-01_03-22-22.mp4

I use CentOS Linux release 7.4.1708 (Core)

AdamB-pl commented 6 years ago

Hello, I had a similar problem. I created two accounts in the system, "anazmy" and "jsmith", to be sure I didn't do anything wrong by modifying the provided host.json file.

I was able to connect normally with the account anazmy, but not with jsmith, so I used the ssh client with the -vvv flag and streamed all the errors to a file.

So I simply changed the permission of the file with chmod to 777 and the gateway started working normally on both accounts (maybe the script creates this file as user anazmy)...

chmod 777 /var/log/aker/aker.log

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 174, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 123, in __init__
    level=config.log_level)
  File "/usr/lib64/python2.7/logging/__init__.py", line 1529, in basicConfig
    hdlr = FileHandler(filename, mode)
  File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/aker/aker.log'

anazmy commented 6 years ago

The file /var/log/aker/aker.log is meant to have perms 777, well for now at least. How did you install the server?

AdamB-pl commented 6 years ago

I installed Aker gateway manually on a clean CentOS 7 based on the documentation; only one thing I did differently:

I installed python2-pip.noarch to upgrade setuptools and install pyte.

Probably I know what causes the problem. In the documentation we have:

chmod 777 /var/log/aker

but it should be:

touch /var/log/aker/aker.log
chmod 777 /var/log/aker -R

1  ip addr
2  nmcli c s
3  nmcli c up enp0s3
4  nmcli c up enp0s8
5  ip addr
6  nmcli c s
7  nmcli c e enp0s8
8  nmcli c up enp0s8
9  ip addr

10  yum update
11  reboot
12  nmcli c s
13  nmcli c up enp0s3
14  nmcli c up enp0s8
15  ip addr
16  nmcli c s
17  nmcli c e enp0s3
18  nmcli c e enp0s8
19  shutdown -h now
20  yum search python
21  yum -y install epel-release
22  yum -y install python2-paramiko python-configparser python-redis python-urwid python2-wcwidth redis
23  systemctl start redis
24  systemctl enable redis
25  yum search pyte
26  pip install
27  yum install pip
28  yum search pip
29  yum install -ypython2-pip.noarch
30  yum install -y python2-pip.noarch
31  pip install pip
32  pip install --upgrade pip
33  pip install pip
34  pip install pyte
35  pip install setuptools
36  pip install --upgrade setuptools
37  pip install pyte
38  yum install git
39  git clone https://github.com/aker-gateway/Aker.git /usr/bin/aker/
40  chmod 755 /usr/bin/aker/aker.py
41  chmod 755 /usr/bin/aker/akerctl.py
42  mkdir /var/log/aker
43  chmod 777 /var/log/aker
44  vim /etc/ssh/sshd_config
45  yum install vim mc tcpdump
46  vim /etc/ssh/sshd_config
47  systemctl restart sshd
48  systemctl status sshd
49  systemctl reload sshd
50  systemctl restart ssh
51  systemctl restart sshd
52  systemctl status sshd
53  vim /etc/ssh/sshd_config
54  systemctl restart ssh
55  systemctl restart sshd
56  journalctl -xe
57  vim /etc/ssh/sshd_config
58  systemctl restart sshd
59  systemctl restart redis
60  mkdir /etc/aker
61  cd /etc/aker
62  ls
63  cp /usr/bin/aker/aker.ini .
64  ls
65  vim aker.ini
66  cp /usr/bin/aker/hosts.json .
67  ls
68  vim hosts.json
69  useradd anazmy
70  cd /home/
71  ls
72  passwd anazmy
73  pwd
74  cd /etc/aker/
75  ls
76  cat hosts.json
77  adduser jsmith
78  passwd jsmith
79  tail /var/log/aker/aker.log
80  systemctl restart redis
81  tail /var/log/messages
82  tail /var/log/audit/audit.log
83  journalctl -xe
84  ls -la /var/log/aker/aker.log
85  chmod 777 /var/log/aker/aker.log
86  w
87  history

AdamB-pl commented 6 years ago

To be honest, I am also thinking about whether we can avoid the 777 problem of the aker logs by creating an additional group, giving sticky-bit group ownership with full permissions to the folder /var/log/aker and pinning all agent accounts to that group. Also, that will help with the sshd configuration...

I will test the theory when I find some spare time at work and if that works I will write a few words about it...

anazmy commented 6 years ago

Exactly, that was my suspicion. I changed the 777 perms setting in the setup playbook but not in the README.

Let me fix that.

AdamB-pl commented 6 years ago

I tested my theory and it works flawlessly - it gives the opportunity to create aker.log; I only still have to test the connection:

[root@localhost ~]# groupadd Aker-agent
[root@localhost ~]# mkdir /var/log/aker
[root@localhost ~]# chown root:Aker-agent /var/log/aker
[root@localhost ~]# chmod 2770 /var/log/aker
[root@localhost ~]# setfacl -d -m g:Aker-agent:rwx /var/log/aker
[root@localhost ~]# setfacl -m g:Aker-agent:rwx /var/log/aker

All files created in the /var/log/aker directory will have RW group permissions, so even if logrotate reloads the logs or your scripts pack and remove them, it will still work.

[root@localhost aker]# getfacl aker.log
# file: aker.log
# owner: micky
# group: Aker-agent
user::rw-
group::rwx                      #effective:rw-
group:Aker-agent:rwx            #effective:rw-
mask::rw-
other::r--

I think adding all agents to one group is a better approach - the home directory has permissions 700 so there shouldn't be any problem...

[root@localhost home]# useradd -g Aker-agent -s  /usr/bin/aker/aker.py  jessie
[root@localhost home]# passwd jessie
Changing password for user jessie.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost aker]# useradd  -s  /usr/bin/aker/aker.py micky
[root@localhost aker]# usermod -aG Aker-agent micky
[root@localhost aker]# passwd micky
Changing password for user micky.
New password:
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.
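
The thread's root cause (a log file the login user cannot open makes aker.py, which is the user's login shell, die before the TUI appears, so sshd just closes the session) and the two fixes discussed (chmod 777 versus a dedicated group) are shown below in a small added example. It is not Aker's own code; the logger name, the scratch directory and the finding texts are my own constructions.

```python
"""Added example (not Aker's code): why an unwritable log file kills the SSH
session at login, and what a defender should check instead of chmod 777."""
import logging
import os
import stat
import sys
import tempfile


def setup_logging(log_path, level=logging.DEBUG, fallback=sys.stderr):
    """Open log_path like logging.basicConfig(filename=...) would, but do not
    let the failure escape: fall back to a stream and say why.
    Returns (logger, mode) with mode 'file' or 'fallback'."""
    logger = logging.getLogger("aker-example")          # hypothetical logger name
    logger.setLevel(level)
    for old in list(logger.handlers):                   # idempotent on repeated calls
        logger.removeHandler(old)
    fmt = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
    try:
        handler = logging.FileHandler(log_path)         # the call that raised EACCES in the thread
        mode, reason = "file", None
    except (IOError, OSError) as exc:                   # py2 IOError / py3 PermissionError, FileNotFoundError
        handler = logging.StreamHandler(fallback)
        mode, reason = "fallback", str(exc)
    handler.setFormatter(fmt)
    logger.addHandler(handler)
    logger.propagate = False
    if reason:
        logger.error("cannot open %s (%s); logging to fallback stream", log_path, reason)
    return logger, mode


def audit_log_path(path):
    """Return findings (empty list = OK) for a log file or directory:
    world-writable (the README's chmod 777), unwritable by the current user
    (the crash above), or a group-writable directory without setgid."""
    findings = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: cannot stat (%s)" % (path, exc)]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_mode & stat.S_IWOTH:
        findings.append("%s: world-writable (mode %o); any local user can alter the session log" % (path, mode))
    if not os.access(path, os.W_OK):
        findings.append("%s: not writable by uid %d; aker.py would crash at startup" % (path, os.getuid()))
    if stat.S_ISDIR(st.st_mode) and (st.st_mode & stat.S_IWGRP) and not (st.st_mode & stat.S_ISGID):
        findings.append("%s: group-writable directory without setgid; new files keep the creator's group" % path)
    return findings


def demo():
    """Run both scenarios in a constructed scratch directory and return the results."""
    scratch = tempfile.mkdtemp(prefix="aker-example-")
    good = os.path.join(scratch, "aker.log")
    logger, good_mode = setup_logging(good)
    logger.info("Core: Starting up (constructed sample line)")
    for h in logger.handlers:
        h.flush()
    results = {"good_mode": good_mode, "good_findings": audit_log_path(good)}
    os.chmod(good, 0o777)                                # reproduce the README's advice
    results["777_findings"] = audit_log_path(good)
    unopenable = os.path.join(scratch, "no-such-dir", "aker.log")  # same exception class as EACCES
    results["bad_mode"] = setup_logging(unopenable)[1]
    return results


if __name__ == "__main__":
    print(demo())
```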

AdamB-pl commented 6 years ago

I encountered a problem: I tried to add a server to fully test the connection, without success. I'm not sure if I need to create an individual key pair for every server and create an account with the same name as the agent? For example, does user jessie need her own key pair and an account created on the server that I connect to, with the public key uploaded? I will test that more...

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 174, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 136, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 349, in start
    self.loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 271, in run
    self.screen.run_wrapper(self._run)
  File "/usr/lib64/python2.7/site-packages/urwid/raw_display.py", line 241, in run_wrapper
    return fn()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 336, in _run
    self.event_loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 707, in run
    self._loop()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 786, in _loop
    self._watch_files[fd]()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 387, in _update
    self.process_input(keys)
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 487, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib64/python2.7/site-packages/urwid/wimp.py", line 642, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/bin/aker/tui.py", line 76, in keypress
    self.focus.original_widget.get_caption())
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 120, in emit
    result |= bool(callback(*args_copy))
  File "/usr/bin/aker/tui.py", line 331, in host_chosen_handler
    self.aker.init_connection(host)
  File "/usr/bin/aker/aker.py", line 157, in init_connection
    session.connect(screen_size)
  File "/usr/bin/aker/session.py", line 40, in connect
    self._client.connect(self.host, self.host_port, size)
  File "/usr/bin/aker/SSHClient.py", line 68, in connect
    self._socket.connect((ip, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -2] Name or service not known

AdamB-pl commented 6 years ago

I found somewhere that "socket.gaierror: [Errno -2] Name or service not known" can be caused by failing to look up and resolve a hostname, so I added an additional line in /etc/hosts and used that name for the testing host. Sadly that didn't work.

Logs from the session:

  File "/usr/bin/aker/aker.py", line 174, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 136, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 349, in start
    self.loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 271, in run
    self.screen.run_wrapper(self._run)
  File "/usr/lib64/python2.7/site-packages/urwid/raw_display.py", line 241, in run_wrapper
    return fn()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 336, in _run
    self.event_loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 707, in run
    self._loop()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 786, in _loop
    self._watch_files[fd]()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 387, in _update
    self.process_input(keys)
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 487, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib64/python2.7/site-packages/urwid/wimp.py", line 642, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/bin/aker/tui.py", line 76, in keypress
    self.focus.original_widget.get_caption())
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 120, in emit
    result |= bool(callback(*args_copy))
  File "/usr/bin/aker/tui.py", line 331, in host_chosen_handler
    self.aker.init_connection(host)
  File "/usr/bin/aker/aker.py", line 157, in init_connection
    session.connect(screen_size)
  File "/usr/bin/aker/session.py", line 40, in connect
    self._client.connect(self.host, self.host_port, size)
  File "/usr/bin/aker/SSHClient.py", line 68, in connect
    self._socket.connect((ip, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -2] Name or service not known

Aker logs in debug:

2018-05-07 15:28:25,147 - INFO - Core: Starting up, user=anazmy from=192.168.56.1:52963
2018-05-07 15:28:25,148 - DEBUG - Core: using Identity Provider Json
2018-05-07 15:28:25,148 - INFO - IdPFactory: trying dynamic loading of module : Json
2018-05-07 15:28:25,149 - INFO - Json: loaded
2018-05-07 15:28:25,149 - DEBUG - Json: loading all hosts from /etc/aker/hosts.json
2018-05-07 15:28:25,150 - DEBUG - Json: loading all users from /etc/aker/hosts.json
2018-05-07 15:28:25,150 - DEBUG - Json: loading all usergroups from /etc/aker/hosts.json
2018-05-07 15:28:25,150 - DEBUG - Json: loading hosts/groups for user anazmy
2018-05-07 15:28:25,150 - DEBUG - Json: loading host web1.ipa.example for user anazmy
2018-05-07 15:28:25,150 - DEBUG - Json: loading host db1.ipa.example for user anazmy
2018-05-07 15:28:25,150 - DEBUG - Json: loading host db2.ipa.example for user anazmy
2018-05-07 15:28:25,155 - DEBUG - Hosts: loading host web1.ipa.example from cache
2018-05-07 15:28:25,155 - DEBUG - Hosts: loading host db1.ipa.example from cache
2018-05-07 15:28:25,156 - DEBUG - Hosts: loading host db2.ipa.example from cache
2018-05-07 15:28:25,156 - INFO - Hosts: loading hosts from cache
2018-05-07 15:28:25,156 - DEBUG - Core: Drawing TUI
2018-05-07 15:28:25,158 - DEBUG - TUI: tui started
2018-05-07 15:28:25,892 - DEBUG - TUI: user anazmy chose hostgroup linuxservers
2018-05-07 15:28:25,892 - DEBUG - TUI: host web1.ipa.example is in hostgroup linuxservers, adding
2018-05-07 15:28:25,892 - DEBUG - TUI: host db1.ipa.example is in hostgroup linuxservers, adding
2018-05-07 15:28:25,893 - DEBUG - TUI: host db2.ipa.example is in hostgroup linuxservers, adding
2018-05-07 15:28:25,893 - DEBUG - TUI: Host search handler called with text
2018-05-07 15:28:25,893 - DEBUG - TUI: host web1.ipa.example matches search text
2018-05-07 15:28:25,893 - DEBUG - TUI: host db1.ipa.example matches search text
2018-05-07 15:28:25,893 - DEBUG - TUI: host db2.ipa.example matches search text
2018-05-07 15:28:26,804 - DEBUG - TUI: user anazmy chose server db2.ipa.example
2018-05-07 15:28:26,804 - DEBUG - Core: pausing TUI
2018-05-07 15:28:26,804 - DEBUG - TUI: tui paused
2018-05-07 15:28:26,805 - DEBUG - Session: Base Session created
2018-05-07 15:28:26,805 - DEBUG - Client: Client Created
2018-05-07 15:28:26,805 - DEBUG - Session: SSHSession created
2018-05-07 15:28:26,805 - DEBUG - Sniffer: Creating Pyte screen with cols 233 and rows 55
2018-05-07 15:28:26,806 - DEBUG - Sniffer: Sniffer Created
2018-05-07 15:28:26,806 - INFO - Core: Starting session UUID e85dea4c-ea58-4300-869f-f04550c671cd for user anazmy to host db2.ipa.example

anazmy commented 6 years ago

As for setting xattrs using setfacl: it might not be feasible in some enterprise environments to force a user group on all users. I think I need to put some thought into this point to find a convenient way.

As for the "Name or service not known", better have it reported in a separate issue to avoid confusion.

y3lin4ung commented 5 years ago

I was delayed in accessing the remote server just like you! Finally, I got access to the remote servers and noticed we have the same errors. I changed the hostname in /etc/aker/host.json to the "blurblur" hostname, not the "blurblur.google.com" domain. And it was my fault, I had changed "port": to 22, not ssh!!

FYI

everywan-dev commented 5 years ago

I have terminated both gateway servers and reinstalled a new one. This is a screencast from the new install: http://n.vhost.vn/2018-04-01_03-22-22.mp4

I use CentOS Linux release 7.4.1708 (Core)

I have the same problem, does anyone know the solution? I'm sure it's silly but I cannot find anything...

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 174, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 136, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 349, in start
    self.loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 271, in run
    self.screen.run_wrapper(self._run)
  File "/usr/lib64/python2.7/site-packages/urwid/raw_display.py", line 241, in run_wrapper
    return fn()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 336, in _run
    self.event_loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 707, in run
    self._loop()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 786, in _loop
    self._watch_files[fd]()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 387, in _update
    self.process_input(keys)
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 487, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib64/python2.7/site-packages/urwid/wimp.py", line 642, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/bin/aker/tui.py", line 76, in keypress
    self.focus.original_widget.get_caption())
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 120, in emit
    result |= bool(callback(*args_copy))
  File "/usr/bin/aker/tui.py", line 331, in host_chosen_handler
    self.aker.init_connection(self.user.allowed_ssh_hosts[host].fqdn)
  File "/usr/bin/aker/aker.py", line 157, in init_connection
    session.connect(screen_size)
  File "/usr/bin/aker/session.py", line 40, in connect
    self._client.connect(self.host, self.host_port, size)
  File "/usr/bin/aker/SSHClient.py", line 68, in connect
    self._socket.connect((ip, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Conexión rehusada

anazmy commented 5 years ago

I have terminated both gateway servers and reinstalled a new one. This is a screencast from the new install: http://n.vhost.vn/2018-04-01_03-22-22.mp4 I use CentOS Linux release 7.4.1708 (Core)

I have the same problem, does anyone know the solution? I'm sure it's silly but I cannot find anything...

Traceback (most recent call last):
  File "/usr/bin/aker/aker.py", line 174, in <module>
    Aker().build_tui()
  File "/usr/bin/aker/aker.py", line 136, in build_tui
    self.tui.start()
  File "/usr/bin/aker/tui.py", line 349, in start
    self.loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 271, in run
    self.screen.run_wrapper(self._run)
  File "/usr/lib64/python2.7/site-packages/urwid/raw_display.py", line 241, in run_wrapper
    return fn()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 336, in _run
    self.event_loop.run()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 707, in run
    self._loop()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 786, in _loop
    self._watch_files[fd]()
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 387, in _update
    self.process_input(keys)
  File "/usr/lib64/python2.7/site-packages/urwid/main_loop.py", line 487, in process_input
    k = self._topmost_widget.keypress(self.screen_size, k)
  File "/usr/lib64/python2.7/site-packages/urwid/wimp.py", line 642, in keypress
    return self._current_widget.keypress(size, key)
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/lib64/python2.7/site-packages/urwid/container.py", line 1102, in keypress
    return self.body.keypress( (maxcol, remaining), key )
  File "/usr/bin/aker/tui.py", line 76, in keypress
    self.focus.original_widget.get_caption())
  File "/usr/lib64/python2.7/site-packages/urwid/signals.py", line 120, in emit
    result |= bool(callback(*args_copy))
  File "/usr/bin/aker/tui.py", line 331, in host_chosen_handler
    self.aker.init_connection(self.user.allowed_ssh_hosts[host].fqdn)
  File "/usr/bin/aker/aker.py", line 157, in init_connection
    session.connect(screen_size)
  File "/usr/bin/aker/session.py", line 40, in connect
    self._client.connect(self.host, self.host_port, size)
  File "/usr/bin/aker/SSHClient.py", line 68, in connect
    self._socket.connect((ip, port))
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Conexión rehusada

Can you please report this on a separate issue with debug logs. Your log implies this is something else.

AdamB-pl commented 5 years ago

In the end, I gave up on this solution; maybe in the future I will try again. As a substitute I set up a GateOne instance and it has worked for more than half a year without major problems.

Maybe this is a temporary "workaround", but still, I want to set up the Aker gateway...

Project: https://github.com/liftoff/GateOne

Best regards, Adam B.