Closed GoogleCodeExporter closed 8 years ago
The directory /tmp/certificates exists and it has write permission for the shellinabox group.
Original comment by alejandr...@gmail.com on 12 Jul 2009 at 6:39
The Debian package already starts the daemon for you and if it can find the "openssl" binary, it stores self-signed certificates in "/var/lib/shellinabox".
If you don't want the daemon to be started automatically, you will need to disable it in "/etc/default/shellinabox". But then you need to figure out how to correctly set it up yourself, so I don't recommend that approach for most users.
If you then decide to start it manually, you have to make sure that the certificate directory has the right permissions. By default, shellinabox will drop privileges to become "nobody". So, if the directory isn't accessible by "nobody", shellinabox won't be able to serve encrypted connections. And that's most likely the problem you are seeing.
Of course, changing the directory to be owned by "nobody" would be a bad idea. Anybody who can become "nobody" would then be able to read your private keys.
Instead, you should create a dedicated user for the shellinabox daemon. And that's what the Debian package does for you. You will notice that after installing the package you have a "shellinabox" user. And that "/var/lib/shellinabox" is owned by "shellinabox".
You then also need to make sure that you pass the right command line flags to switch to this user.
In other words, if you use the default settings that the package configures after a "dpkg -i", and if "openssl" is available in "/usr/bin", things should work out of the box. Just point your browser to "http://localhost:4200/".
If that doesn't work, that would be a bug. But I'd need to know more details to figure out how your system is different from other Debian machines.
Original comment by zod...@gmail.com on 12 Jul 2009 at 6:49
I've also tried running SIAB with the same command line arguments mentioned on the man page:
"shellinaboxd -c certificates -g shellinaboxd
If the certificates directory exists and is writable by the shellinaboxd group, self-signed SSL certificates will be generated in this directory. Running this command as root allows any user on the system to log in at http://localhost:4200/. Sessions will automatically be promoted to SSL/TLS."
The shellinaboxd group doesn't exist (I don't know if that's a typo in the man page, or a problem with the Debian package). So I used -g shellinabox (that's the group name created by the installer).
Then if I point the browser to http://localhost:4200/ I can log in without any problems. However, the session is never promoted to SSL/TLS (or at least the browser doesn't show any visual cues about that, like the URL changing to https or a warning about a self-signed certificate).
Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:03
Just to discard permission related problems, I've run chmod 777 /tmp/certificates, but I still get the same behaviour (i.e., http access works OK, but session doesn't get promoted to SSL).
Also, openssl is installed:
ii openssl 0.9.8c-4etch5
and the openssl command is available under /usr/bin
I'd be happy to provide any additional information required in order to diagnose this problem.
Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:10
Thank you for pointing out the misleading example in the manual page. I'll update that.
In the meantime, do you have Google Talk enabled? If so, that might be the easiest way to debug this issue, if you have a few minutes time.
Original comment by zod...@gmail.com on 12 Jul 2009 at 7:20
Installing SIAB on a virtual machine running Lenny seems to work. I say "seems" because I get a certificate.pem file under /tmp/certificates as soon as I run shellinaboxd -c /tmp/certificates -g shellinabox (on the Etch box, that file isn't created when issuing the same command).
However, when I access http://lennyhost:4200, the connection gets redirected to https, and then Firefox gives this message: "Firefox can't connect securely to lennyhost because the site uses a security protocol which isn't enabled" (I'm not quite sure about what that really means).
The certificate.pem file has a 0 byte length, so I guess that something must be wrong:
-r-------- 1 nobody shellinabox 0 2009-07-12 16:23 certificate.pem
Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:29
If I create the certificate manually under /var/lib/shellinabox by running openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -out certificate.pem -subj '/CN=localhost/', and then run SIAB using the same command that is used by the script on init.d (/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --no-beep), the behavior is still the same (http works fine, https doesn't).
ls /var/lib/shellinabox -l
-rwxrwxrwx 1 shellinabox shellinabox 790 2009-07-12 17:25 certificate.pem
-rwxrwxrwx 1 shellinabox shellinabox 887 2009-07-12 17:25 privkey.pem
I'll try to run SIAB on an official Debian Lenny LiveCD and see what happens.
Original comment by alejandr...@gmail.com on 12 Jul 2009 at 8:37
Original issue reported on code.google.com by alejandr...@gmail.com on 12 Jul 2009 at 6:36
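Added example, not part of the thread and not shellinabox project code: a shell function that checks a certificate directory for the conditions that came up above (directory not owned by the dedicated daemon user, world-writable directory after chmod 777, a 0-byte certificate.pem, and .pem files readable beyond their owner). The function name audit_cert_dir and the finding labels are hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example: audit a shellinaboxd certificate directory.
# Usage: audit_cert_dir /var/lib/shellinabox shellinabox
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
# Assumes GNU coreutils stat (-c). Names and labels here are hypothetical.
audit_cert_dir() {
    dir=$1; want_user=$2; findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR $dir"
        return 1
    fi

    # The directory should belong to the dedicated daemon user, not "nobody".
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$want_user" ]; then
        echo "DIR_OWNER $dir owned by $owner, expected $want_user"
        findings=1
    fi

    # Last octal digit holds the "other" bits; 2, 3, 6 and 7 include write.
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *[2367]) echo "DIR_WORLD_WRITABLE $dir mode $mode"; findings=1 ;;
    esac

    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        # A 0-byte file means certificate generation did not complete.
        if [ ! -s "$f" ]; then
            echo "EMPTY_FILE $f"
            findings=1
        fi
        # Expect owner-only access, like the -r-------- file the daemon wrote.
        fmode=$(stat -c '%a' "$f")
        case $fmode in
            ?00|0) ;;
            *) echo "LOOSE_MODE $f mode $fmode"; findings=1 ;;
        esac
    done
    return $findings
}
```

Run it as root or as the daemon user so that stat can read the directory; an empty result with exit status 0 means none of the four conditions were found.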