Closed GoogleCodeExporter closed 8 years ago
I am unable to get this to work in Arch unless I run using
'-t --localhost-only'. The default settings give me an SSL error, and service
unavailable.
Original comment by christer...@gmail.com
on 30 May 2010 at 6:22
If I manually create the certificate.pem it works.
Original comment by christer...@gmail.com
on 30 May 2010 at 7:10
Can you please tell me how you generated certificate.pem? I generated it as
well via openssl but it still doesn't work... Thank you
Original comment by michal.b...@gmail.com
on 31 May 2010 at 8:31
i created certificate.pem using
openssl req -new -x509 -keyout certificate.pem -out certificate.pem -days 365 -nodes; chmod 600 certificate.pem
but it does not work. any idea? jose
ps: arch linux here too.
Original comment by jose1...@gmail.com
on 1 Aug 2010 at 2:57
I am unfamiliar with Arch, and this sounds a little bit like a problem that is
specific to the Arch distribution. So, there'll only be very limited help that
I can provide.
Normally, ShellInABox is supposed to automatically generate any missing SSL
certificates. You can run it with the --debug command line option to see a
message when it tries to generate the missing certificate.
For example, if you invoked the daemon as "shellinaboxd --debug", you should
see a message that says
Received SNI callback for virtual host "localhost" from "localhost:4200"
Auto-generating missing certificate "certificate-localhost.pem" for "localhost"
This would happen the first time you connect to the server over SSL.
For the time being, I marked this issue as "WontFix", as it doesn't sound as if
there is anything I can do about it. It appears as if this is a configuration
issue in Arch Linux. But should this turn out to be a problem with ShellInABox
itself, feel free to change the status.
Original comment by zod...@gmail.com
on 1 Aug 2010 at 4:23
thank you for your explaining post. i admit this can be (and probably is)
arch's problem but i've no idea what to do in order to fix this. as you
suggested i tried with --debug flag. this is the output:
[root@darkstar ~]# shellinaboxd --debug
Command line: shellinaboxd --debug
Listening on port 4200
Substituting "nobody's" primary group for "nogroup"
Substituting "nobody's" primary group for "nogroup"
Auto-generating missing certificate "certificate.pem" for "darkstar"
Failed to generate self-signed certificate "certificate.pem"
Cannot read valid certificate from "certificate.pem". Check file permissions and file format.
this is the respective part from strace:
write(2, "Auto-generating missing certific"..., 68) = 68
write(2, "\n", 1) = 1
rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_IGN, [], 0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
clone(child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xbf80a934) = 12745
waitpid(12745, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0) = 12745
rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
write(2, "Failed to generate self-signed c"..., 60) = 60
could you please shed some light on what's going on in the above code? thank
you very much for your time and patience,
joe
Original comment by jose1...@gmail.com
on 1 Aug 2010 at 7:30
The idea of looking at "strace" output is definitely good. But I think, you'll
have to give it the "-f" option, if you want to make any sense of what's going
on. We really care why the child process is failing with an exit status of "1".
Original comment by zod...@gmail.com
on 2 Aug 2010 at 5:31
hopefully this will be helpful: http://archlinux.pastebin.com/k9wUyrpx
Original comment by jose1...@gmail.com
on 2 Aug 2010 at 5:57
It appears that the daemon is run with the current directory pointing to
"/root", but the user and group ids are 99 (no idea what that is on "arch",
maybe nobody or maybe a dedicated user for shellinabox).
This user doesn't have access to the "/root" directory. You can fix that by
either starting shellinaboxd from a different directory, or by creating a
suitable directory for the certificates and providing the "--cert" command line
option. The latter is probably the better approach.
Original comment by zod...@gmail.com
on 2 Aug 2010 at 6:26
oh great, this definitely got us further. i can now see that the certificate is
generated (certificate-localhost.pem). for some reason i get the following
error in the browser: Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH):
Unknown error.
Original comment by jose1...@gmail.com
on 2 Aug 2010 at 7:53
The problem is that these certificates are generated with SSL version 2.0; even
when I tried enabling this in the browser, it doesn't work well.
Original comment by sjkeer...@gmail.com
on 20 Sep 2010 at 3:13
ShellInABox generates certificates with this command line:
openssl req -x509 -nodes -days 7300 -newkey rsa:1024 -keyout /dev/stdout -out /dev/stdout -subj "/CN=${DOMAIN}/"
I believe, for a lot of parameters OpenSSL looks into the global "openssl.cnf"
file. Maybe, this file defaults to a different set of parameters than what is
commonly used by other OpenSSL installations?
Original comment by zod...@gmail.com
on 20 Sep 2010 at 4:32
Still no clue for the certification error pasted below.
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
Auto-generating missing certificate "certificate.pem" for "keet"
Accepted connection from localhost:52325
Handling "GET" "/"
Compressed response from 4883 to 2099
localhost - - [21/Sep/2010:18:29:44 +0530] "GET / HTTP/1.1" 200 2192
Accepted connection from localhost:52326
Switching to SSL (replaying 0+99 bytes)
Closing connection to localhost:52326
Accepted connection from localhost:52327
Switching to SSL (replaying 0+99 bytes)
Closing connection to localhost:52327
Original comment by sjkeer...@gmail.com
on 21 Sep 2010 at 1:01
[deleted comment]
Finally, after long research, I was able to succeed with https. Just follow
the instructions below and you can bring up shellinabox with https.
Self-signing could help us solve the issue of
(Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.)
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cat server.crt server.key > certificate.pem
# shellinabox
Then open the browser https://localhost:4200
Thanks,
Keerthi
Original comment by sjkeer...@gmail.com
on 22 Sep 2010 at 11:23
thank you, it works!
Original comment by jose1...@gmail.com
on 23 Sep 2010 at 10:43
I confirm this now works for secure http
Thanks everyone.
Original comment by nik.tett...@gmail.com
on 28 Oct 2010 at 12:37
Can it be fixed? I got "Segmentation fault" but it works when I generate
certificate.pem as stated above.
Original comment by totaliza...@gmail.com
on 16 Jun 2011 at 6:14
Attached is the arch openssl.cnf. Can you post the default for your
distribution?
When I do an "openssl x509 -text" for the certificate that codeinabox generates
vs the instructions in comment 15, the difference is that the codeinabox cert
says version 3 and the comment 15 one says version 1. The version 3 cert also
has a block for x509 extensions...
Original comment by m...@0x01b.net
on 20 Jul 2011 at 5:24
Attachments:
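Added example (not part of the thread and not ShellInABox's own code): the manual steps from the earlier comment condensed into one function that writes the combined certificate.pem into a dedicated directory of the kind suggested for "--cert", together with the "openssl x509 -text" comparison of certificate version and key size. The directory path and CN are assumed values, and the key is 2048-bit rather than the 1024-bit one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The directory and CN are assumed values.

# make_cert DIR CN: create DIR (mode 700) and write DIR/certificate.pem,
# certificate followed by private key, readable by the owner only.
make_cert() {
    dir=$1; cn=$2; rc=0
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        umask 077    # key material must never be group- or world-readable
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
            -subj "/CN=$cn/" -keyout "$dir/key.tmp" -out "$dir/crt.tmp" &&
        cat "$dir/crt.tmp" "$dir/key.tmp" > "$dir/certificate.pem"
    ) || rc=$?
    rm -f "$dir/key.tmp" "$dir/crt.tmp"
    return "$rc"
}

# cert_version FILE: X.509 version as shown by "openssl x509 -text" (1 or 3).
cert_version() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Version: \([0-9][0-9]*\).*/\1/p'
}

# cert_key_bits FILE: size of the certificate's public key in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# key_matches_cert FILE: succeed only if the private key in FILE belongs to
# the certificate in FILE (a mismatched pair cannot be used by a TLS server).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$1" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (hypothetical path; chown it to the account the daemon drops to):
#   make_cert /var/lib/shellinabox/certs localhost
#   cert_version /var/lib/shellinabox/certs/certificate.pem
```

Whether the result reports version 1 or 3 depends on the extensions configured in the local openssl.cnf, which is the difference the comment above observed.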
This seems to happen on distributions other than Arch too. I'm running Ubuntu
Server 11.10 and I'm facing the exact same problem.
Original comment by tomtasche
on 3 Jan 2012 at 9:00
https://github.com/jayschwa/shellinabox/commit/28ff61e1c6b622c565ff7d1b5fbeba306e937598
I have made an update that seems to resolve the
ERR_SSL_VERSION_OR_CIPHER_MISMATCH issue for me.
Original comment by Jayschwa
on 2 Feb 2012 at 6:27
It'd be nice if this was fixed. I don't know much about ssl yet in order to
make custom solutions like above.
Original comment by TruSktr
on 16 Sep 2013 at 1:51
cd /tmp, then shellinabox works perfect!
Original comment by TruSktr
on 16 Sep 2013 at 1:55
plus 1 Keerthi's answer
Original comment by andym...@gmail.com
on 5 Jun 2014 at 4:38
Original issue reported on code.google.com by
cptl....@gmail.com
on 12 Mar 2010 at 10:10