gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Connect to another console (not bash) #494

Closed guanana closed 7 years ago

guanana commented 7 years ago

Hi,

I'm trying to establish a connection to one machine with a user whose default shell is not bash. Instead it has lshell (restricted shell). I cannot connect (I can without any problem with other users that use bash). Could you please tell me what dependencies are needed in the remote shell to connect (not the proxy or the auth server, just the node), or tell me if tsh is just expecting bash and that is why it fails?

I've attached the debug output in case it is useful.

BTW Perfect job with the last bug, thanks!

[root@teleport-auth ~]# tsh --proxy=teleport-proxy-1 --user=test -l viewlogs -d ssh live-cluster-2

INFO[0000] using FSLocalKeyStore                         file=client/keystore.go:73
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local:3033/test.cert valid until 2016-08-08 20:21:04.646281973 +0000 UTC  file=client/keystore.go:187
INFO[0000] SSH_AUTH_SOCK is not set. Is local SSH agent running?  file=client/api.go:1023
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local:3033/test.cert valid until 2016-08-08 20:21:04.646281973 +0000 UTC  file=client/keystore.go:187
INFO[0000] connecting to proxy: teleport-proxy-1:3023 with host login root  file=client/api.go:815
DEBU[0000] checking host key of teleport-proxy-1:3023    file=client/keyagent.go:105
INFO[0000] Successfully authenticated with teleport-proxy-1:3023  file=client/api.go:827
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-08-08T09:48:44.913093956+01:00","status":"online"}]  file=client/client.go:113
INFO[0000] connecting to node: live-cluster-2:3022@apps       file=client/client.go:177
DEBU[0000] checking host key of live-cluster-2:3022@apps      file=client/keyagent.go:105
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-08-08T09:48:45.014205503+01:00","status":"online"}]  file=client/client.go:113
INFO[0000] connecting to node: @apps                     file=client/client.go:177
DEBU[0000] checking host key of @apps                    file=client/keyagent.go:105
Connection to live-cluster-2:3022 closed from the remote side

Client-Logs

Aug  8 09:49:32 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:32+01:00" level=info msg="0.0.0.0:3022 accepted connection from XX.XXX.5.100:40907"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="conn(XX.XXX.5.100:40907->YY.YYY.200.110:3022, user=viewlogs) auth attempt with key ssh-rsa-cert-v01@openssh.com 05:fa:28:78:71:52:de:bf:a4:31:13:35:4c:32:c5:13"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="successfully authenticated" file="srv/sshserver.go:501" fingerprint="ssh-rsa-cert-v01@openssh.com 05:fa:28:78:71:52:de:bf:a4:31:13:35:4c:32:c5:13" local=YY.YYY.200.110:3022 remote=XX.XXX.5.100:40907 user=viewlogs
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="new ssh connection XX.XXX.5.100:40907 -> YY.YYY.200.110:3022 vesion: SSH-2.0-Go"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ssh.dispatch(req=env, wantReply=true)" component=node fields=map[teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs] file="srv/sshserver.go:713"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="setEnv(TELEPORT_SESSION=101c45fd-5d45-11e6-9e28-005056934fce)" component=node fields=map[login:viewlogs teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907] file="srv/ctx.go:179"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ssh.dispatch(req=env, wantReply=true)" component=node fields=map[remote:XX.XXX.5.100:40907 login:viewlogs teleportUser:test id:4 local:YY.YYY.200.110:3022] file="srv/sshserver.go:713"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="setEnv(LANG=en_GB.UTF-8)" component=node fields=map[login:viewlogs teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907] file="srv/ctx.go:179"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ssh.dispatch(req=pty-req, wantReply=true)" component=node fields=map[remote:XX.XXX.5.100:40907 login:viewlogs teleportUser:test id:4 local:YY.YYY.200.110:3022] file="srv/sshserver.go:713"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="Parsed pty request pty(enn=xterm, w=147, h=29)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="notifyWinChange(): no session found!"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ssh.dispatch(req=shell, wantReply=true)" component=node fields=map[local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs teleportUser:test id:4] file="srv/sshserver.go:713"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="[session.registry] joinShell(session: <nil>)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ssh.joinShell created new session 101c45fd-5d45-11e6-9e28-005056934fce" component=node fields=map[teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs] file="srv/sess.go:91"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="server.EmitAuditEvent(session.start)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="ctx.result = {/usr/bin/lshell 1 []}" component=node fields=map[login:viewlogs teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907] file="srv/sshserver.go:694"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="party[06e7088a-5d45-11e6-81f1-005056af03d3].Close()" component=node fields=map[local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs teleportUser:test id:4] file="srv/sess.go:828"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="session.removeParty(sess(XX.XXX.5.100:40907->YY.YYY.200.110:3022, user=viewlogs, id=4) party(id=06e7088a-5d45-11e6-81f1-005056af03d3))" component=node fields=map[teleportUser:test id:4 local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs] file="srv/sess.go:532"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="server.EmitAuditEvent(session.leave)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="TunClient[Node].Dial()"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="tunClient(Node).authServers: [{teleport-auth.example.local:3025 tcp } {teleport-auth.example.local:3025 tcp }]"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="session.io.copy() stopped"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="0001-01-01T00:00:00Z" level=info msg="party.io.copy(06e7088a-5d45-11e6-81f1-005056af03d3) closed" component=node fields=map[local:YY.YYY.200.110:3022 remote:XX.XXX.5.100:40907 login:viewlogs teleportUser:test id:4] file="srv/sess.go:684"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="[session.registry] session 101c45fd-5d45-11e6-9e28-005056934fce to be garbage collected"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="server.EmitAuditEvent(session.end)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="session.Close(101c45fd-5d45-11e6-9e28-005056934fce)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="session.close(writer=session-recorder)"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=info msg="[SSH] terminal sync stopped"
Aug  8 09:49:33 367537-vm10 /usr/bin/teleport[14140]: time="2016-08-08T09:49:33+01:00" level=error msg="os: process already finished"

kontsevoy commented 7 years ago

Confirmed. Teleport does not process /etc/login.defs resulting in $PATH not being set on custom shells.

kontsevoy commented 7 years ago

@guanana Can you please try this build and let me know if it works on your system: http://s3.gravitational.io/ev/teleport-v1.0.4-linux-amd64-bin.tar.gz

This build must report this version (notice the git ref):

> teleport version
Teleport v1.0.4 git:v1.0.4-3-gbedc5d5

guanana commented 7 years ago

Yes! It works perfectly! Thank you!

guanana commented 7 years ago

Hi, I was checking the patch more deeply and I just found that on some of the servers, in some sessions, it loads the PATH env with a shorter version. I mean:

Load normal ssh

MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
PWD=/root
LANG=en_GB.UTF-8
SELINUX_LEVEL_REQUESTED=
HISTCONTROL=ignoredups
SHLVL=1
HOME=/root
LOGNAME=root
CVS_RSH=ssh

server-apps ~ # whoami
root

Log with teleport

MAIL=/var/spool/mail/
**PATH=/usr/local/sbin:/usr/sbin:/sbin::/root/bin
PWD=/root
**LANG=en_US.UTF-8
HISTCONTROL=ignoredups
SHLVL=1
HOME=/root
**LOGNAME=
CVS_RSH=ssh

server-apps ~ # /usr/bin/whoami
root

kontsevoy commented 7 years ago

@guanana can you attach /etc/login.defs file from that machine please? Thanks.

guanana commented 7 years ago

Nothing special really with the root user (I think we never changed it). The special user is a different one; that is why I didn't report this failure before, because the "special" user seems to work just fine.

/etc/login.defs

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR  Maildir
MAIL_DIR    /var/spool/mail
#MAIL_FILE  .mail

# Password aging controls:
#
#   PASS_MAX_DAYS   Maximum number of days a password may be used.
#   PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#   PASS_MIN_LEN    Minimum acceptable password length.
#   PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN           500
UID_MAX         60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN           500
GID_MAX         60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

kontsevoy commented 7 years ago

@guanana ok I have a beta build for you:

http://s3.gravitational.io/ev/teleport-v1.0.5-beta.1-linux-amd64-bin.tar.gz

The reported version should be:

> teleport version
Teleport v1.0.5-beta.1 git:v1.0.4-5-gd078086

It may not match the defaults on your system (you have a rare case of ENV_SUPATH not defined) but the behavior should be acceptable and compatible.

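An added example, not Teleport's code and not from anyone in this thread: a small Go program that does what the fix discussed above has to do, namely read /etc/login.defs and derive the login environment for a custom shell. It uses ENV_SUPATH for uid 0 and ENV_PATH for everyone else, strips the optional "PATH=" prefix that login.defs allows on those values, and falls back to the shadow-utils defaults when a key is absent, which is the "ENV_SUPATH not defined" case from the comment above. The two sample login.defs contents, the default PATH strings, the user names and the function names are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Fallbacks used when login.defs does not define the key. Assumption: these
// are the shadow-utils defaults; confirm against login.defs(5) on the target.
const (
	defaultEnvPath   = "/usr/local/bin:/usr/bin:/bin"
	defaultEnvSuPath = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	defaultMailDir   = "/var/spool/mail"
)

// Constructed sample: a login.defs like the one posted in this thread, with
// MAIL_DIR set but neither ENV_PATH nor ENV_SUPATH defined.
const sampleLoginDefs = `
# comment lines and blanks are ignored
MAIL_DIR    /var/spool/mail
UMASK       077
ENCRYPT_METHOD SHA512
`

// Constructed sample: the same file with the root PATH defined in the
// "PATH=..." form that login.defs accepts for ENV_SUPATH.
const sampleLoginDefsWithPath = sampleLoginDefs + `
ENV_SUPATH  PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
ENV_PATH    PATH=/usr/local/bin:/bin:/usr/bin
`

// parseLoginDefs reads "KEY value" lines, skipping comments and blanks.
// A later definition of the same key overrides an earlier one.
func parseLoginDefs(r io.Reader) (map[string]string, error) {
	defs := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue // a key with no value is ignored rather than treated as an error
		}
		defs[fields[0]] = strings.Join(fields[1:], " ")
	}
	return defs, sc.Err()
}

// loginPath picks ENV_SUPATH for uid 0 and ENV_PATH otherwise, strips the
// optional "PATH=" prefix, and falls back to the default when undefined.
func loginPath(defs map[string]string, uid int) string {
	key, fallback := "ENV_PATH", defaultEnvPath
	if uid == 0 {
		key, fallback = "ENV_SUPATH", defaultEnvSuPath
	}
	v, ok := defs[key]
	if !ok || v == "" {
		return fallback
	}
	return strings.TrimPrefix(v, "PATH=")
}

// loginEnv builds the minimal environment a login shell expects to inherit.
// PATH is never left unset: a restricted shell such as lshell reads it
// before running any command, as the traceback in this thread shows.
func loginEnv(defs map[string]string, user string, uid int, home, shell string) map[string]string {
	mailDir := defs["MAIL_DIR"]
	if mailDir == "" {
		mailDir = defaultMailDir
	}
	return map[string]string{
		"PATH":    loginPath(defs, uid),
		"HOME":    home,
		"USER":    user,
		"LOGNAME": user,
		"SHELL":   shell,
		"MAIL":    mailDir + "/" + user, // MAIL_DIR/<user>; MAIL_FILE handling is omitted
	}
}

func main() {
	users := []struct {
		name, home string
		uid        int
	}{{"root", "/root", 0}, {"viewlogs", "/home/viewlogs", 1000}}
	for _, src := range []string{sampleLoginDefs, sampleLoginDefsWithPath} {
		defs, err := parseLoginDefs(strings.NewReader(src))
		if err != nil {
			fmt.Println("parse error:", err)
			return
		}
		for _, u := range users {
			env := loginEnv(defs, u.name, u.uid, u.home, "/usr/bin/lshell")
			fmt.Printf("%-8s PATH=%s MAIL=%s\n", u.name, env["PATH"], env["MAIL"])
		}
	}
}
```

Run it and compare the two passes: with the first sample, both users get the compiled-in defaults; with the second, root gets the ENV_SUPATH value with its "PATH=" prefix removed. That fallback is the behaviour the SSH daemon already provides and the reason a shell that does `os.environ['PATH']` without a default works under sshd but crashed under the node.
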
guanana commented 7 years ago

Yes, it seems to solve the problem.

Thanks again for your quick reply.

kontsevoy commented 7 years ago

@guanana this will be merged into the official 1.0.5 release. Meanwhile you can use the binaries provided above. Thanks for reporting this!

guanana commented 7 years ago

Hi, it seems to be solved, but I just found that with the new version I receive this error and an automatic disconnection:

Traceback (most recent call last):
  File "/usr/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 1446, in main
    userconf = CheckConfig(args).returnconf()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 762, in __init__
    self.get_config_user()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 1227, in get_config_user
    os.environ['PATH'] = os.environ['PATH'] + self.conf['env_path']
  File "/usr/lib64/python2.6/UserDict.py", line 22, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'

kontsevoy commented 7 years ago

@guanana can you post the output of teleport -d version please?

guanana commented 7 years ago

[root@teleport-proxy-1 etc]# tsh -d --proxy=teleport-proxy-1.example.local --user smith2 -l viewlogs ssh ukpdap18d

INFO[0000] using FSLocalKeyStore                         file=client/keystore.go:73
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local/smith2.cert valid until 2016-09-14 20:11:25.218737744 +0000 UTC  file=client/keystore.go:187
ERRO[0000] open /root/.tsh/keys/teleport-proxy-2.example.local/smith2.cert: no such file or directory  file=client/keystore.go:166
INFO[0000] SSH_AUTH_SOCK is not set. Is local SSH agent running?  file=client/api.go:1027
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local/smith2.cert valid until 2016-09-14 20:11:25.218737744 +0000 UTC  file=client/keystore.go:187
ERRO[0000] open /root/.tsh/keys/teleport-proxy-2.example.local/smith2.cert: no such file or directory  file=client/keystore.go:166
INFO[0000] connecting to proxy: teleport-proxy-1.example.local:3023 with host login joe2  file=client/api.go:819
DEBU[0000] checking host key of teleport-proxy-1.example.local:3023   file=client/keyagent.go:105
INFO[0000] Successfully authenticated with teleport-proxy-1.example.local:3023  file=client/api.go:831
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-09-14T09:12:14.248192262+01:00","status":"online"}]  file=client/client.go:113
INFO[0000] connecting to node: ukpdap18d:3022@apps       file=client/client.go:177
DEBU[0000] checking host key of ukpdap18d:3022@apps      file=client/keyagent.go:105
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-09-14T09:12:14.291136957+01:00","status":"online"}]  file=client/client.go:113
INFO[0000] connecting to node: @apps                     file=client/client.go:177
DEBU[0000] checking host key of @apps                    file=client/keyagent.go:105
Traceback (most recent call last):
  File "/usr/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 1446, in main
    userconf = CheckConfig(args).returnconf()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 762, in __init__
    self.get_config_user()
  File "/usr/lib/python2.6/site-packages/lshell.py", line 1227, in get_config_user
    os.environ['PATH'] = os.environ['PATH'] + self.conf['env_path']
  File "/usr/lib64/python2.6/UserDict.py", line 22, in __getitem__
    raise KeyError(key)
KeyError: 'PATH'
Connection to ukpdap18d:3022 closed from the remote side

Nothing really special. It is working with bash, but not with that shell, lshell. The point is that it was working with the teleport release from when I submitted the error; I don't know exactly what changed.

kontsevoy commented 7 years ago

@guanana it's the same issue as before: the PATH variable is not set, and the current version has the fix, so seeing the output of teleport version and tsh version (both server and client) would be great, thanks.

guanana commented 7 years ago

Basically, is it now merged?

My version is 1.0.5 (latest release) on both client and server.

kontsevoy commented 7 years ago

Yes, somehow the original fix did not get merged into master by accident. It's been re-merged, we'll push 1.0.6 out soon (or you can build your own from current master)