Closed guanana closed 7 years ago
Confirmed. Teleport does not process /etc/login.defs resulting in $PATH not being set on custom shells.
@guanana Can you please try this build and let me know if it works on your system: http://s3.gravitational.io/ev/teleport-v1.0.4-linux-amd64-bin.tar.gz
This build must report this version (Notice git ref):
> teleport version
Teleport v1.0.4 git:v1.0.4-3-gbedc5d5
Yes! It works perfect! Thank you!
Hi, I was checking the patch more deeply and I just found that on some of the servers, just in some sessions, it loads the PATH env with a shorter version.... I mean
Load normal ssh
MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
PWD=/root
LANG=en_GB.UTF-8
SELINUX_LEVEL_REQUESTED=
HISTCONTROL=ignoredups
SHLVL=1
HOME=/root
LOGNAME=root
CVS_RSH=ssh
server-apps ~ # whoami root
Log with teleport
MAIL=/var/spool/mail/
**PATH=/usr/local/sbin:/usr/sbin:/sbin::/root/bin
PWD=/root
**LANG=en_US.UTF-8
HISTCONTROL=ignoredups
SHLVL=1
HOME=/root
**LOGNAME=
CVS_RSH=ssh
server-apps ~ # /usr/bin/whoami root
@guanana can you attach /etc/login.defs file from that machine please? Thanks.
Nothing special really with root user (I think we never changed it). The special user is another one; it is because of that I didn't advertise this failure before, because the "special" user seems to work just fine.
/etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
@guanana ok I have a beta build for you:
http://s3.gravitational.io/ev/teleport-v1.0.5-beta.1-linux-amd64-bin.tar.gz
The reported version should be:
> teleport version
Teleport v1.0.5-beta.1 git:v1.0.4-5-gd078086
It may not match the defaults on your system (you have a rare case of ENV_SUPATH not defined) but the behavior should be acceptable and compatible.
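An added example, not Teleport's code and not part of the thread: one way a node can derive the initial PATH from /etc/login.defs when ENV_SUPATH or ENV_PATH may be missing, as in the file posted above. The function names are hypothetical, the fallback values are the defaults documented in login.defs(5) rather than Teleport's, and the sample input is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Assumed fallbacks (login.defs(5) defaults) for when the keys are absent.
const fallbackUserPath, fallbackRootPath = "/bin:/usr/bin", "/sbin:/bin:/usr/sbin:/usr/bin"

// DefaultPath returns the PATH a login for uid should start with, read from
// login.defs content: ENV_SUPATH for uid 0, ENV_PATH for everyone else.
func DefaultPath(loginDefs io.Reader, uid int) string {
	key, path := "ENV_PATH", fallbackUserPath
	if uid == 0 {
		key, path = "ENV_SUPATH", fallbackRootPath
	}
	sc := bufio.NewScanner(loginDefs)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// Skip blanks, comments ("#ENV_PATH ...") and other keys.
		if len(fields) < 2 || fields[0] != key {
			continue
		}
		// Values are usually written as "PATH=/bin:/usr/bin".
		path = strings.TrimPrefix(fields[1], "PATH=")
	}
	return cleanPath(path)
}

// cleanPath drops empty and relative entries: an empty element (the "::" in
// the session dump above) makes the shell search the current directory.
func cleanPath(path string) string {
	var kept []string
	for _, dir := range strings.Split(path, ":") {
		if strings.HasPrefix(dir, "/") {
			kept = append(kept, dir)
		}
	}
	return strings.Join(kept, ":")
}

func main() {
	// Constructed sample: like the file posted above, ENV_SUPATH is absent.
	sample := "MAIL_DIR /var/spool/mail\n#ENV_SUPATH PATH=/sbin\nENV_PATH PATH=/usr/local/bin:/usr/bin::/bin\n"
	fmt.Println("root:", DefaultPath(strings.NewReader(sample), 0))
	fmt.Println("user:", DefaultPath(strings.NewReader(sample), 500))
}
```

Because the result is never empty, a shell that appends to PATH at startup always finds the variable set.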
Yes, it seems to solve the problem.
Thanks again for your quick reply.
@guanana this will be merged into the official 1.0.5 release. Meanwhile you can use the binaries provided above. Thanks for reporting this!
Hi, It seems to be solved but I just found that with the new version I receive this error and automatic disconnection
Traceback (most recent call last):
File "/usr/bin/lshell", line 27, in <module>
lshell.main()
File "/usr/lib/python2.6/site-packages/lshell.py", line 1446, in main
userconf = CheckConfig(args).returnconf()
File "/usr/lib/python2.6/site-packages/lshell.py", line 762, in __init__
self.get_config_user()
File "/usr/lib/python2.6/site-packages/lshell.py", line 1227, in get_config_user
os.environ['PATH'] = os.environ['PATH'] + self.conf['env_path']
File "/usr/lib64/python2.6/UserDict.py", line 22, in __getitem__
raise KeyError(key)
KeyError: 'PATH'
@guanana can you post the output of teleport -d version please?
[root@teleport-proxy-1 etc]# tsh -d --proxy=teleport-proxy-1.example.local --user smith2 -l viewlogs ssh ukpdap18d
INFO[0000] using FSLocalKeyStore file=client/keystore.go:73
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local/smith2.cert valid until 2016-09-14 20:11:25.218737744 +0000 UTC file=client/keystore.go:187
ERRO[0000] open /root/.tsh/keys/teleport-proxy-2.example.local/smith2.cert: no such file or directory file=client/keystore.go:166
INFO[0000] SSH_AUTH_SOCK is not set. Is local SSH agent running? file=client/api.go:1027
INFO[0000] returning cert /root/.tsh/keys/teleport-proxy-1.example.local/smith2.cert valid until 2016-09-14 20:11:25.218737744 +0000 UTC file=client/keystore.go:187
ERRO[0000] open /root/.tsh/keys/teleport-proxy-2.example.local/smith2.cert: no such file or directory file=client/keystore.go:166
INFO[0000] connecting to proxy: teleport-proxy-1.example.local:3023 with host login joe2 file=client/api.go:819
DEBU[0000] checking host key of teleport-proxy-1.example.local:3023
file=client/keyagent.go:105
INFO[0000] Successfully authenticated with teleport-proxy-1.example.local:3023 file=client/api.go:831
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-09-14T09:12:14.248192262+01:00","status":"online"}] file=client/client.go:113
INFO[0000] connecting to node: ukpdap18d:3022@apps file=client/client.go:177
DEBU[0000] checking host key of ukpdap18d:3022@apps
file=client/keyagent.go:105
INFO[0000] proxyClient.GetSites() returned: [{"name":"apps","lastconnected":"2016-09-14T09:12:14.291136957+01:00","status":"online"}] file=client/client.go:113
INFO[0000] connecting to node: @apps file=client/client.go:177
DEBU[0000] checking host key of @apps
file=client/keyagent.go:105
Traceback (most recent call last):
File "/usr/bin/lshell", line 27, in <module>
lshell.main()
File "/usr/lib/python2.6/site-packages/lshell.py", line 1446, in main
userconf = CheckConfig(args).returnconf()
File "/usr/lib/python2.6/site-packages/lshell.py", line 762, in __init__
self.get_config_user()
File "/usr/lib/python2.6/site-packages/lshell.py", line 1227, in get_config_user
os.environ['PATH'] = os.environ['PATH'] + self.conf['env_path']
File "/usr/lib64/python2.6/UserDict.py", line 22, in __getitem__
raise KeyError(key)
KeyError: 'PATH'
Connection to ukpdap18d:3022 closed from the remote side
Nothing really special. It is working with bash, but not with that shell, lshell. The point is that it was working with the last release of teleport when I submitted the error; I don't know exactly what changed.
@guanana it's the same issue as before: the PATH variable is not set, and the current version has the fix, so seeing the output of teleport version and tsh version (both server and client) would be great, thanks.
Basically, is it now merged?
My version on both (client and server) is 1.0.5 (last release)
Yes, somehow the original fix did not get merged into master by accident. It's been re-merged, we'll push 1.0.6 out soon (or you can build your own from current master)
Hi,
I'm trying to establish a connection to one machine with a user that does not have bash defined as the default shell. Instead of that it has lshell (restricted shell). I cannot connect (I can without any problem with other users that use bash). Could you please tell me which dependencies are needed in the remote shell to connect (not the proxy or the auth server, just the node), or tell me if tsh is just expecting bash and that is why it fails?
I attach the debug output in case it is useful
BTW Perfect job with the last bug, thanks!
[root@teleport-auth ~]# tsh --proxy=teleport-proxy-1 --user=test -l viewlogs -d ssh live-cluster-2
Client-Logs