t00dm
commented
1 week ago Two users this week affected by being able to write their config prior to setting their UNIX short name.
Open t00dm opened 1 week ago
t00dm
commented
1 week ago Two users this week affected by being able to write their config prior to setting their UNIX short name.
milliams
commented
1 week ago I'm not sure how this is happening. It should be rejected by Conch if the short name is missing with an error like:
Caused by:
{"message":"Something went wrong: Could not decode JWT\n\nCaused by:\n JSON error: missing field `short_name` at line 1 column 374"}which we have seen multiple users getting when they are in this situation (which suggests that this check is working).
In the event that their short name is set, but to an empty string, Conch should also reject that at https://github.com/isambard-sc/conch/blob/0.1.9/src/main.rs#L293 but that should only happen if Keycloak (via Waldur) is setting the short name to an empty string explicitly.
To debug this I'd need to see a user, at the point they're getting this happening, so I can check how everything is configured in the background.
Reject authentication with suitable error if UNIX short name has not been set. A failure message and suitable warning or link to documentation should be produced instead of a successful clifton authentication.
At the moment it appears a user can still use
clifton authwithout setting a UNIX short-name and they can attempt to SSH login, but the bastion sees.project(nothing before the dot). This makes it appear there is an SSH error when the issue is a failure to follow the guide or set a UNIX short name.clifton ssh-*should also fail the same way.