liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

Login error #179

Closed ghost closed 11 years ago

ghost commented 11 years ago

Every time after I enter my username I get the following error:

command-line line 0: garbage at end of line; "With".

I am using PAM authentication with 2 modified files: I modified gateone.py and ssh_connect.py to match the correct env setting for my Python.

liftoff commented 11 years ago

What version of Gate One are you using? Also, where are you getting that error? Inside Gate One on the web page from ssh_connect.py or somewhere else?

ghost commented 11 years ago

Using the latest git revision, and I get that after I enter the username after hostname and port on the web side.

http://gyazo.com/b5219ab44c8ef6b10e739548fa27c42d Screenshot for reference

EDIT: Are there more files that define the "env" value, as I only edited those 2? (My python executable is "python26", using CentOS 5.) (I use "grep -lir env *.py" in the GO root dir to find those values, so is the executable defined in other ways?)

liftoff commented 11 years ago

Can you paste your server.conf? Also, please tell me precisely what you changed... That error message is coming from the 'ssh' command. Can you run 'ssh root@localhost' from the command line as root (outside of Gate One)?

One last thing to check: When you've got Gate One open to that error message cat the ssh:1:* file in /tmp/gateone/ directory and paste it in here. It might not be being created properly.

ghost commented 11 years ago

CONF below

```
# -*- coding: utf-8 -*-
locale = "en_US"
pam_service = "login"
syslog_facility = "daemon"
syslog_host = None
enable_unix_socket = False
port = 8080
uid = "0"
url_prefix = "/"
user_dir = "/opt/gateone/users"
dtach = True
certificate = "ssh.cer"
log_to_stderr = False
session_logs_max_age = "30d"
gid = "0"
pid_file = "/tmp/gateone.pid"
sso_realm = None
cookie_secret = "ZDg1MzFmM2MyNGI3NDYwYWEyNTQ4M2ZiMzZiNTJiM2Y4N"
pam_realm = "Login With UNIX Account"
ca_certs = None
sso_service = "HTTP"
https_redirect = False
syslog_session_logging = False
api_keys = ""
disable_ssl = False
session_logging = True
session_dir = "/tmp/gateone"
auth = "pam"
address = ""
api_timestamp_window = "30s"
log_file_num_backups = 10
logging = "info"
embedded = False
origins = "https://ssh.mc15.tk:8080"
unix_socket_path = "/tmp/gateone.sock"
ssl_auth = "none"
log_file_max_size = 104857600
session_timeout = "5d"
command = "/opt/gateone/plugins/ssh/scripts/ssh_connect.py -S '/tmp/gateone/%SESSION%/%SHORT_SOCKET%' --sshfp -a '-oUserKnownHostsFile=\"%USERDIR%/%USER%/ssh/known_hosts\"'"
debug = False
js_init = ""
keyfile = "ssh.key"
log_file_prefix = "/opt/gateone/logs/webserver.log"
```

Exact changes are:

#!/usr/bin/env python changed to #!/usr/bin/env python26

TMP file is not being created at all, but all those random string directories are (using dtach).

ssh via prompt works.

I use supervisor to manage the installation, if that matters (simple start/stop). Is this latest revision somehow "broken" for certain setups like mine? I have 3 different Pythons installed, but I made sure all deps exist for GO. For last reference, all this worked on older revisions.

liftoff commented 11 years ago

Try changing the shebang to use the full path to python26 instead of using /usr/bin/env. Also, when you're using python 2.6 on the command line do you need to source anything beforehand? Something like, 'source /some/path/bin/activate'?

ghost commented 11 years ago

Not working, and I don't need to source anything.

liftoff commented 11 years ago

I honestly have no idea what is causing it to not work for you. I have never seen this problem before--or even anything remotely like it.

What I really need to see is the script that is generated by ssh_connect.py... It'll be in /tmp/gateone (or whatever your session dir is) inside of one of those random session ID directories. It will start with ssh: and should remain there until you close the terminal.

Another quick thing to try: Change the 'command' in your server.conf to something like, "/bin/login". If that works (to login to the Gate One server like it's a console) then the problem is most definitely with either ssh_connect.py or the environment.

ghost commented 11 years ago

Funny thing is that the older revisions worked like a charm...

EDIT: I managed to scavenge that ssh tmp file in the SID directory. Output as follows:

```
#!/bin/sh
# This variable is for easy retrieval later
SSH_SOCKET='/tmp/gateone/Y2UxZmFjMzYwYzFlNDhlMGE2YWE2NmQxZDZkMDk5ODk0Y/RsVDmf8'
ssh -M -S'/tmp/gateone/Y2UxZmFjMzYwYzFlNDhlMGE2YWE2NmQxZDZkMDk5ODk0Y/RsVDmf8' -x -F'/opt/gateone/users/niko@Login With UNIX Account/ssh/config' -oNoHostAuthenticationForLocalhost=yes -oVerifyHostKeyDNS=yes -oPreferredAuthentications='keyboard-interactive,password' -oIdentityFile='/dev/null' -oSendEnv=GO_TERM -p 22 -l root -oUserKnownHostsFile="/opt/gateone/users/niko@Login With UNIX Account/ssh/known_hosts" localhost
echo '[Press Enter to close this terminal]'
read waitforuser
rm -f /tmp/gateone/Y2UxZmFjMzYwYzFlNDhlMGE2YWE2NmQxZDZkMDk5ODk0Y/ssh:1:root@localhost:22 # Cleanup
exit 0
```

I think the problem lies in my pam realm "Login With UNIX Account", which has spaces. Are those counted as garbage?

liftoff commented 11 years ago

You've nailed it! It's those spaces in your pam_realm setting. Realms aren't supposed to have spaces in them but that's irrelevant because I'm considering the lack of automatic escaping of spaces a bug. I can also see the usefulness of using a helpful message as your realm (since that's what shows up when the dialog asks you for your credentials).

"I can fix it!"

I'm preparing a HUGE commit right now that completely changes around Gate One's architecture (needed lots of automated migration logic). I'll see if I can get a fix included.
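The two quoting layers behind the diagnosis above, as an added example (not Gate One's code and not part of the original thread): the double quotes in the generated script are consumed by /bin/sh, so ssh receives an unquoted path containing spaces. `ssh_option_words` is an assumed, simplified model of how ssh tokenizes the text after `-o`, and `build_ssh_argv` and `render_script_line` are hypothetical helper names.

```python
import shlex  # shlex.quote needs Python 3.3+; pipes.quote is the Python 2 equivalent

# Shortened from the generated script quoted in the thread (constructed sample).
BROKEN_LINE = ('ssh -p 22 -l root -oUserKnownHostsFile="/opt/gateone/users/'
               'niko@Login With UNIX Account/ssh/known_hosts" localhost')

def ssh_option_words(option_text):
    """Assumed, simplified model of how ssh tokenizes the text after -o:
    keyword, '=', then whitespace-separated arguments; double quotes group."""
    keyword, _, rest = option_text.partition("=")
    return keyword, shlex.split(rest)

def option_after_shell(script_line, keyword):
    """Apply the /bin/sh layer (modelled with shlex.split), then the ssh layer."""
    for word in shlex.split(script_line):
        if word.startswith("-o" + keyword + "="):
            return ssh_option_words(word[2:])[1]
    raise LookupError(keyword)

def build_ssh_argv(user_dir, user, host, port, login):
    """Hypothetical builder: quote the path for ssh's parser inside the argument."""
    known_hosts = "%s/%s/ssh/known_hosts" % (user_dir, user)
    if any(ch in known_hosts for ch in '"\\\n'):
        raise ValueError("path cannot be carried inside double quotes")
    return ["ssh", "-p", str(port), "-l", login,
            '-oUserKnownHostsFile="%s"' % known_hosts, host]

def render_script_line(argv):
    """Quote each argv element for /bin/sh so the inner double quotes survive."""
    return " ".join(shlex.quote(arg) for arg in argv)

if __name__ == "__main__":
    # Unquoted at the ssh layer: the path splits and "With" is the first extra word.
    print(option_after_shell(BROKEN_LINE, "UserKnownHostsFile"))
    fixed = render_script_line(build_ssh_argv(
        "/opt/gateone/users", "niko@Login With UNIX Account",
        "localhost", 22, "root"))
    print(fixed)
    # Quoted at both layers: a single path argument reaches the option parser.
    print(option_after_shell(fixed, "UserKnownHostsFile"))
```

Quoting every argv element with `shlex.quote` also keeps a user or realm string containing shell metacharacters from being interpreted by the generated script.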

liftoff commented 11 years ago

I can't reproduce this on Ubuntu 12.10 or 12.04... I set my pam_realm to "Login With UNIX Account" just like you have and I'm not getting that error. It seems to work fine.

What's the version of SSH you're using? "ssh -V" should tell you.

ghost commented 11 years ago

I use SSH 4.3p2 with OpenSSL 0.9.8e, which is standard in the CentOS 5 repository. Should I compile the latest one (6.1p1)? (I have the latest OpenSSL compiled in /alt/openssl for PHP, but I could use that as well for a new SSH build.)

EDIT: I built the latest OpenSSH RPMs and they are ready to be deployed if required.

2nd EDIT: Would it be possible to remove the PAM realm from the user folder name, keeping only the username?

3rd EDIT: Yup... I updated to SSH 6.1p1 with OpenSSL 1.0.1 and it's working now.

4th EDIT: Can there also be a possibility for autologin to local ssh via the UNIX user used in PAM, so double login would not be required?

5th EDIT: To return to the 2nd edit, the PAM realm... can it be replaced with socket.gethostname() to get the server hostname after the username?

6th EDIT: I tried the convenience plugin, and when I click on a user or group line I get "timeout exceeded or command failed to execute" when doing "getent group/passwd root" (in fact all "background" commands fail).

7th EDIT: Oh well... let's add some bug reports, shall we? I got a semi-error in commands when importing a public/private pair: http://gyazo.com/4fe431abc21066715d338c5cdf954be2 Like so, the randomart command is invalid. The end of the picture, which I didn't get, says too many arguments, and also "Bits" reads as "usage:". In fact, much of the information is incorrect if I can see it (the image will show it off a bit more).

8th EDIT: I cannot generate new SSH keys, as I get the following: There was a problem generating SSH keys: [u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ', u' ']

9th EDIT: When I select the private key as default, it won't get used.

10th EDIT: The known_hosts for users are placed wrong. They are placed in the users root directory, but they should be in users/username/.ssh, like so: http://gyazo.com/f01e4416f5cb5f6e1ef09140f28b18d0 ("niko@Login" is the known_hosts)

liftoff commented 11 years ago

Responses are numbered:

2: The realm part of the username is included in the directory creation to ensure uniqueness. In the future Gate One will support multiple simultaneous realms based on configuration/policy. If I only created the directory as, "niko" for niko@realm1 it would conflict if there ended up being a niko@realm2.

3: Great. I had a very strong suspicion it was a bug in the older version of OpenSSH that came with CentOS.

4: Yes, for local autologin you can set your "command = 'su - `echo %USER% | cut -d@ -f1`'". Why the echo/cut thing? To get rid of the @REALM part. For reference, I will be pushing a commit soon that allows Gate One to support multiple simultaneous "command" options. So you could open an "SSH" terminal or "local" (or whatever else you want to call it).

5: You mean you want the pam_realm to be forcibly set to the hostname? That doesn't seem very configurable. I suppose I could allow for a %HOSTNAME% variable to be used in the setting or something like that. Would that work?

6: This will require more investigation. Can you run gateone.py with --logging=debug and paste the relevant output when you try and fail a background command? It might be that the OpenSSH folks renamed some options in the newer version (6.1--I tested and it works fine in 6.0).

7: This is most definitely a problem related to the version of SSH you're using. I'll add some logic to detect the version/capabilities so it doesn't generate that bad output.

8: Does this happen for all types of keys (ECDSA, RSA, DSA) or just one particular kind?

9: I think this is a bug I just fixed in the code I'm working on... There's a bug in ssh_connect.py where it is using the old 'ssh' directory when it should be using the new '.ssh' name. I'll be pushing the commit soon... Just need to put some finishing touches on configuration migration logic.

10: Yep. That's a bug: It will be fixed in the next commit.

ghost commented 11 years ago

I did not mean directly to "force" the hostname, but to add a username@hostname struct in the folder, keeping pam_realm as is, so the directory can be 1 solid line... and the debug log is here: http://pastebin.com/PthvJzz2

The log covers the background commands and the ssh create failure... be warned though... lots of u' s

SSH error is found in lines 142-153

liftoff commented 11 years ago

Oh I see what you're saying... So instead of using the realm in the directory name I should just use the hostname. That still causes a problem with multiple realms. You could still have two different users with the same username but in different realms. The name of the directory needs to be unique somehow. I could use a hash but then it would be very difficult to figure out which user is which to examine their logs.

ghost commented 11 years ago

My main target in this argument was to get a solid line in the directory, or even quote the command so it is read as a whole (AFAIK it should work).

PS. Got anything from the debug logs?

EDIT! You made a mistake with the new commit. The startup does not acknowledge the new plugins dir in applications/etc/etc

```
Traceback (most recent call last):
  File "gateone.py", line 328, in <module>
    PLUGINS = get_plugins(os.path.join(GATEONE_DIR, 'plugins'))
  File "/opt/gateone/utils.py", line 823, in get_plugins
    for directory in os.listdir(plugin_dir):
OSError: [Errno 2] No such file or directory: '/opt/gateone/plugins'
```

I completely erased the old and reinstalled.

liftoff commented 11 years ago

Sorry about the broken latest commit... I realized it was broken for new(ish) installs of Gate One but it took me a while to get a fix out due to the complexity. I ended up re-writing almost all of main() in order to make it more robust in the process of converting the old server.conf format to the new settings format and also have it generate new generic defaults (in the right places).

I just pushed a commit that should fix all of that. The only thing left to fix (related to the changes) is the parts of Gate One that timeout sessions. I need a generic watcher process and hooks inside of applications/plugins that can get called as part of the session timeout process. That's what I'll be working on next :)