Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2550 closed task (fixed)

LDAP mediated SSH access not working anymore

Reported by: strk
Owned by: strk
Priority: major
Milestone: Sysadmin Contract 2020-II
Component: SysAdmin
Keywords:
Cc:

Description

According to docs in https://wiki.osgeo.org/wiki/SAC_Service_Status#Download one should be able to log in to the download container by just being in the posixShell group and having keys published in LDAP. This is NOT the case, at the moment.

If it ever worked, it broke. It *might* (or might not) be due to the way I changed storage of ssh keys in LDAP with the work in #2542.

Initial setup of this LDAP/SSH connection was done by Regina in #2116

Other machines where this should work, according to https://trac.osgeo.org/osgeo/ticket/2116#comment:3 are:

  • hop.osgeo3.osgeo.org
  • hop.osgeo4.osgeo.org
  • hop.osgeo7.osgeo.org

None are working for me, when I mv ~/.ssh away

Change History (10)

comment:1 by strk, 3 years ago

NOTE: this would be a perfect job for an ansible role named something like SshProxyHost...

comment:2 by strk, 3 years ago

I found instructions about setting up LDAP mediated SSH access buried in a private repository https://git.osgeo.org/gitea/sac/osgeo7/wiki/Download-Container#user-content-enable-use-of-ldap-stored-ssh-pub-keys (I think this is a huge downside of these private repositories). Dropping a link here for easier access, but I think such info should be made public, eventually (ideally as a public ansible-deployment git repo).

comment:3 by strk, 3 years ago

The command to extract keys from LDAP is held in a (still private) repository https://git.osgeo.org/gitea/sac/ssh-ldap-sshkey.git in BINARY (this is a no-no!) form. The binaries in that repository are documented to come from https://github.com/werrett/ssh-ldap-publickey in source form. We probably want Debian packages for this kind of thing, or we want to use some easier, simpler scripting to store directly in ansible-deployment.

comment:4 by strk, 3 years ago

I found that the ssh-ldap-publickey binary is just unable to fetch _all_ keys from LDAP (it only picks the first one). So this must have been broken when I changed the LDAP storage format for keys (broken for me because the very first key is not the one from the client host I'm using).

I'll see if Santa gives me hope to rewrite that script to be a simple script so we can get rid of the binary repository and can put this in ansible.

comment:5 by strk, 3 years ago

I've added an ansible role for "ShellServer" with commit https://git.osgeo.org/gitea/sac/ansible-deployment/commit/28a0b49b4b5e546493f565f226db030af50812e3

The new role is still NOT used on deploy, as none of the intended targets have a top-level playbook yet

comment:6 by strk, 3 years ago

Note: in the new commit above I've added a 189-byte shell script doing the equivalent of the 5MB Go executable failing to fetch all keys from LDAP... The shell script works fine, using ldapsearch.
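
What a shell replacement of the kind described in comments 4 and 6 can look like, as an added example (it is not the 189-byte script from the commit, which is not shown on this page): it calls ldapsearch and prints every stored key rather than only the first, for use as sshd's AuthorizedKeysCommand. The `sshPublicKey` attribute name, the `posixAccount` filter, the LDAP URI and the base DN are assumptions, not values from this ticket.

```shell
#!/bin/sh
# Added example: print ALL SSH public keys stored in LDAP for one user.
# Assumptions: keys are values of the sshPublicKey attribute (openssh-lpk
# schema); the URI and base DN below are placeholders.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"

# Accept only conservative login names, so the argument cannot change the
# LDAP filter (no parentheses, '*', backslashes or empty string).
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read LDIF on stdin and print every sshPublicKey value, one per line.
# Handles folded lines (continuations start with one space) and
# base64-encoded values ("attr:: ...").
ldif_to_keys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            sshPublicKey::\ *)
                printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            sshPublicKey:\ *)
                printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done
}

# Query the directory for the user's entry and emit all of its keys.
fetch_keys() {
    valid_user "$1" || return 1
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | ldif_to_keys
}

# sshd passes the login name as the first argument.
[ $# -eq 0 ] || fetch_keys "$1"
```

To wire it in, point `AuthorizedKeysCommand` in sshd_config at the installed script and set `AuthorizedKeysCommandUser` to an unprivileged account.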

comment:7 by robe, 3 years ago

Milestone: Sysadmin Contract 2020-III → Sysadmin Contract 2021-I

Milestone renamed

comment:8 by robe, 3 years ago

Owner: changed from sac@… to strk

comment:9 by robe, 3 years ago

Resolution: fixed
Status: new → closed

comment:10 by robe, 3 years ago

Milestone: Sysadmin Contract 2021-I → Sysadmin Contract 2020-II