Opened 7 months ago

Closed 6 months ago

Last modified 4 months ago

#2550 closed task (fixed)

LDAP mediated SSH access not working anymore

Reported by: strk Owned by: strk
Priority: major Milestone: Sysadmin Contract 2020-II
Component: Systems Admin Keywords:
Cc:

Description

According to docx in https://wiki.osgeo.org/wiki/SAC_Service_Status#Download one should be able to login to the download container by just being in the posixShell gruop and having keys published in LDAP. This is NOT the case, at the moment.

If it ever worked, it broke. It *might* (or might not) be due to the way I changed storage of ssh keys in LDAP with the work in #2542.

Initial setup of this LDAP/SSH connection was done by Regina in #2116

Other machines where this should work, according to https://trac.osgeo.org/osgeo/ticket/2116#comment:3 are:

  • hop.osgeo3.osgeo.org
  • hop.osgeo4.osgeo.org
  • hop.osgeo7.osgeo.org

None are working for me, when I mv ~/.ssh away

Change History (10)

comment:1 Changed 7 months ago by strk

NOTE: this would be a perfect job for an ansible role named something like SshProxyHost?...

comment:2 Changed 7 months ago by strk

I found instructions about setting up LDAP mediated SSH access buried in private repository https://git.osgeo.org/gitea/sac/osgeo7/wiki/Download-Container#user-content-enable-use-of-ldap-stored-ssh-pub-keys (I think this is a huge downside of these private repositories). Dropping a link here for easier access, but I think such info should be made public, eventually (ideally as a public ansible-deployment git repo)

comment:3 Changed 7 months ago by strk

The command to extract keys from LDAP is hold in a (still private) repository https://git.osgeo.org/gitea/sac/ssh-ldap-sshkey.git in BINARY (this is a no-no!) form. The binaries in that repository are documented to come from https://github.com/werrett/ssh-ldap-publickey in source form. We probably want debian packages for this kind of thing, or we want to use some easier simpler scripting to directly store in ansible-deployment.

comment:4 Changed 7 months ago by strk

I found that the ssh-dalp-publickey binary is just unable to fetch _all_ keys from LDAP but (only picks the first one). So this must have been broken when I changed LDAP storage format for keys (broken for me because the very first key is not the one from the client host I'm using).

I'll see if Santa gives me hope to rewrite that script to be a simple script so we can get rid of the binary repository and can put this in ansible.

comment:5 Changed 7 months ago by strk

I've added an ansible role for "ShellServer?" with commit https://git.osgeo.org/gitea/sac/ansible-deployment/commit/28a0b49b4b5e546493f565f226db030af50812e3

The new role is still NOT used on deploy, as none of the intended targets have a top-level playbook yet

comment:6 Changed 7 months ago by strk

Note in the new commit above I've added a 189 bytes shell script doing the equivalent of the 5MB Go executable failing to fetch all keys from LDAP... The shell script works fine, using ldapsearch

comment:7 Changed 7 months ago by robe

Milestone: Sysadmin Contract 2020-IIISysadmin Contract 2021-I

Milestone renamed

comment:8 Changed 6 months ago by robe

Owner: changed from sac@… to strk

comment:9 Changed 6 months ago by robe

Resolution: fixed
Status: newclosed

comment:10 Changed 4 months ago by robe

Milestone: Sysadmin Contract 2021-ISysadmin Contract 2020-II
Note: See TracTickets for help on using tickets.