Andy Kurth created VCL-1108:
-------------------------------

             Summary: Improve flexibility in how sshd is configured in Linux images
                 Key: VCL-1108
                 URL: https://issues.apache.org/jira/browse/VCL-1108
             Project: VCL
          Issue Type: Improvement
          Components: vcld (backend)
            Reporter: Andy Kurth


In Linux images, the *ext_sshd* service is dynamically generated when an image 
is loaded and reconfigured when the computer is reserved.  The ext_sshd service 
is configured with */etc/ssh/ext_sshd/external_sshd_config*.  This file is 
generated by using the regular */etc/ssh/sshd_config* file as a template.  The 
following hard-coded parameter modifications are then applied to 
external_sshd_config:
{{ListenAddress <remote IP>}}
{{PasswordAuthentication yes}}
{{PermitRootLogin no}}
{{PidFile /var/run/ext_sshd.pid}}
{{X11Forwarding yes}}
{{AllowUsers <reservation user>}}
The *ext_sshd* service and all associated files including 
*external_sshd_config* are deleted before an image is captured.  When the image 
is loaded, the *sshd_config* file stored in the image is used as the template.

The only way to customize the ext_sshd service is by using a *vcl_post_reserve* 
script.  There's a timing problem with this.  *vcl_post_reserve* gets executed 
after
 # vcld detects the user clicked the Connect button
 # $self->os->grant_access()
 ## firewall opened to user's IP
 ## connect methods processed, ext_sshd running
 # $self->os->update_cluster()

At this point, the user is already able to connect to the computer via SSH.  If you 
need to customize any of the ext_sshd configuration parameters _which can't be 
customized in sshd_config because they'd break management node communication_, 
you'd have to do it here and then restart the service.  This leaves a window of 
one to several seconds during which the ext_sshd service is configured and listening 
without the customizations.

This problem came up in an image which required using Duo for multifactor 
authentication.  ext_sshd could be configured properly by the 
*vcl_post_reserve* script, but it left a window when a user could login without 
going through Duo.

There are a few ways to improve this.  The simplest, though not the prettiest, 
would be to extend the *configure_sshd_config_file* and 
*configure_ext_sshd_config_file* subroutines in *Linux.pm* to check for the 
existence of some other file to use as a template for external_sshd_config 
_(instead of sshd_config)_.  Perhaps something like 
*/root/.vclcontrol/external_sshd_config.template*.  The hard-coded parameter 
modifications listed above would still need to be applied.
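The following is an added illustration of the template-plus-overrides scheme described in this issue; it is not VCL's own code (Linux.pm is Perl, and this is a stand-alone Python sketch).  It assumes the hypothetical template path */root/.vclcontrol/external_sshd_config.template* proposed above, falls back to */etc/ssh/sshd_config* when that file is absent, and applies the six hard-coded parameters listed above.  The sample template, remote IP and reservation user are constructed for the example.  Two details matter for a Duo-style template: overrides must be placed above the first *Match* block (sshd treats directives after a *Match* as belonging to that block), and template settings that are not in the override list, such as *AuthenticationMethods* and *UsePAM*, must survive untouched.

```python
"""Render an ext_sshd-style config from a template plus fixed overrides.

Added example for the VCL-1108 discussion; not code from vcld or Linux.pm.
"""
import os
import re

# Hypothetical alternate template path proposed in the issue (assumption).
TEMPLATE_OVERRIDE = "/root/.vclcontrol/external_sshd_config.template"
DEFAULT_TEMPLATE = "/etc/ssh/sshd_config"

# An active or commented-out directive: optional '#', keyword, value.
DIRECTIVE_RE = re.compile(r"^\s*(#)?\s*([A-Za-z][A-Za-z0-9]*)\s+(\S.*?)\s*$")
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

# Constructed template standing in for an image's sshd_config (not a real file).
SAMPLE_TEMPLATE = """\
# Constructed template for the example: Duo-style keyboard-interactive auth
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""


def ext_sshd_overrides(remote_ip, reservation_user):
    """The fixed modifications listed in the issue, with per-reservation values."""
    return {
        "ListenAddress": remote_ip,
        "PasswordAuthentication": "yes",
        "PermitRootLogin": "no",
        "PidFile": "/var/run/ext_sshd.pid",
        "X11Forwarding": "yes",
        "AllowUsers": reservation_user,
    }


def select_template(candidate=TEMPLATE_OVERRIDE, default=DEFAULT_TEMPLATE,
                    exists=os.path.isfile):
    """Prefer the image-supplied template when present, else sshd_config."""
    return candidate if exists(candidate) else default


def render_ext_sshd_config(template_text, overrides):
    """Apply overrides to the global section of the template.

    The first occurrence of each overridden keyword (active or commented)
    is replaced; later active duplicates are dropped, since sshd honours
    the first value it reads.  Keywords absent from the template are
    appended at the end of the global section, before any Match block,
    and Match blocks are copied through unchanged.
    """
    lines = template_text.splitlines()
    first_match = next((i for i, l in enumerate(lines) if MATCH_RE.match(l)),
                       len(lines))
    global_part, match_part = lines[:first_match], lines[first_match:]
    # sshd keywords are case-insensitive.
    wanted = {k.lower(): (k, v) for k, v in overrides.items()}
    placed = set()
    out = []
    for line in global_part:
        m = DIRECTIVE_RE.match(line)
        key = m.group(2).lower() if m else None
        if key in wanted:
            if key not in placed:
                name, value = wanted[key]
                out.append(f"{name} {value}")
                placed.add(key)
                continue
            if m.group(1) is None:
                continue  # later active duplicate: drop it
        out.append(line)
    for key, (name, value) in wanted.items():
        if key not in placed:
            out.append(f"{name} {value}")
    return "\n".join(out + match_part) + "\n"


def effective_value(config_text, keyword):
    """First active global-section value for keyword, as sshd resolves it."""
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) is None and m.group(2).lower() == keyword.lower():
            return m.group(3)
    return None


if __name__ == "__main__":
    # Constructed reservation values for the demonstration.
    cfg = render_ext_sshd_config(SAMPLE_TEMPLATE,
                                 ext_sshd_overrides("10.0.0.5", "alice"))
    print(cfg, end="")
```

Running the script prints the rendered config: the commented *ListenAddress* and *PasswordAuthentication* lines and the active *PermitRootLogin yes* are replaced in place, the missing *PidFile*, *X11Forwarding* and *AllowUsers* lines are appended just before *Match User backup*, and the Duo-related *AuthenticationMethods* and *UsePAM* settings from the template come through unchanged, so the service never listens without them.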

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)