Bug #17786

[deployment][webshell][shellinabox] centos 7's shellinabox is not pam-enabled

Added by Javier Bértoli about 1 year ago. Updated about 1 year ago.

EPEL's shellinabox package is not PAM-enabled and therefore we can't make authentication work using Arvados' tokens.

Inspecting the SRPM SPEC file, it shows that the shellinabox build process inspects the OS to decide if PAM & OpenSSL should be enabled.

From the tarball's files, you can see that the parameter used to make a decision is:

--disable-runtime-loading ShellInABox will try to load the OpenSSL, and PAM
                            libraries at run-time, if it has been compiled with
                            support for these libraries, and if the operating
                            system supports dynamic loading of libraries. This
                            allows you to install the same binary on different
                            systems independent of whether they have OpenSSL
                            and PAM enabled.  If you would rather directly link
                            these libraries into the binary, thus making them a
                            hard dependency, then disable runtime-loading.])

and then, when building the RPM in a default environment, you can see that the checks fail:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

finishing with a PAM-disabled package, which will completely ignore the /etc/pam.d/shellinabox file and won't allow you to use :AUTH:HOME:SHELL as the method to authenticate the users, giving you an error like

Jun 09 04:06:30 hostname shellinaboxd[14721]: [server] Cannot look up user id "AUTH"!

If you add the missing devel files to the build environment

yum install -y pam-devel openssl-devel

and rebuild the package with

rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

you'll get a PAM-enabled package that can work using :AUTH:HOME:SHELL authentication and an Arvados-modified version of CentOS' /etc/pam.d/login file.

We need to do this for Arvados and add the package to our repository.
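As an added example (not part of the ticket or of the shellinabox project), the script below reads configure output of the kind quoted above from an rpmbuild log and maps each header reported as missing to the -devel package that provides it on CentOS 7, so the build host can be fixed before the rebuild is retried. The header-to-package table and the sample log (which adds an OpenSSL miss to the PAM lines from the ticket) are constructed for this example.

```shell
#!/bin/sh
# Added example: map "checking for <header>... no" lines from configure
# (as seen in an rpmbuild log) to the -devel packages the build host lacks.

# Header -> package table assumed by this example (CentOS 7 package names).
devel_package_for_header() {
    case "$1" in
        security/pam_*.h) echo "pam-devel" ;;
        openssl/*.h)      echo "openssl-devel" ;;
        *)                echo "" ;;
    esac
}

# Read a configure/rpmbuild log on stdin; print the sorted, unique set of
# -devel packages whose headers configure reported as missing, space-separated.
missing_devel_packages() {
    sed -n 's/^checking for \([^ ]*\)\.\.\. no$/\1/p' |
    while read -r header; do
        pkg=$(devel_package_for_header "$header")
        [ -n "$pkg" ] && echo "$pkg"
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of configure output: the PAM lines quoted in the ticket
# plus an OpenSSL miss and one header that is present.
SAMPLE_CONFIGURE_LOG='checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking for security/pam_client.h... no
checking for security/pam_misc.h... no
checking for openssl/ssl.h... no
checking for stdlib.h... yes'

# Run the check over the constructed sample.
report_missing_for_sample() {
    printf '%s\n' "$SAMPLE_CONFIGURE_LOG" | missing_devel_packages
}

# Against a real build the same function reads the saved build log, e.g.:
#   rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm 2>&1 | tee build.log
#   missing_devel_packages < build.log
# Over the sample it prints: openssl-devel pam-devel
report_missing_for_sample
```

Only the "checking for <header>... no" summary lines are matched; the "usability" and "presence" lines that precede each one carry the same information and are deliberately ignored so each header is counted once. An empty result means configure found every header the table knows about, which is the state to confirm before trusting that the rebuilt binary is PAM-enabled.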

#2

Updated by Javier Bértoli about 1 year ago

I forgot to mention, I filed a bug report with EPEL, which has not been dealt with yet.

#3

Updated by Javier Bértoli about 1 year ago

CentOS 7 has SELinux, and this issue is also relevant. Apparently it was fixed, but no new release was done including it, so either we should re-package it using a newer version of the code or apply an SELinux fix, like

  • this one
    audit2allow -a -M login
    semodule -i login.pp
  • or this other one
    # grep shellinaboxd /var/log/audit/audit.log |grep denied
    type=AVC msg=audit(1625855028.222:187183): avc:  denied  { transition } for  pid=19158 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1978 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

    Using the error id, create a policy
    grep 1625855028.222:187183 /var/log/audit/audit.log | audit2allow -M shellinabox_workaround
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:
    semodule -i shellinabox_workaround.pp

    Enable the policy
    semodule -i shellinabox_workaround.pp

Then, use this PAM config for Arvados /etc/pam.d/shellinabox (quite similar to the one for login)

auth [user_unknown=ignore success=ok ignore=ignore default=bad]
auth [success=1 default=ignore] /usr/lib/ api.ClusterID.domain shell.ClusterID.domain
auth       substack     system-auth
auth       include      postlogin
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required close
session    required
session    optional
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      system-auth
session    include      postlogin
-session   optional
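As an added example (not from the ticket), the script below does the log-side half of the second workaround above: it filters an audit log down to the AVC denials recorded for one process name and prints their audit event ids, the value that is then grepped out of the log and piped into audit2allow. The sample log is constructed for this example: it contains the shellinaboxd denial quoted in the comment plus an unrelated httpd denial and a SYSCALL record, to show that the filter is selective.

```shell
#!/bin/sh
# Added example: extract the audit event ids of AVC denials for one comm= name,
# so the exact records can be fed to audit2allow instead of the whole log.

# Read an audit log on stdin; print the event id (e.g. 1625855028.222:187183)
# of every "avc: denied" record whose comm= matches the given process name.
avc_denial_ids() {
    comm="$1"
    grep 'type=AVC' |
    grep 'denied' |
    grep "comm=\"$comm\"" |
    sed -n 's/.*msg=audit(\([0-9.]*:[0-9]*\)).*/\1/p'
}

# Constructed sample: the denial from the ticket, its SYSCALL companion record,
# and a denial for a different process (httpd) that must not be selected.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1625855028.222:187183): avc:  denied  { transition } for  pid=19158 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1978 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1625855028.222:187183): arch=c000003e syscall=59 success=no exit=-13 comm="shellinaboxd" exe="/usr/sbin/shellinaboxd"
type=AVC msg=audit(1625855100.000:187200): avc:  denied  { read } for  pid=20001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Run the filter over the constructed sample for shellinaboxd.
shellinaboxd_denials_for_sample() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denial_ids shellinaboxd
}

# Real use (as root, with audit2allow installed), following the comment above:
#   id=$(avc_denial_ids shellinaboxd < /var/log/audit/audit.log | head -n 1)
#   grep "$id" /var/log/audit/audit.log | audit2allow -M shellinabox_workaround
#   cat shellinabox_workaround.te      # read the generated allow rules first
#   semodule -i shellinabox_workaround.pp
# Over the sample it prints: 1625855028.222:187183
shellinaboxd_denials_for_sample
```

Selecting by event id rather than by a bare `grep shellinaboxd` keeps audit2allow from seeing unrelated denials that happen to mention the same name, so the generated module contains only the rule for the transition that actually failed. The .te file that audit2allow writes alongside the .pp is worth reading before `semodule -i`, since each allow rule it contains becomes part of the loaded policy.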
