Project

General

Profile

Actions
Copy link

Bug #17786

closed

[deployment][webshell][shellinabox] centos 7's shellinabox is not pam-enabled

Added by Javier Bértoli almost 3 years ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
-
Story points:
-
Release:
Postponed
Release relationship:
Auto

Description

EPEL's shellinabox package is not pam enabled and therefore we can't make authentication work using arvados' tokens.

Inspecting the SRPM SPEC file, it shows that shellinabox build process inspects the OS to decide if PAM & Openssl should be enabled.

From the tarball's files, you can see that the parameter used to make a decision is:

--disable-runtime-loading ShellInABox will try to load the OpenSSL, and PAM
                            libraries at run-time, if it has been compiled with
                            support for these libraries, and if the operating
                            system supports dynamic loading of libraries. This
                            allows you to install the same binary on different
                            systems independent of whether they have OpenSSL
                            and PAM enabled.  If you would rather directly link
                            these libraries into the binary, thus making them a
                            hard dependency, then disable runtime-loading.])

and then, when building the RPM in a default environment, you can see that the checks fail:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

finishing with a pam-disabled package, which will completely ignore /etc/pam.d/shellinabox file and won't allow you to use :AUTH:HOME:SHELL as the method to authenticate the users, giving you an error like
Jun 09 04:06:30 hostname shellinaboxd[14721]: [server] Cannot look up user id "AUTH"!

If you add the missing devel files to the building env

yum install -y pam-devel openssl-devel

and rebuild the package with
rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

you'll get a pam-enabled package that can work using :AUTH:HOME:SHELL authentication and an arvados-modified version of centos' /etc/pam.d/login file

We need to do this for Arvados and add the package to our repository.

Actions
Copy link
 #2

Updated by Javier Bértoli almost 3 years ago

I forgot to mention, I filled a bug report with EPEL, which has not been dealt with yet.

Actions
Copy link
 #3

Updated by Javier Bértoli almost 3 years ago

Centos7 has selinux and also this issue is relevant. Apparently it was fixed, but no new release was done including it, so either we should re-package it using a newer version of the code or apply a selinux fix, like

  • this one 
    audit2allow -a -M login
semodule -i login.pp
  • or this other one
    # grep shellinaboxd /var/log/audit/audit.log |grep denied

type=AVC msg=audit(1625855028.222:187183): avc:  denied  { transition } for  pid=19158 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1978 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

    Using the error id, create a policy
    grep 1625855028.222:187183 /var/log/audit/audit.log | audit2allow -M shellinabox_workaround
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i shellinabox_workaround.pp

    Enable the policy
    semodule -i shellinabox_workaround.pp

Then, use this PAM config for Arvados /etc/pam.d/shellinabox (quite similar to the one for login)

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth [success=1 default=ignore] /usr/lib/pam_arvados.so api.ClusterID.domain shell.ClusterID.domain
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Actions
Copy link
 #4

Updated by Peter Amstutz about 1 year ago

  • Release set to 60
Actions
Copy link
 #5

Updated by Brett Smith 3 months ago

  • Status changed from New to Closed

We don't support CentOS 7 anymore.

Actions
Copy link

Also available in: Atom PDF