Bug #17786

closed

[deployment][webshell][shellinabox] centos 7's shellinabox is not pam-enabled

Added by Javier Bértoli over 3 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assigned To: -
Category: -
Target version: -
Story points: -
Release:
Release relationship: Auto

Description

EPEL's shellinabox package is not PAM-enabled, and therefore we can't make authentication work using Arvados tokens.

The SRPM spec file shows that the shellinabox build process inspects the OS to decide whether PAM and OpenSSL should be enabled.

From the tarball's files, you can see that the parameter used to make a decision is:

--disable-runtime-loading ShellInABox will try to load the OpenSSL, and PAM
                            libraries at run-time, if it has been compiled with
                            support for these libraries, and if the operating
                            system supports dynamic loading of libraries. This
                            allows you to install the same binary on different
                            systems independent of whether they have OpenSSL
                            and PAM enabled.  If you would rather directly link
                            these libraries into the binary, thus making them a
                            hard dependency, then disable runtime-loading.])

and then, when building the RPM in a default environment, you can see that the checks fail:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

finishing with a PAM-disabled package, which will completely ignore the /etc/pam.d/shellinabox file and won't allow you to use :AUTH:HOME:SHELL as the method to authenticate the users, giving you an error like:
Jun 09 04:06:30 hostname shellinaboxd[14721]: [server] Cannot look up user id "AUTH"!

If you add the missing devel files to the build environment:

yum install -y pam-devel openssl-devel

and rebuild the package with:
rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

you'll get a PAM-enabled package that can work using :AUTH:HOME:SHELL authentication and an Arvados-modified version of CentOS' /etc/pam.d/login file.

We need to do this for Arvados and add the package to our repository.
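
The configure checks quoted in the description can be used as a build gate, so that a rebuild without pam-devel fails instead of silently producing a PAM-disabled package. This is an added example, not part of the original report or of the shellinabox or Arvados code; the function names, the exit codes, the sample logs and the policy of treating every probed PAM header as required are assumptions.

```shell
#!/bin/sh
# Added example: fail a shellinabox rebuild whose configure step did not find
# the PAM headers. Sample logs below are constructed for illustration.

# Print each header whose "checking for <hdr>... <result>" line is not "yes".
missing_headers() {
    awk '/^checking for [^ ]+\.h\.\.\. / {
             hdr = $3; sub(/\.\.\.$/, "", hdr); result[hdr] = $NF
         }
         END { for (h in result) if (result[h] != "yes") print h }' | sort
}

# Return 0 if every probed security/pam_*.h header was found, 1 if any was
# missing, 2 if the log contains no PAM header checks at all (wrong log).
# Assumption: all probed PAM headers are treated as required.
check_pam_build() {
    log=$1
    probed=$(grep -c '^checking for security/pam_[a-z_]*\.h\.\.\. ' "$log") || true
    if [ "${probed:-0}" -eq 0 ]; then
        echo "no PAM header checks found in $log" >&2
        return 2
    fi
    missing=$(missing_headers < "$log" | grep '^security/pam_') || true
    if [ -n "$missing" ]; then
        printf 'PAM header not found at configure time: %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Constructed sample: the failing checks quoted in the report.
sample_log_without_devel() {
    cat <<'EOF'
checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking for security/pam_client.h... no
checking for security/pam_misc.h... no
EOF
}

# Constructed sample: assumed output when the devel headers are installed.
sample_log_with_devel() {
    cat <<'EOF'
checking for security/pam_appl.h... yes
checking for security/pam_client.h... (cached) yes
checking for security/pam_misc.h... yes
EOF
}
```

To use it, save the output of the rpmbuild run to a file and pass that file to check_pam_build before publishing the package to the repository.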
