Bug #17786
[deployment][webshell][shellinabox] centos 7's shellinabox is not pam-enabled
Status: open
Description
EPEL's shellinabox package is not PAM-enabled, and therefore we can't make authentication work using Arvados' tokens.
Inspecting the SRPM SPEC file shows that shellinabox's build process inspects the OS to decide whether PAM and OpenSSL support should be enabled.
From the tarball's files, you can see that the configure parameter used to make that decision is:

--disable-runtime-loading
    ShellInABox will try to load the OpenSSL, and PAM libraries at run-time, if it has been compiled with support for these libraries, and if the operating system supports dynamic loading of libraries. This allows you to install the same binary on different systems independent of whether they have OpenSSL and PAM enabled. If you would rather directly link these libraries into the binary, thus making them a hard dependency, then disable runtime-loading.

and then, when building the RPM in a default environment, you can see that the header checks fail:

checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking security/pam_client.h usability... no
checking security/pam_client.h presence... no
checking for security/pam_client.h... no
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no

finishing with a PAM-disabled package, which completely ignores the /etc/pam.d/shellinabox file and won't allow you to use :AUTH:HOME:SHELL as the method to authenticate users, giving you an error like:

Jun 09 04:06:30 hostname shellinaboxd[14721]: [server] Cannot look up user id "AUTH"!
If you add the missing devel files to the build environment

yum install -y pam-devel openssl-devel

and rebuild the package with

rpmbuild --rebuild shellinabox-2.20-5.el7.src.rpm

you'll get a PAM-enabled package that works with :AUTH:HOME:SHELL authentication and an Arvados-modified version of CentOS' /etc/pam.d/login file.

We need to do this for Arvados and add the package to our repository.
Updated by Javier Bértoli over 3 years ago
I forgot to mention, I filed a bug report with EPEL, which has not been dealt with yet.
Updated by Javier Bértoli over 3 years ago
Centos7 has selinux and also this issue is relevant. Apparently it was fixed, but no new release was done including it, so either we should re-package it using a newer version of the code or apply a selinux fix, like

- this one:

audit2allow -a -M login
semodule -i login.pp

- or this other one:

# grep shellinaboxd /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1625855028.222:187183): avc: denied { transition } for pid=19158 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1978 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

Using the error id, create a policy:

grep 1625855028.222:187183 /var/log/audit/audit.log | audit2allow -M shellinabox_workaround
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i shellinabox_workaround.pp

Enable the policy:

semodule -i shellinabox_workaround.pp
Then, use this PAM config for Arvados /etc/pam.d/shellinabox (quite similar to the one for login):

#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       [success=1 default=ignore] /usr/lib/pam_arvados.so api.ClusterID.domain shell.ClusterID.domain
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
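Added example, not part of this issue or of the shellinabox/Arvados code: a small POSIX shell helper that parses AVC denial lines like the one quoted in the comment above, pulling out the event id that the grep | audit2allow step keys on together with the source/target contexts and the denied permission, so a shellinaboxd transition denial can be recognised and reported rather than blanket-allowed. The sample line is constructed from the denial quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample, shaped like the AVC denial quoted in this issue.
SAMPLE_AVC='type=AVC msg=audit(1625855028.222:187183): avc: denied { transition } for pid=19158 comm="shellinaboxd" path="/usr/bin/bash" dev="dm-0" ino=1978 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0'

# Event id (timestamp:serial) inside msg=audit(...); this is the value
# that `grep <id> /var/log/audit/audit.log | audit2allow -M ...` selects on.
avc_event_id() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9.]*:[0-9]*\)).*/\1/p'
}

# Value of a key=value field ($2) in an AVC line ($1); surrounding quotes are stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Denied permission set between the braces, e.g. "transition".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# One-line summary: which process was denied what, on which class, between
# which SELinux contexts, plus the event id and whether the system was enforcing.
avc_summary() {
    line=$1
    if [ "$(avc_field "$line" permissive)" = 0 ]; then enforcing=yes; else enforcing=no; fi
    printf '%s denied %s on %s (%s -> %s) event=%s enforcing=%s\n' \
        "$(avc_field "$line" comm)" "$(avc_perms "$line")" "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" scontext)" "$(avc_field "$line" tcontext)" \
        "$(avc_event_id "$line")" "$enforcing"
}

# Read audit.log lines on stdin and summarise AVC denials for one process name
# (defaults to shellinaboxd, the daemon this issue is about).
avc_denials_for() {
    comm=${1:-shellinaboxd}
    grep 'type=AVC' | grep "comm=\"$comm\"" | while IFS= read -r l; do
        avc_summary "$l"
    done
}

# Stand-alone run over the constructed sample instead of /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_AVC" | avc_denials_for shellinaboxd
```

On a real host, feed it `/var/log/audit/audit.log` (or `ausearch -m AVC` output) on stdin; an `enforcing=yes` transition denial for shellinaboxd is the condition the policy module above is meant to address.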