Here is an ebuild for sshproxy. sshproxy is an ssh gateway to apply ACLs on ssh connections. Check the homepage for a more detailed description.
Created an attachment (id=90186) net-proxy/sshproxy/sshproxy-0.4.ebuild: the sshproxy ebuild
Created an attachment (id=90187) net-proxy/sshproxy/sshproxy-0.4.ebuild: sshproxy ebuild
Created an attachment (id=90188) net-proxy/sshproxy/files/sshproxyd.confd: the conf.d/sshproxyd file
Created an attachment (id=90189) net-proxy/sshproxy/files/sshproxyd.initd: the init.d/sshproxyd script
I have 2 problems with this package:

a) sshproxyd creates the host key before switching to the daemon user, which makes id_dsa unreadable by the daemon.

b) I don't know how to convince sshproxyd (using the file backend) to let me connect to one of my servers. Whatever I do, it tries to connect as "admin" instead of the user I set. What exactly should I write in the pwdb files?
(In reply to comment #5)
> I have 2 problems with this package:
> a) sshproxyd creates the host key before switching to the daemon user, which makes
> id_dsa unreadable by the daemon.

I didn't notice this behaviour; how did you start sshproxyd?

> b) I don't know how to convince sshproxyd (using the file backend) to let me
> connect to one of my servers. Whatever I do, it tries to connect as "admin"
> instead of the user I set. What exactly should I write in the pwdb files?

<warning>
The file backend is insecure for now, because it will let any user connect to the proxy, and thus to any remote site you configured. This will change in the future, but until then this backend is for testing purposes only.
</warning>

That said, you can check this section of the documentation to set up a remote site:
http://penguin.fr/sshproxy/documentation.html#file-backend-add-sites-and-users

Basically, all you have to do is create a file named after your site's symbolic name (which can be the fqdn if you want) in .sshproxy/pwdb (the default location), and populate it with a [DEFAULT] section for the host data, and one or more [remote_user] sections as shown in the documentation. All the fields shown are mandatory.

Hope this helps.

David
I've configured the daemon using sshproxyd --wizard, then I launched the service by running /etc/init.d/sshproxyd start. Unfortunately, the key was created with root:root.

This documentation is the one I followed to configure my remote server like this:

  [DEFAULT]
  ip = a.b.c.d
  port = 22

  [mrness]
  mrness = my_pass

Still, the user used to connect to the remote host was admin, no matter if I executed pssh technosoft.ro or pssh mrness@technosoft.ro.
(In reply to comment #7)
> I've configured the daemon using sshproxyd --wizard, then I launched the service
> by running /etc/init.d/sshproxyd start. Unfortunately, the key was created with
> root:root.

This is weird, since the key is created on first run, after the daemon changes user and binds to the listening socket...

> This documentation is the one I followed to configure my remote server like
> this:
> [DEFAULT]
> ip = a.b.c.d
> port = 22

In the [DEFAULT] section you have to put a line like this:

  location = whatever you like

> [mrness]
> mrness = my_pass

The latter line must be:

  password = my_pass

> Still, the user used to connect to the remote host was admin, no matter if I
> executed pssh technosoft.ro or pssh mrness@technosoft.ro.

Is your pwdb file named technosoft.ro?

Did you correctly set the environment variables that point pssh at the proxy?

  SSHPROXY_HOST (defaults to localhost)
  SSHPROXY_PORT (defaults to 2242)

Can you try the following command line with the standard ssh client (replace localhost with the name of the server hosting the proxy):

  ssh -tp 2242 localhost mrness@technosoft.ro
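A small checker for file-backend site files, written here as an added example rather than sshproxy's own code: it flags exactly the two mistakes this reply points out (no location line, a user key instead of password). The set of mandatory fields (ip, port, location; password) is assumed from the thread, not taken from the sshproxy documentation, and both sample files are constructed.

```python
import configparser

# Mandatory fields as the thread states them (comments #6 and #8): ip, port and
# location in [DEFAULT], password in each user section; assumed from the thread.
HOST_FIELDS = ("ip", "port", "location")
USER_FIELDS = ("password",)

# Constructed sample: the site file from comment #7, which did not work.
BROKEN_PWDB = """\
[DEFAULT]
ip = a.b.c.d
port = 22

[mrness]
mrness = my_pass
"""

# Constructed sample: the same site written the way comment #8 asks for.
FIXED_PWDB = """\
[DEFAULT]
ip = a.b.c.d
port = 22
location = technosoft.ro

[mrness]
password = my_pass
"""


def check_pwdb(text):
    """Return the mandatory fields missing from a pwdb site file ([] if none)."""
    # An unused default-section name makes [DEFAULT] an ordinary section, so
    # its keys are not merged into every user section; interpolation=None keeps
    # a literal '%' in a password from being treated as an expansion.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.read_string(text)
    problems = []
    host_keys = parser.options("DEFAULT") if parser.has_section("DEFAULT") else []
    for field in HOST_FIELDS:
        if field not in host_keys:
            problems.append("[DEFAULT] is missing '%s'" % field)
    users = [s for s in parser.sections() if s != "DEFAULT"]
    if not users:
        problems.append("no [remote_user] section")
    for user in users:
        for field in USER_FIELDS:
            if field not in parser.options(user):
                problems.append("[%s] is missing '%s'" % (user, field))
    return problems
```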
ssh -tp 2242 localhost mrness@technosoft.ro worked, but I have a few suggestions:

a) use $USER or $LOGNAME in case $SSHPROXY_USER is empty, like this:

  PROXY_USER=${SSHPROXY_USER}
  if [[ -z "${PROXY_USER}" ]]; then
      if [[ -n "${USER}" ]]; then
          PROXY_USER=${USER}
      else
          PROXY_USER=${admin}
      fi
  fi

b) ssh-keygen is launched as root because you used seteuid instead of setreuid/setuid (the same goes for setegid).
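Both points of the comment above, as an added Python example that is not sshproxy's own code: the login fallback chain, and a permanent uid/gid switch verified through getresuid(), which is the difference between seteuid() and setuid() the comment is about (with seteuid the real and saved ids stay 0, so anything exec()ed afterwards, ssh-keygen here, is root again). Assumes Linux, where Python exposes getresuid()/getresgid(); drop_privileges() itself has to run as root.

```python
import os


def proxy_user(env):
    """Pick the proxy login as comment #9 suggests: the first non-empty of
    SSHPROXY_USER, USER and LOGNAME, else the literal string "admin"."""
    for name in ("SSHPROXY_USER", "USER", "LOGNAME"):
        if env.get(name):
            return env[name]
    return "admin"


def permanently_dropped(resuid, resgid, uid, gid):
    """True only if the real, effective and saved ids all equal the target.

    seteuid()/setegid() change just the effective id and leave the real and
    saved ids at 0, which is why an exec()ed helper (ssh-keygen in this thread)
    runs as root again; setuid()/setgid() called as root rewrite all three.
    """
    return resuid == (uid, uid, uid) and resgid == (gid, gid, gid)


def drop_privileges(uid, gid):
    """Switch the process to uid/gid for good and return the resulting id
    tuples; raises if root could still be regained (must be called as root).

    Order matters: supplementary groups and the gid are changed first, since
    once the uid is no longer 0 those calls are refused.
    """
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    resuid, resgid = os.getresuid(), os.getresgid()
    if not permanently_dropped(resuid, resgid, uid, gid):
        raise RuntimeError("privilege drop incomplete: %r %r" % (resuid, resgid))
    return resuid, resgid
```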
Created an attachment (id=90453) sshproxy-0.4.ebuild: improved ebuild (sorry, I can test it only on x86).
Created an attachment (id=90455) sshproxy.initd: I don't see why we should have a configurable daemon user or pid file.
Other nice-to-have things would be:

a) some concise info messages at the end of pkg_config, explaining how to add entries for the 2 backends available
b) warnings about the file backend's (lack of) security
c) a long description for metadata.xml
(In reply to comment #10)
> Created an attachment (id=90453)
> sshproxy-0.4.ebuild
>
> Improved ebuild (sorry, I can test it only on x86).

I will test it on amd64. It looks much nicer than mine, thank you ;)

As for the copying of the sshd host key, I'd rather not do it automatically. I've set an option in the wizard for that. And I've fixed the autogeneration of the host key, not using ssh-keygen but paramiko's internal mechanism.
Created an attachment (id=90491) sshproxy-0.4.1.ebuild: bump version to 0.4.1
Created an attachment (id=90492) metadata.xml: added metadata.xml

Hope this is not too long for a description.

Also, the file sshproxy.initd should be renamed sshproxyd.initd.
(In reply to comment #12)
> Other nice-to-have things would be:
> a) some concise info messages at the end of pkg_config, explaining how to add
> entries for the 2 backends available

I've added links to the corresponding parts of the documentation at the end of the wizard.

> b) warnings about the file backend's (lack of) security

You have to confirm that you really want the file backend (in the wizard).

> c) a long description for metadata.xml

See the attached file metadata.xml.

Thanks for your help.
Now it crashes with this log:

  Traceback (most recent call last):
    File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 509, in run_server
      _run_server(sock)
    File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 471, in _run_server
      service_client(client, addr, host_key_file)
    File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 197, in service_client
      conn = proxy.ProxyClient(userdata)
    File "/usr/lib/python2.4/site-packages/sshproxy/proxy.py", line 138, in __init__
      print ("\nConnecting to %s by %s the %s" %
  IOError: [Errno 5] Input/output error

If I comment out that print, it works. If I remove \n, it works. Why do you need to print stuff when you already log the same info anyway?
(In reply to comment #17)
> Now it crashes with this log:
>
>   Traceback (most recent call last):
>     File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 509, in run_server
>       _run_server(sock)
>     File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 471, in _run_server
>       service_client(client, addr, host_key_file)
>     File "/usr/lib/python2.4/site-packages/sshproxy/daemon.py", line 197, in service_client
>       conn = proxy.ProxyClient(userdata)
>     File "/usr/lib/python2.4/site-packages/sshproxy/proxy.py", line 138, in __init__
>       print ("\nConnecting to %s by %s the %s" %
>   IOError: [Errno 5] Input/output error
>
> If I comment out that print, it works. If I remove \n, it works. Why do you
> need to print stuff when you already log the same info anyway?

I've removed the print statement completely from this module. I've put a new tarball online with the fix:
http://penguin.fr/sshproxy/download/sshproxy-0.4.1_p1.tar.gz
Ok, now it works, but I still have 2 more things to be done:

a) you made the changes suggested in comment #9 on pssh but not on pscp. Furthermore, that comment contained an error; you should set PROXY_USER to admin, not to ${admin}.

b) I don't like info messages like "Server ready, clients may login now" on service start. A service should be quiet as a mouse unless it has a fatal error to display. Anyway, if you need that, I will put a > /dev/null on the start-stop-daemon command line.
(In reply to comment #19)
> Ok, now it works, but I still have 2 more things to be done:
> a) you made the changes suggested in comment #9 on pssh but not on pscp.
> Furthermore, that comment contained an error; you should set PROXY_USER to
> admin, not to ${admin}.

Ok, this is fixed.

> b) I don't like info messages like "Server ready, clients may login now" on
> service start. A service should be quiet as a mouse unless it has a fatal error
> to display. Anyway, if you need that, I will put a > /dev/null on the
> start-stop-daemon command line.

You're right, I don't need that on services. It's just that I'm spending so much time coding that I don't see the obvious ;) I've made it silent in daemon mode.

You can find an updated tarball at:
http://penguin.fr/sshproxy/download/sshproxy-0.4.1_p2.tar.gz

Thank you for your time.
I wanted to point out that once you think the package is ok, I will release version 0.4.2, containing the fixes from the 0.4.1_p* sub-versions. So the final ebuild will be sshproxy-0.4.2.
I'm happy with this version and I am waiting for the release of version 0.4.2 to add it to the portage tree.

P.S. I've removed the first scenario from the metadata.xml. I think it is bad practice from the security pov. Users should use ssh keys if they want to avoid dealing with lots of passwords, and even then they should protect their private key with a password (ssh-agent is your friend in such cases).

The other scenarios are OK, assuming the server on which sshproxy runs is properly secured and the sshproxy daemon doesn't allow users to retrieve passwords or private keys.
(In reply to comment #22)
> I'm happy with this version and I am waiting for the release of version 0.4.2
> to add it to the portage tree.

Ok, 0.4.2 was released a couple of minutes ago:
http://penguin.fr/sshproxy/download/sshproxy-0.4.2.tar.gz

> P.S. I've removed the first scenario from the metadata.xml. I think it is bad
> practice from the security pov. Users should use ssh keys if they want to avoid
> dealing with lots of passwords, and even then they should protect their private
> key with a password (ssh-agent is your friend in such cases).
>
> The other scenarios are OK, assuming the server on which sshproxy runs is
> properly secured and the sshproxy daemon doesn't allow users to retrieve
> passwords or private keys.

OK for me.
fixed in cvs. thanks!
There seems to be a problem with the tarball or the digest:

  kalash sshproxy # emerge -av sshproxy

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild     U ] net-proxy/sshproxy-0.4.2 [0.4.1] USE="mysql" 49 kB

  Total size of downloads: 49 kB

  Would you like to merge these packages? [Yes/No]
  >>> Emerging (1 of 1) net-proxy/sshproxy-0.4.2 to /
  >>> Downloading ftp://ftp.free.fr/pub/Distributions_Linux/Gentoo/distfiles/sshproxy-0.4.2.tar.gz
  --21:57:21--  ftp://ftp.free.fr/pub/Distributions_Linux/Gentoo/distfiles/sshproxy-0.4.2.tar.gz
             => `/usr/portage/distfiles/sshproxy-0.4.2.tar.gz'
  Resolving ftp.free.fr... 212.27.60.27
  Connecting to ftp.free.fr|212.27.60.27|:21... connected.
  Logging in as anonymous ... Logged in!
  ==> SYST ... done.    ==> PWD ... done.
  ==> TYPE I ... done.  ==> CWD /pub/Distributions_Linux/Gentoo/distfiles ... done.
  ==> PASV ... done.    ==> RETR sshproxy-0.4.2.tar.gz ...
  No such file `sshproxy-0.4.2.tar.gz'.

  >>> Downloading ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/distfiles/sshproxy-0.4.2.tar.gz
  --21:57:22--  ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/distfiles/sshproxy-0.4.2.tar.gz
             => `/usr/portage/distfiles/sshproxy-0.4.2.tar.gz'
  Resolving ftp.belnet.be... 193.190.198.20, 2001:6a8:3c80:0:203:baff:fe39:f931
  Connecting to ftp.belnet.be|193.190.198.20|:21... connected.
  Logging in as anonymous ... Logged in!
  ==> SYST ... done.    ==> PWD ... done.
  ==> TYPE I ... done.  ==> CWD /mirror/rsync.gentoo.org/gentoo/distfiles ... done.
  ==> PASV ... done.    ==> RETR sshproxy-0.4.2.tar.gz ...
  No such file `sshproxy-0.4.2.tar.gz'.

  >>> Downloading http://penguin.fr/sshproxy/download/sshproxy-0.4.2.tar.gz
  --21:57:22--  http://penguin.fr/sshproxy/download/sshproxy-0.4.2.tar.gz
             => `/usr/portage/distfiles/sshproxy-0.4.2.tar.gz'
  Resolving penguin.fr... 88.191.11.242
  Connecting to penguin.fr|88.191.11.242|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 50,596 (49K) [application/x-gzip]

  100%[=================================================================================================================================================================>] 50,596  222.76K/s

  21:57:23 (221.80 KB/s) - `/usr/portage/distfiles/sshproxy-0.4.2.tar.gz' saved [50596/50596]

  >>> checking ebuild checksums
  !!! Digest verification failed:
  !!! /usr/portage/net-proxy/sshproxy/sshproxy-0.4.2.ebuild
  !!! Reason: Filesize does not match recorded size
  !!! Got: 1550
  !!! Expected: 1448

I didn't change the tarball since the release, and its md5 is: fce42652f7f0cf18ee33f92512cae676
The size is: 50596 bytes

Thanks
(In reply to comment #25)
> There seems to be a problem with the tarball or the digest:

File a new bug.
The error is about the size of the .ebuild file. Indeed, the file should have 1550 bytes.

Try to re-sync your portage tree.
(In reply to comment #27)
> The error is about the size of the .ebuild file. Indeed, the file should have
> 1550 bytes.
>
> Try to re-sync your portage tree.

Sorry, that was it. Thanks for all.