[SAC] [OSGeo] #2550: LDAP mediated SSH access not working anymore

#2550: LDAP mediated SSH access not working anymore
---------------------------+----------------------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: major | Milestone: Sysadmin Contract 2020-III
Component: Systems Admin | Keywords:
---------------------------+----------------------------------------
According to the docs in
https://wiki.osgeo.org/wiki/SAC_Service_Status#Download one should be able
to log in to the download container by just being in the posixShell group
and having keys published in LDAP. This is NOT the case, at the moment.

If it ever worked, it broke. It *might* (or might not) be due to the way I
changed storage of ssh keys in LDAP with the work in #2542.

Initial setup of this LDAP/SSH connection was done by Regina in #2116

Other machines where this should work, according to
https://trac.osgeo.org/osgeo/ticket/2116#comment:3 are:

   - hop.osgeo3.osgeo.org
   - hop.osgeo4.osgeo.org
   - hop.osgeo7.osgeo.org

None are working for me when I mv ~/.ssh away

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2550: LDAP mediated SSH access not working anymore
---------------------------+-----------------------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: major | Milestone: Sysadmin Contract 2020-III
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+-----------------------------------------

Comment (by strk):

NOTE: this would be a perfect job for an ansible role named something like
SshProxyHost...

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:1>

#2550: LDAP mediated SSH access not working anymore

Comment (by strk):

I found instructions about setting up LDAP mediated SSH access buried in
private repository
https://git.osgeo.org/gitea/sac/osgeo7/wiki/Download-Container#user-content-enable-use-of-ldap-stored-ssh-pub-keys
(I think this is a huge downside of these private repositories).
Dropping a link here for easier access, but I think such info should be
made public, eventually (ideally as a public ansible-deployment git repo)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:2>

#2550: LDAP mediated SSH access not working anymore

Comment (by strk):

The command to extract keys from LDAP is held in a (still private)
repository https://git.osgeo.org/gitea/sac/ssh-ldap-sshkey.git in BINARY
(this is a no-no!) form.
The binaries in that repository are documented to come from
https://github.com/werrett/ssh-ldap-publickey in source form. We probably
want debian packages for this kind of thing, or we want to use some easier
simpler scripting to directly store in ansible-deployment.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:3>

#2550: LDAP mediated SSH access not working anymore

Comment (by strk):

I found that the ssh-ldap-publickey binary is just unable to fetch _all_
keys from LDAP (it only picks the first one). So this must have been
broken when I changed LDAP storage format for keys (broken for me because
the very first key is not the one from the client host I'm using).

I'll see if Santa gives me hope to rewrite that script to be a simple
script so we can get rid of the binary repository and can put this in
ansible.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:4>

#2550: LDAP mediated SSH access not working anymore

Comment (by strk):

I've added an ansible role for "ShellServer" with commit
https://git.osgeo.org/gitea/sac/ansible-deployment/commit/28a0b49b4b5e546493f565f226db030af50812e3

The new role is still NOT used on deploy, as none of the intended targets
have a top-level playbook yet

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:5>

#2550: LDAP mediated SSH access not working anymore

Comment (by strk):

Note in the new commit above I've added a 189-byte shell script doing the
equivalent of the 5MB Go executable failing to fetch all keys from LDAP...
The shell script works fine, using ldapsearch.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:6>
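
The failure described in comment:4 (only the first key returned) and the ldapsearch-based replacement mentioned in comment:6 both come down to parsing LDIF correctly. The script below is an added example written for this page; it is not the 189-byte script from the ansible-deployment commit, which is not reproduced here. It is an AuthorizedKeysCommand helper in POSIX sh that returns every key a user has, unfolds the 76-column line wrapping that ldapsearch applies by default (a single grep of one line truncates long RSA keys), decodes base64 (`::`) values, validates the username sshd passes in before it is spliced into the LDAP filter, and forwards only lines that look like OpenSSH public keys. The server URI, base DN and the `sshPublicKey` attribute name (openssh-lpk style) are assumptions, as is the install path in the usage note.

```shell
#!/bin/sh
# Added example, not the script from the OSGeo ansible-deployment commit:
# an sshd AuthorizedKeysCommand helper that prints every public key stored
# for a user in LDAP, instead of only the first one. Server URI, base DN and
# attribute name are assumptions (openssh-lpk style "sshPublicKey").
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"        # assumed
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=org}"    # assumed
KEY_ATTR="${KEY_ATTR:-sshPublicKey}"                      # assumed attribute
# Accept only well-formed OpenSSH public key lines; anything else stored in
# the attribute must not be handed to sshd.
KEY_RE='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

# sshd passes %u straight from the login name. Refuse anything that is not a
# plain POSIX username, so the value cannot rewrite the LDAP filter below.
valid_user() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Turn LDIF (ldapsearch output) on stdin into one key per line, handling the
# three things a "grep the first match" extractor gets wrong:
#   - multi-valued attributes: several "sshPublicKey:" lines per entry
#   - line folding: ldapsearch wraps at 76 columns and continuation lines
#     start with a single space, so a long RSA key spans several lines
#   - base64 values ("sshPublicKey::"), emitted when a value has leading or
#     trailing whitespace or non-ASCII bytes
ldif_keys() {
  awk -v attr="$KEY_ATTR" '
    function flush(   tag) {
      if (have) { tag = b64 ? "B " : "P "; print tag val }
      have = 0; val = ""; b64 = 0
    }
    /^ /  { if (have) val = val substr($0, 2); next }   # folded continuation
    { flush() }                                        # any other line ends a value
    index($0, attr "::") == 1 { have = 1; b64 = 1; val = substr($0, length(attr) + 3); sub(/^ +/, "", val); next }
    index($0, attr ":") == 1  { have = 1; b64 = 0; val = substr($0, length(attr) + 2); sub(/^ +/, "", val); next }
    END { flush() }
  ' | while read -r kind data; do
    case "$kind" in
      B) key=$(printf '%s' "$data" | base64 -d 2>/dev/null) || continue ;;
      *) key=$data ;;
    esac
    printf '%s\n' "$key" | grep -E "$KEY_RE" || true
  done
}

# What sshd runs (not executed by the test): look the user up and print keys.
# Shell access itself is gated elsewhere (AllowGroups in sshd_config plus the
# LDAP-backed NSS group), not by this script.
fetch_keys() {
  valid_user "$1" || exit 1
  ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
    "(&(objectClass=posixAccount)(uid=$1))" "$KEY_ATTR" | ldif_keys
}

case "${1:-}" in
  "") ;;                 # no username given (e.g. sourced for testing): nothing to do
  *)  fetch_keys "$1" ;;
esac
```

Wiring it in (paths assumed): install as `/usr/local/sbin/ldap-authorized-keys`, owned by root and not group- or world-writable (sshd refuses to run the command otherwise), and set `AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u`, `AuthorizedKeysCommandUser nobody` and `AllowGroups posixShell` in sshd_config. Note that the group check is done by sshd against the LDAP-backed NSS group, not by the key lookup, so a user with keys in LDAP but outside posixShell is still refused. Check the lookup independently of sshd with `sudo -u nobody /usr/local/sbin/ldap-authorized-keys strk`, which should print one line per stored key.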

#2550: LDAP mediated SSH access not working anymore
---------------------------+---------------------------------------
Reporter: strk | Owner: strk
     Type: task | Status: new
Priority: major | Milestone: Sysadmin Contract 2021-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):

* owner: sac@… => strk

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:8>

#2550: LDAP mediated SSH access not working anymore
---------------------------+---------------------------------------
Reporter: strk | Owner: strk
     Type: task | Status: closed
Priority: major | Milestone: Sysadmin Contract 2021-I
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:9>

#2550: LDAP mediated SSH access not working anymore
---------------------------+----------------------------------------
Reporter: strk | Owner: strk
     Type: task | Status: closed
Priority: major | Milestone: Sysadmin Contract 2020-II
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+----------------------------------------
Changes (by robe):

* milestone: Sysadmin Contract 2021-I => Sysadmin Contract 2020-II

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2550#comment:10>