Affects Version/s: None
Fix Version/s: None
Component/s: vcld (backend)
In Linux images, the ext_sshd service is dynamically generated when an image is loaded and reconfigured when the computer is reserved. The ext_sshd service is configured with /etc/ssh/ext_sshd/external_sshd_config. This file is generated by using the regular /etc/ssh/sshd_config file as a template. The following hard-coded parameter modifications are then applied to external_sshd_config:
ListenAddress <remote IP>
AllowUsers <reservation user>
The ext_sshd service and all associated files including external_sshd_config are deleted before an image is captured. When the image is loaded, the sshd_config file stored in the image is used as the template.
The only way to customize the ext_sshd service is by using a vcl_post_reserve script. There's a timing problem with this. vcl_post_reserve gets executed after
- vcld detects the user clicked the Connect button
- firewall opened to user's IP
- connect methods processed, ext_sshd running
At this point, the user is able to connect to the computer via SSH. If you need to customize any of the ext_sshd configuration parameters which can't be customized in sshd_config because they'd break management node communication, you'd have to do it here and then restart the service. This leaves a window of 1 to several seconds when the ext_sshd service was configured and listening without the customizations.
This problem came up in an image which required using Duo for multifactor authentication. ext_sshd could be configured properly by the vcl_post_reserve script, but it left a window when a user could login without going through Duo.
There are a few ways to improve this. The simplest, though the the prettiest, would be to extend the configure_sshd_config_file and configure_ext_sshd_config_file subroutines in Linux.pm to check for the existence of some other file to use as a template for external_sshd_config (instead of sshd_config). Perhaps something like /root/.vclcontrol/external_sshd_config.template. The hard-coded parameter modifications listed above would still need to be applied.