Uploaded image for project: 'VCL'
  1. VCL
  2. VCL-1108

Improve flexibility in how sshd is configured in Linux images

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • vcld (backend)
    • None

    Description

      In Linux images, the ext_sshd service is dynamically generated when an image is loaded and reconfigured when the computer is reserved.  The ext_sshd service is configured with /etc/ssh/ext_sshd/external_sshd_config.  This file is generated by using the regular /etc/ssh/sshd_config file as a template.  The following hard-coded parameter modifications are then applied to external_sshd_config:

      ListenAddress <remote IP>
      PasswordAuthentication yes
      PermitRootLogin no
      PidFile /var/run/ext_sshd.pid
      X11Forwarding yes
      AllowUsers <reservation user>

       

      The ext_sshd service and all associated files including external_sshd_config are deleted before an image is captured.  When the image is loaded, the sshd_config file stored in the image is used as the template.

      The only way to customize the ext_sshd service is by using a vcl_post_reserve script.  There's a timing problem with this.  vcl_post_reserve gets executed after

      1. vcld detects the user clicked the Connect button
      2. $self->os->grant_access()
        1. firewall opened to user's IP
        2. connect methods processed, ext_sshd running
      3. $self->os->update_cluster()

      At this point, the user is able to connect to the computer via SSH.  If you need to customize any of the ext_sshd configuration parameters which can't be customized in sshd_config because they'd break management node communication, you'd have to do it here and then restart the service.  This leaves a window of 1 to several seconds when the ext_sshd service was configured and listening without the customizations.

      This problem came up in an image which required using Duo for multifactor authentication.  ext_sshd could be configured properly by the vcl_post_reserve script, but it left a window when a user could login without going through Duo.

      There are a few ways to improve this.  The simplest, though the the prettiest, would be to extend the configure_sshd_config_file and configure_ext_sshd_config_file subroutines in Linux.pm to check for the existence of some other file to use as a template for external_sshd_config (instead of sshd_config).  Perhaps something like /root/.vclcontrol/external_sshd_config.template.  The hard-coded parameter modifications listed above would still need to be applied.

       

       

      Attachments

        Activity

          People

            Unassigned Unassigned
            arkurth Andrew Kurth
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated: