Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
In Linux images, the ext_sshd service is dynamically generated when an image is loaded and reconfigured when the computer is reserved. The ext_sshd service is configured with /etc/ssh/ext_sshd/external_sshd_config. This file is generated by using the regular /etc/ssh/sshd_config file as a template. The following hard-coded parameter modifications are then applied to external_sshd_config:
ListenAddress <remote IP>
PasswordAuthentication yes
PermitRootLogin no
PidFile /var/run/ext_sshd.pid
X11Forwarding yes
AllowUsers <reservation user>
The ext_sshd service and all associated files including external_sshd_config are deleted before an image is captured. When the image is loaded, the sshd_config file stored in the image is used as the template.
The only way to customize the ext_sshd service is by using a vcl_post_reserve script. There's a timing problem with this. vcl_post_reserve gets executed after
- vcld detects the user clicked the Connect button
- $self->os->grant_access()
- firewall opened to user's IP
- connect methods processed, ext_sshd running
- $self->os->update_cluster()
At this point, the user is able to connect to the computer via SSH. If you need to customize any of the ext_sshd configuration parameters which can't be customized in sshd_config because they'd break management node communication, you'd have to do it here and then restart the service. This leaves a window of 1 to several seconds when the ext_sshd service was configured and listening without the customizations.
This problem came up in an image which required using Duo for multifactor authentication. ext_sshd could be configured properly by the vcl_post_reserve script, but it left a window when a user could login without going through Duo.
There are a few ways to improve this. The simplest, though the the prettiest, would be to extend the configure_sshd_config_file and configure_ext_sshd_config_file subroutines in Linux.pm to check for the existence of some other file to use as a template for external_sshd_config (instead of sshd_config). Perhaps something like /root/.vclcontrol/external_sshd_config.template. The hard-coded parameter modifications listed above would still need to be applied.