invirt replaces sshd_config, locks everyone out of system

Bug #569609 reported by Daniel Clark
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Invirt Project | Won't Fix | Undecided | Unassigned |

Bug Description

New invirt install. Invirt replaces sshd_config with a symlink to a new sshd_config file. In my / ismith case, this caused us to be locked out of the system. I think this would also prevent inclusion into Debian. IMHO should just doc what changes are needed (and why) to a README.Debian file.

These are the differences between the working file and the file invirt installed.

root@bogomips:/etc/ssh# diff -U 0 sshd_config.not-invirt sshd_config.invirt
--- sshd_config.not-invirt 2010-04-24 20:00:24.000000000 -0400
+++ sshd_config.invirt 2010-01-27 22:23:52.000000000 -0500
@@ -26 +26 @@
-PermitRootLogin without-password
+PermitRootLogin yes
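Review bot: `PermitRootLogin yes` on the `+` line replaces `without-password`, so root may now authenticate with a password where the previous file limited root to non-password methods. If the package only needs the GSSAPI settings, as the report guesses, keep `without-password` and leave this line out of the change.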
@@ -32 +31,0 @@
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
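Review bot: the `AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u` line is dropped with no replacement, so sshd falls back to its default key location and accounts whose keys exist only under the monkeysphere path can no longer log in with them, which is the lockout reported here. Carry an existing `AuthorizedKeysFile` value over into the installed file, or stop and prompt when one is set.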
@@ -48 +47 @@
-ChallengeResponseAuthentication no
+ChallengeResponseAuthentication yes
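Review bot: `ChallengeResponseAuthentication yes` re-enables keyboard-interactive authentication that the administrator had set to `no`, and together with the `PermitRootLogin yes` hunk it reopens password-style logins the previous file had closed. Leave the existing value unless the package documents why it needs this setting.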
@@ -60,2 +59,4 @@
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPIStrictAcceptorCheck no
+GSSAPICleanupCredentials yes
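Review bot: `GSSAPIStrictAcceptorCheck no` relaxes the check on which service principal the server accepts, and nothing in the hunk says why; document the reason (the README.Debian suggested in the report would be a natural place) or keep the default. If these four `GSSAPI*` lines are what the package depends on, as the report guesses, they are the candidates for a targeted edit instead of a whole-file replacement.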

The major change that prevented all logins on the system is the loss of the line:
-AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u

I'm guessing that what invirt cares about is just the "GSSAPI" lines, so perhaps some sed or something could be used (but user should be prompted via IMHO).

Greg Price (gregprice)
Changed in invirt:
status: New → Won't Fix
Greg Price (gregprice) wrote :

Ouch, sorry about that. Unfortunately, there isn't really a good way to do better than this. Your easiest solution is probably not to use the invirt-ssh-config package on your Invirt hosts; alternatively you could post-process the sshd_config in your install script.

If you look at the source of invirt-ssh-config, you'll see that we do in fact use sed to change only the lines we care about -- but we do this at build time, from the pristine upstream configuration file. It'd be a little worrying to try to write a sed script to work on the existing sshd_config on the system. That file could be in an arbitrary state, so it might be difficult or impossible to confirm that the output of the script was always a reasonable config file.

You probably saw this, but for readers of the bug thread: invirt-ssh-config leaves the original sshd_config present on the system, as /etc/ssh/sshd_config.invirt-orig. That file is restored as /etc/ssh/sshd_config if invirt-ssh-config is uninstalled.

Greg Price (gregprice) wrote :

I'm looking forward to the new version of install-invirt.sh that you produce from your experience installing Invirt. Please feel free to handle the SSH configuration in that script how you think best -- with documentation, a prompt, an option to use invirt-ssh-config, a sed script, whatever.
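
The post-processing approach discussed in this thread, as an added example that is not invirt's code and not part of the original comments: it sets only the GSSAPI directives from the diff in an existing sshd_config, keeps every other line (including AuthorizedKeysFile), and handles the Match-block case that makes editing an arbitrary file risky. It uses awk rather than sed; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not invirt's code. Function names and the sample are constructed.
GSS_SETTINGS="GSSAPIAuthentication=yes GSSAPIKeyExchange=yes"
GSS_SETTINGS="$GSS_SETTINGS GSSAPIStrictAcceptorCheck=no GSSAPICleanupCredentials=yes"

# merge_gssapi FILE: print FILE with the managed directives set globally.
merge_gssapi() {
    awk -v settings="$GSS_SETTINGS" '
    BEGIN {
        n = split(settings, pair, " ")
        for (i = 1; i <= n; i++) {
            split(pair[i], kv, "="); line[i] = kv[1] " " kv[2]
            managed[tolower(kv[1])] = 1
        }
    }
    function emit(   i) {
        if (emitted) return
        for (i = 1; i <= n; i++) print line[i]
        emitted = 1
    }
    {
        key = tolower($1); sub(/=.*/, "", key)
        # Global settings go before the first Match block, not after it.
        if (key == "match") { emit(); in_match = 1 }
        # Drop active global copies of managed keys; all else passes through.
        if (!in_match && (key in managed)) next
        print
    }
    END { emit() }' "$1"
}

# only_gssapi_changed OLD NEW: succeed if only active GSSAPI lines differ.
only_gssapi_changed() {
    old=$(grep -vi '^[[:space:]]*gssapi' "$1")
    new=$(grep -vi '^[[:space:]]*gssapi' "$2")
    [ "$old" = "$new" ]
}

# Constructed sample: a locally customised config like the one in the report.
sample_config() {
    cat <<'EOF'
AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u
#GSSAPIAuthentication no
GSSAPIAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}
# Demo: print the merged form of the sample.
tmp=$(mktemp) && sample_config > "$tmp" && merge_gssapi "$tmp"; rm -f "$tmp"
```

Write the result to a separate file, confirm it with `only_gssapi_changed` and `sshd -t -f`, and only then swap it into place.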
