h3idan/parallel-ssh

Problem with pass protected ssh private key

Closed this issue · 23 comments

What steps will reproduce the problem :

1. Protect your ssh private key with a password.
2. Run pssh :

    /tmp/pssh-2.0/bin$ ./pssh -v -h /tmp/hosts.txt -o /tmp/output/ -e /tmp/error/ ls
    [1] 16:38:04 [FAILURE] server1 Exited with error code 255
    [2] 16:38:09 [FAILURE] server2 Exited with error code 255
    [3] 16:38:10 [FAILURE] server3 Exited with error code 255

3. /tmp/pssh-2.0/bin$ cat /tmp/error/*

    ssh_askpass: exec(/usr/lib/pymodules/python2.5/psshlib/askpass.py): Permission denied
    Permission denied (publickey,password).
    ssh_askpass: exec(/usr/lib/pymodules/python2.5/psshlib/askpass.py): Permission denied
    Permission denied (publickey,password).
    ssh_askpass: exec(/usr/lib/pymodules/python2.5/psshlib/askpass.py): Permission denied
    Permission denied (publickey,password).

Am I missing something ?

Thanks in advance,
Marc

Original issue reported on code.google.com by dooblem...@positon.org on 21 Dec 2009 at 3:42

It's not a bug, it's a missing feature. It will be great if pssh would ask you for your password, but it does not.

Original comment by dr.bro...@gmail.com on 23 Dec 2009 at 12:48

Does the "-A" option do what you want?

Original comment by amcna...@gmail.com on 16 Feb 2010 at 7:43

Thanks for your response.

Yes, with the -A option it asks me my password.

But it does exactly the same as before. No matter if I type in the good password or not.

Can you test it with an ssh protected key on your side ? 

Original comment by dooblem...@positon.org on 18 Feb 2010 at 4:53

Thanks for letting me know that this is still a problem with the -A option.  I will try to reproduce it and look into the problem.  Thanks.

Original comment by amcna...@gmail.com on 18 Feb 2010 at 6:35

I looked into this a little more, and it looks like this is a packaging bug or openssh problem.  What distro are you using?  What version of ssh do you have (run `ssh -V`)?

Original comment by amcna...@gmail.com on 18 Feb 2010 at 9:01

Oh, and can you give me the exact output of pssh when you specify the -A option, in addition to letting me know the version of ssh?  Thanks.

Original comment by amcna...@gmail.com on 18 Feb 2010 at 9:02

[deleted comment]

No problem!
Here it is :

    ~/telech/pssh-2.0/bin$ mkdir /tmp/output
    ~/telech/pssh-2.0/bin$ mkdir /tmp/error
    ~/telech/pssh-2.0/bin$ vi /tmp/hosts.txt
    ~/telech/pssh-2.0/bin$ ./pssh -v -A -h /tmp/hosts.txt -o /tmp/output/ -e /tmp/error/ ls
    Warning: do not enter your password if anyone else has superuser
    privileges or access to your account.
    Password: 
    [1] 15:22:27 [FAILURE] server1 Exited with error code 255
    [2] 15:22:27 [FAILURE] server2 Exited with error code 255
    mamau@lotus:~/telech/pssh-2.0/bin$ cat /tmp/error/*
    ssh_askpass: exec(/usr/lib/pymodules/python2.5/psshlib/askpass.py): Permission denied
    Permission denied (publickey,password).
    ssh_askpass: exec(/usr/lib/pymodules/python2.5/psshlib/askpass.py): Permission denied
    Permission denied (publickey,password).
    ~/telech/pssh-2.0/bin$ ssh -V
    OpenSSH_5.3p1 Debian-1, OpenSSL 0.9.8k 25 Mar 2009

.. And I'm under Debian sid unstable.

Original comment by dooblem...@positon.org on 19 Feb 2010 at 2:27

Okay.  It took me a little longer to track this down because I misinterpreted something in the execve man page.  Anyway, this is a packaging bug.  Would you please open a report with Debian?  The Debian package needs to be changed to set the executable bit for /usr/lib/pymodules/python2.5/psshlib/askpass.py.  It looks like the same problem is in Fedora, so I'll open a report there.

Original comment by amcna...@gmail.com on 19 Feb 2010 at 6:22

On Sat, Feb 20, 2010 at 02:54:19PM +1000, Andrew Pollock wrote:
>
> Actually why is /usr/lib/pymodules/python2.5/psshlib/askpass.py being
> executed directly? Shouldn't that get imported and then something called
> from it?

The askpass.py file gets executed by ssh when it needs a password.  The ssh man page has a pretty good description of how this works:

     SSH_ASKPASS           If ssh needs a passphrase, it will read the
                           passphrase from the current terminal if it was run
                           from a terminal.  If ssh does not have a terminal
                           associated with it but DISPLAY and SSH_ASKPASS are
                           set, it will execute the program specified by
                           SSH_ASKPASS and open an X11 window to read the
                           passphrase.  This is particularly useful when call-
                           ing ssh from a .xsession or related script.  (Note
                           that on some machines it may be necessary to redi-
                           rect the input from /dev/null to make this work.)

If making askpass.py executable really turns out to be a problem, you could move
askpass.py to someplace like /usr/libexec/pssh/askpass.py and then change
psshlib/task.py to refer to this location explicitly.

Replace the lines:

    root, ext = os.path.splitext(os.path.abspath(askpass.__file__))
    environ['SSH_ASKPASS'] = '%s.py' % root

with something like:

    environ['SSH_ASKPASS'] = '/usr/libexec/pssh/askpass.py'

In pssh version 2.0, you'll need to _copy_ askpass.py to that location (and also leave it as a read-only module in psshlib).  In version 2.1, this will be a little bit easier, so you can actually just _move_ the file.  Version 2.1 will probably be released in the next week or so.

If it would make it easier, I could make this process a bit simpler, starting in version 2.1.  I could make it so you just change one line at the top of task.py from "ASKPASS_PATH = None" to "ASKPASS_PATH = '/usr/libexec/pssh/askpass.py'".  Would this help?  If you would use this, I would be happy to add it, but I won't bother unless it would actually make a difference.

Please let me know if you have any questions or ideas, and let me know what you end up doing.  Thanks for your help.

Original comment by amcna...@gmail.com on 20 Feb 2010 at 6:21

By the way, if you're trying to reproduce this problem, you don't actually have to use a password-protected ssh key.  The "-A" option works for any situation where ssh wants to prompt for a password.  So the simplest reproducing case is to use "-A" to try to connect to a remote system for which passwords are allowed but keys are not set up.

Original comment by amcna...@gmail.com on 20 Feb 2010 at 6:29

I figured out how to open a Debian bug report and created one for this issue.  Here's a link:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570609

Original comment by amcna...@gmail.com on 20 Feb 2010 at 6:32

Ok, I think you discovered another bug in the Debian version, nice.

Now I totally removed my pssh Debian package, in order to be sure to test the right pssh and psshlibs.

I think the -A option only works with hosts asking for a password. It doesn't work to unlock the ssh private key.

The tests I made with pssh version 2.0 :

With my ssh protected private key :

    ssh SERVER # works well without asking any pass (ssh-agent running with key unlocked)

    pssh-2.0/bin$ ./pssh -v -h /tmp/hosts -o /tmp/output/ -e /tmp/error/ ls
    [1] 12:07:05 [FAILURE] SERVER Exited with error code 255
    pssh-2.0/bin$ cat /tmp/error/SERVER
    Permission denied.  Please create SSH keys or use the -A option to
    provide a password. 
    Permission denied (publickey,password).

Same test with -A option and typing in my private key pass :

    pssh-2.0/bin$ cat /tmp/error/SERVER
    Permission denied (publickey,password).

Same test with -A option and typing in the server pass :

    pssh-2.0/bin$ cat /tmp/error/SERVER
    Permission denied (publickey,password).

Now when I test with a fresh account with no private key, and -A option, and typing in the server pass, it works well.

In fact, there is no need to ask any password in my case, because my private key is unlocked by ssh-agent. Just calling ssh works without any pass.

Thanks a lot for your support.
Marc

Original comment by dooblem...@positon.org on 22 Feb 2010 at 11:13

Ok, I made one test again. Maybe we are searching the wrong way.

I managed to make it work with my ssh private key !!

In fact, I had to tell pssh the right user in the hosts file :

    SERVER root

instead of just :

    SERVER

I have "User root" in my ~/.ssh/config file, in order to tell ssh to use "root" as default user instead of my own username.

SSH called from pssh seems to ignore the user config. No ?

Original comment by dooblem...@positon.org on 22 Feb 2010 at 11:23

dooblempub, it looks like you found two separate problems. :)  Would you mind posting the problem from comment #14 as a separate issue?  Thanks!

Original comment by amcna...@gmail.com on 22 Feb 2010 at 5:44

I suggest the following fix:

- create a small wrapper in /usr/libexec/pssh/askpass (together with other ssh askpass bins) and keep askpass.py as is.

- Change task.py with a simple one liner:

--- task.py~    2009-10-20 23:20:04.000000000 +0200
+++ task.py     2010-02-22 17:18:13.920299074 +0100
@@ -59,7 +59,8 @@
         # askpass.py to get a provided password.  If the module file is
         # askpass.pyc, we replace the extension.
         root, ext = os.path.splitext(os.path.abspath(askpass.__file__))
-        environ['SSH_ASKPASS'] = '%s.py' % root
+        #environ['SSH_ASKPASS'] = '%s.py' % root
+        environ['SSH_ASKPASS'] = '/usr/libexec/pssh/askpass'
         if askpass_socket:
             environ['PSSH_ASKPASS_SOCKET'] = askpass_socket
         # Work around a mis-feature in ssh where it won't call SSH_ASKPASS
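Review bot: the added `environ['SSH_ASKPASS'] = '/usr/libexec/pssh/askpass'` line hard-codes one absolute path with no fallback, so an install that does not ship the wrapper at that location fails at the same exec step as before. Either fall back to `'%s.py' % root` when the wrapper is absent, or delete the commented-out assignment together with the now-unused `root, ext = os.path.splitext(...)` line and the comment about askpass.pyc above it, which no longer describes what the code does.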

askpass in libexec attached. 

Implemented this gives python logic in python dirs and bins in /usr/libexec, which is FHS way.

Original comment by terjeros@gmail.com on 22 Feb 2010 at 6:30


terjeros, I just added a file to the repository called libexec/pssh_askpass, which is basically the same as the file you attached.  I also added an executable_path() function to askpass.py which can try several paths to find an executable pssh.  For now, the list includes /usr/libexec/pssh/pssh_askpass and /usr/local/libexec/pssh/pssh_askpass.  Take a look and see what you think.

If you like this change, then all I have to do is figure out how to make setup.py install the file to /usr/libexec.

Original comment by amcna...@gmail.com on 22 Feb 2010 at 10:31
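One way to do the path lookup described in the comment above while also catching the missing execute bit that caused the original failure. This is an added example, not the project's executable_path(); the function names, the candidate order and the writability check are assumptions.

```python
import os
import stat

# Candidate locations named in the thread; the order is an assumption.
CANDIDATES = ("/usr/libexec/pssh/pssh_askpass",
              "/usr/local/libexec/pssh/pssh_askpass")


def check_askpass(path):
    """Return None if `path` is fit to be SSH_ASKPASS, else the reason it is not."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return "cannot stat: %s" % exc.strerror
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # The failure in this thread: ssh's exec() of the helper is denied.
        return "execute bit not set"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # The helper relays the password to ssh, so others must not be able to edit it.
        return "group- or world-writable"
    return None


def find_askpass(candidates=CANDIDATES):
    """Return (path, rejected): the first usable helper or None, plus reject reasons."""
    rejected = {}
    for path in candidates:
        reason = check_askpass(path)
        if reason is None:
            return path, rejected
        rejected[path] = reason
    return None, rejected


def ssh_environ(base, candidates=CANDIDATES):
    """Copy `base` and set SSH_ASKPASS, failing before ssh is spawned if none is usable."""
    path, rejected = find_askpass(candidates)
    if path is None:
        raise RuntimeError("no usable askpass helper: %r" % rejected)
    env = dict(base)
    env["SSH_ASKPASS"] = path
    return env


if __name__ == "__main__":
    print(find_askpass())
```

Failing in the parent process with the rejection reasons puts the cause in one place, instead of one "Permission denied" per host in the error directory.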

  • Changed state: Started

Okay, it looks like there's no way to get setup.py to install things to /usr/libexec.  From the setuptools documentation, "Note, by the way, that this encapsulation of data files means that you can't actually install data files to some arbitrary location on a user's machine; this is a feature, not a bug."

What if the RPM just copied libexec/pssh_askpass to /usr/libexec/pssh/pssh_askpass?

Original comment by amcna...@gmail.com on 22 Feb 2010 at 10:55

You can add something like this:

diff --git a/setup.py b/setup.py
index 84d64e7..b572d74 100644
--- a/setup.py
+++ b/setup.py
@@ -34,5 +34,6 @@ setup(
         ],

     packages = find_packages(),
+    data_files = [('/usr/libexec/pssh', ['bin/askpass'])], 
     scripts = [os.path.join("bin", p) for p in ["pssh", "pnuke", "prsync", "pslurp",
"pscp"]]
     )
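Review bot: the `data_files` entry on the added line uses an absolute target directory, /usr/libexec/pssh, so the file is written there regardless of the install prefix, which breaks installs into a home directory or any other non-system prefix. Leaving placement to the package spec, or using a directory relative to the prefix, avoids that. The added line also ends in trailing whitespace, and it refers to bin/askpass, so that file has to exist in the source tree for the install to succeed.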

However, the execute bit must be set by other means it seems.

Anyway, this is easy to fix in the rpm spec, your call.

Original comment by terjeros@gmail.com on 23 Feb 2010 at 8:53

I'll keep on looking for a way to get setuptools to set the execute bit.  If I can't find an easy way to do that, I do have an alternative idea.  We could put pssh-askpass into bin/ (so setuptools will make it executable) and then make pssh look for either /usr/bin/pssh-askpass or /usr/libexec/pssh/pssh-askpass.  Then it would be in /usr/bin by default, but packagers could move it to /usr/libexec at their discretion.  What do you think of this idea?  Of course, I'll keep trying to find a good way to get the execute bit set in setuptools.

Original comment by amcna...@gmail.com on 23 Feb 2010 at 11:20

I've read some more documentation, blog entries, etc., and as far as I can tell, setuptools really doesn't want to deal with anything other than scripts and modules.  So I'm committing a change that puts pssh-askpass into the bin directory, and packagers can move this to /usr/libexec.  Does that sound good?

Original comment by amcna...@gmail.com on 24 Feb 2010 at 12:08

I've touched this up one last time, and I think that this is a good, clean solution.  I've put pssh-askpass into the bin directory, and I added some text to the INSTALL file directing packagers to move this from /usr/bin/pssh-askpass to /usr/libexec/pssh/pssh-askpass.  I've done some testing, and it looks like everything works in either location.

I think I'm about ready to cut a 2.1 release including this change, and I think it will be better for everyone.  I'll mark this bug as fixed, but please reopen it if you have any reservations about the solution.  Thanks to everyone for helping.

Original comment by amcna...@gmail.com on 24 Feb 2010 at 5:45

  • Changed state: Fixed

Thanks, No problem.

Anyway Issue 14 (ssh user config) solved my problem. Once my ssh key is unlocked, pssh works fine (no need for -A option).

Original comment by dooblem...@positon.org on 26 Feb 2010 at 1:23