Not Restricted to Path /opt/kc-ssh-pam
pichilianiGustavo opened this issue · 10 comments
Hi, thanks for this module, it's incredibly intuitive to use and super functional.
I would like to suggest: is there a possibility to include a feature where the compiled code is not restricted to the location of the file being exactly /opt/kc-ssh-pam? I've tested it out by changing file names and directories, but it only works in this specific location, as it is explicit in the conf.go file.
As the log states, here is what happens:
The location of my files was /opt/MyDir/kc-ssh-pam/
*** Wed Nov 22 09:12:29 2023
2023/11/22 09:12:29 Error reading config file: Config File "config" Not Found in "[/ /opt/kc-ssh-pam /etc /.config]"
Again, thanks for this amazing project.
Hello @pichilianiGustavo,
The binary itself can be hosted in any location; it's the config which is restricted to the following paths:
/opt/kc-ssh-pam/config.toml
/etc/config.toml
$HOME/.config/config.toml
If your config is in one of these locations then it will not error out; by default it looks for the config file in these locations.
I see your point though, it will be useful to have the option of specifying the location of the config file with a flag.
Can you test again by setting the config via the following env variables, either by adding them to .bashrc or exporting, and check if you still run into the same error?
export KC_SSH_REALM="master"
export KC_SSH_ENDPOINT="https://keycloak.example.com"
export KC_SSH_CLIENTID="keycloak-client-id"
export KC_SSH_CLIENTSECRET="MIKEcHObWmI3V3pF1hcSqC9KEILfLN"
export KC_SSH_CLIENTSCOPE="openid"
Hi @kha7iq
Thanks for the quick response.
So, I've tested this scenario, adding the dir containing the config file in my environment file, where it should find the config, but the error persists. The binary did not find the correct path of the config file, even though this path is defined in the $PATH var.
I think it would be useful to specify the location through a flag, giving more possibilities of customization.
I think I was not able to convey this properly; we definitely need to add the config.toml file in one of these locations at the moment.
I was just saying that if you don't add the config.toml in any location but export the variables with config values, will it still error out?
I.e. add the following in your .bashrc or .zshrc and try after that:
export KC_SSH_REALM="master"
export KC_SSH_ENDPOINT="https://keycloak.example.com"
export KC_SSH_CLIENTID="keycloak-client-id"
export KC_SSH_CLIENTSECRET="MIKEcHObWmI3V3pF1hcSqC9KEILfLN"
export KC_SSH_CLIENTSCOPE="openid"
Ohh, sorry about that, I understood it the wrong way. I thought it was for the config file to be available through the PATH var in my filesystem.
I will try this now and let you know.
Unfortunately same result. I've added the exports with my Keycloak information in the .bashrc, but it also did not find the config file when opening another PuTTY session :(
Should I try another solution? I've also tried adding the same exports in /etc/profile.d as a custom file, so it would read and export those values as the OS initiates, but it also gave the same error.
I tried to reproduce the error you mentioned without success.
Download the binary, extract it to /new-temp-folder
❯ pwd
/new-temp-folder
❯ echo test/pass | ./kc-ssh-pam
2023/11/23 11:12:33 Failed to retrieve provider configuration: oidc: failed to decode provider discovery object: expected Content-Type = application/json, got "text/html; charset=utf-8": invalid character '<' looking for beginning of value
As you can see, the error is about a wrong endpoint loaded from the config, but the config itself can be loaded properly.
From your error I can say that you are running kc-ssh-pam from / and there is no config.toml in /.
As long as you have the config in the same folder you can run the service from any path.
@pichilianiGustavo Check out the new version and README.
You can now optionally specify the location of the config file with the -c flag or by exporting the path of the config in the KC_SSH_CONFIG variable.
❯ /opt/kc-ssh-pam/kc-ssh-pam --version
Version: 0.1.2
Build Date: 2023-11-23T04:57:04Z
Commit SHA: 7e2d7af27752185f0e8fdf66e41309254e495202
PR #4
@kha7iq Thanks for the update!! I will test it out today and will give you feedback here.
I also would like to thank you for the code and quick response for a new feature.
@kha7iq I've tested and it worked just as expected! Thanks for the update!
[root@srv365aeswebrtc kc-ssh-pam.0.1.2]# ll
total 6716
-rw-r--r-- 1 root root 166 Nov 23 09:32 config.toml
-rwxr-xr-x 1 root root 6873088 Nov 23 01:55 kc-ssh-pam
[root@srv365aeswebrtc kc-ssh-pam.0.1.2]# pwd
/opt/365ti/kc-ssh-pam.0.1.2
[root@srv365aeswebrtc kc-ssh-pam.0.1.2]# cat /etc/pam.d/sshd
auth sufficient pam_exec.so expose_authtok log=/var/log/kc-ssh-pam.log /opt/365ti/kc-ssh-pam.0.1.2/kc-ssh-pam -c /opt/365ti/kc-ssh-pam.0.1.2/config.toml
I've also tested with the variable and it worked fine.
You are welcome, I am glad it works well for you now, and thanks for testing out the feature.
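The lookup order discussed in this thread (the -c flag, the KC_SSH_CONFIG variable, then config.toml in the directories named in the error message), combined with a permission check on the file that holds the Keycloak client secret, which the listing above shows as -rw-r--r--. This is an added example, not kc-ssh-pam's own code: the function names, the flag-before-environment precedence and the 0600 policy are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// defaultDirs mirrors the search list in the quoted error; its first entry is the working directory.
func defaultDirs() []string {
	wd, _ := os.Getwd()
	home, _ := os.UserHomeDir()
	return []string{wd, "/opt/kc-ssh-pam", "/etc", filepath.Join(home, ".config")}
}

// ResolveConfig picks the config path. Assumed precedence (not confirmed by
// the project): -c flag value, then KC_SSH_CONFIG, then the default dirs.
func ResolveConfig(flagPath string, dirs []string) (string, error) {
	for _, p := range []string{flagPath, os.Getenv("KC_SSH_CONFIG")} {
		if p != "" {
			return p, nil
		}
	}
	for _, d := range dirs {
		p := filepath.Join(d, "config.toml")
		if _, err := os.Stat(p); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("config.toml not found in %q", dirs)
}

// CheckSecretFile rejects a config that group or other can read or write.
func CheckSecretFile(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o exposes the client secret; use 0600", path, perm)
	}
	return nil
}

func main() {
	p, err := ResolveConfig("", defaultDirs())
	if err == nil {
		err = CheckSecretFile(p)
	}
	fmt.Println(p, err)
}
```

Passing an explicit path, as the pam.d line above does with -c, removes the dependence on the working directory and environment that pam_exec hands to the binary.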