Re-map users doesn't work?
pwFoo opened this issue · 18 comments
I tried to re-map the user to the upstream, but got an error message:
2017/07/25 19:00:49 connection from 10.42.0.1:43948 establishing failed reason: ssh: disconnect, reason 2: Change of username or service not allowed: (user2,ssh-connection) -> (map2,ssh-connection)
Is it upstream config related or not supported by sshpiper?
Hi @tg123 here are results from new tests.
I don't use pubkey and try to re-map the user. If I rename directory "map2" to "user2" (upstream user to login) it works fine.
Here is my config (user map1 -> user1):
root@f6df2cf144a4:/go# cat /var/sshpiper/map2/sshpiper_upstream
user2@sshd2:22
2017/07/25 20:36:39 connection accepted: 10.42.0.1:60584
2017/07/25 20:36:39 mapping user [map1] to [user1@sshd1:22]
2017/07/25 20:36:39 mapping private key error: open /var/sshpiper/map1/authorized_keys: no such file or directory, public key auth denied for [map1] from [10.42.0.1:60584]
2017/07/25 20:36:39 connection from 10.42.0.1:60584 establishing failed reason: ssh: disconnect, reason 2: Change of username or service not allowed: (user1,ssh-connection) -> (map1,ssh-connection)
The user mapping is lost if there isn't a pub key to auth. Password auth works fine with the additional option to disable pubkey auth at client side.
ssh -l map1 127.0.0.1 -p 2222 -o PubkeyAuthentication=no
Is there a way to get it to work without the additional option -o PubkeyAuthentication=no, to simplify the client login?
Seems a problem if public key is not used. I will find a way to address this.
Thanks!
sshpiper is awesome! Haven't found another SSH RevProxy solution working fine with ssh / scp / sftp without complications! :)
I still experience that problem with the current version of sshpiperd:
2018/02/17 16:09:50 connection accepted: 127.0.0.1:59034
2018/02/17 16:09:50 mapping user [test] to [root@myserver:22]
2018/02/17 16:09:50 connection from 127.0.0.1:59034 closed reason: ssh: disconnect, reason 2: Change of username or service not allowed: (root,ssh-connection) -> (test,ssh-connection)
This happens both with and without public key authentication.
Most simple example (PermitRootLogin yes in /etc/ssh/sshd_config on myserver):
$ ls working_dir/test/
sshpiperd_upstream
$ cat working_dir/test/sshpiperd_upstream
root@myserver:22
... gives the above error log.
The redirection and authentication works fine if there is no user mapping as in:
$ cat working_dir/test/sshpiperd_upstream
myserver:22
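The working-dir layout in the comment above (one directory per downstream login name, holding an sshpiperd_upstream file with either host:port or user@host:port) is what the piper reads to decide where, and as whom, to connect. Here is an added example of that lookup, written for this page and not taken from sshpiper: it refuses login names that could escape the working dir, refuses a mapping file that other users can write to, and parses both file forms quoted in the thread. The safeUser pattern, the comment-line handling and the permission check are assumptions of this example; what sshpiper's own NO_CHECK_PERM and ALLOW_BAD_USERNAME options check exactly is not shown on this page.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// Upstream is the parsed target from one sshpiperd_upstream file.
type Upstream struct {
	User string // login name sent to the upstream sshd
	Host string
	Port int
}

// safeUser is the set of login names this example is willing to turn into a
// directory name under the working dir; anything with "/", "..", or spaces is
// refused before it touches the filesystem. The pattern is an assumption of
// this example, not sshpiper's own rule.
var safeUser = regexp.MustCompile(`^[a-z_][a-z0-9_.-]{0,31}$`)

// ParseUpstream parses "[user@]host[:port]". Without "user@" the downstream
// name is reused ("myserver:22" in the thread); "root@myserver:22" remaps it.
func ParseUpstream(line, downstreamUser string) (Upstream, error) {
	line = strings.TrimSpace(line)
	if line == "" {
		return Upstream{}, errors.New("empty upstream line")
	}
	up := Upstream{User: downstreamUser, Port: 22}
	if i := strings.LastIndex(line, "@"); i >= 0 {
		up.User, line = line[:i], line[i+1:]
		if !safeUser.MatchString(up.User) {
			return Upstream{}, fmt.Errorf("bad upstream user %q", up.User)
		}
	}
	host, port, err := net.SplitHostPort(line)
	if err != nil {
		host = strings.Trim(line, "[]") // no ":port" given, keep the default
	} else {
		p, perr := strconv.Atoi(port)
		if perr != nil || p < 1 || p > 65535 {
			return Upstream{}, fmt.Errorf("bad port %q", port)
		}
		up.Port = p
	}
	if host == "" {
		return Upstream{}, errors.New("empty upstream host")
	}
	up.Host = host
	return up, nil
}

// ResolveUpstream looks up <workingDir>/<downstreamUser>/sshpiperd_upstream,
// refuses names that could leave the working dir, refuses a mapping file that
// group or world can write (anyone able to edit it can redirect the session),
// and parses the first non-comment line. Comment support is this example's own.
func ResolveUpstream(workingDir, downstreamUser string) (Upstream, error) {
	if !safeUser.MatchString(downstreamUser) {
		return Upstream{}, fmt.Errorf("refusing downstream user %q", downstreamUser)
	}
	path := filepath.Join(workingDir, downstreamUser, "sshpiperd_upstream")
	f, err := os.Open(path)
	if err != nil {
		return Upstream{}, fmt.Errorf("no mapping for %q: %w", downstreamUser, err)
	}
	defer f.Close()
	st, err := f.Stat()
	if err != nil {
		return Upstream{}, err
	}
	if st.Mode().Perm()&0o022 != 0 {
		return Upstream{}, fmt.Errorf("%s is writable by others (mode %o)", path, st.Mode().Perm())
	}
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		t := strings.TrimSpace(sc.Text())
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		return ParseUpstream(t, downstreamUser)
	}
	return Upstream{}, fmt.Errorf("%s has no upstream line", path)
}

// WriteMapping builds a fixture <workingDir>/<user>/sshpiperd_upstream; the
// explicit Chmod keeps the umask from altering the requested mode.
func WriteMapping(workingDir, user, content string, mode os.FileMode) error {
	dir := filepath.Join(workingDir, user)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	path := filepath.Join(dir, "sshpiperd_upstream")
	if err := os.WriteFile(path, []byte(content), 0o600); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

func main() {
	dir, err := os.MkdirTemp("", "sshpiperd-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// constructed fixtures: the two layouts from the thread plus a writable one
	_ = WriteMapping(dir, "test", "root@myserver:22\n", 0o600)
	_ = WriteMapping(dir, "plain", "myserver:22\n", 0o600)
	_ = WriteMapping(dir, "loose", "root@myserver:22\n", 0o666)
	for _, u := range []string{"test", "plain", "loose", "../test"} {
		up, err := ResolveUpstream(dir, u)
		if err != nil {
			fmt.Printf("%-8s -> error: %v\n", u, err)
			continue
		}
		fmt.Printf("%-8s -> %s@%s:%d\n", u, up.User, up.Host, up.Port)
	}
}
```

Running it prints the remapped target for "test", the pass-through target for "plain", and refusals for the group/world-writable file and for the traversal name.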
@alexschomb v0.2 or master branch
seems a bug in v0.2
I used the commands from the README, so I think it should be master branch?
go get -tags pam github.com/tg123/sshpiper/sshpiperd
go install -tags pam github.com/tg123/sshpiper/sshpiperd
could you please try go get -u to ensure the latest version?
go get -u github.com/tg123/sshpiper/sshpiperd
I removed the old binary and reinstalled using your new command. Unfortunately the error still exists:
SSHPiper ver: DEV by Boshi Lian<farmer1992@gmail.com>
https://github.com/tg123/sshpiper
go runtime : go1.9.2
git hash : 0000000000
Listening : 0.0.0.0:2222
Server Key File : /etc/ssh/ssh_host_rsa_key
Working Dir : /usr/local/etc/sshpiperd
Additional Challenger :
Logging file : /var/log/sshpiperd.log
2018/02/18 21:06:17 SSHPiperd started
2018/02/18 21:06:24 connection accepted: 127.0.0.1:21112
2018/02/18 21:06:24 mapping user [test] to [root@myserver:22]
2018/02/18 21:06:24 connection from 127.0.0.1:21112 closed reason: ssh: disconnect, reason 2: Change of username or service not allowed: (root,ssh-connection) -> (test,ssh-connection)
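The disconnect text in these logs ("Change of username or service not allowed: (root,ssh-connection) -> (test,ssh-connection)") is OpenSSH sshd's protocol-error disconnect, sent when a later SSH_MSG_USERAUTH_REQUEST carries a different user name than the first one on the connection: the upstream first saw the mapped name and then the original downstream name. As an added example, not part of this issue or of sshpiper, the following Go program correlates sshpiperd log lines by client address and reports sessions that died this way, flagging whether the second name is the downstream login (the mapping being lost mid-auth). The log text is constructed from the lines quoted in this thread, and the regexes match only those line shapes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is constructed for this example: the failing session from the
// thread followed by a session that was torn down for an unrelated reason.
const SampleLog = `2018/02/18 21:06:24 connection accepted: 127.0.0.1:21112
2018/02/18 21:06:24 mapping user [test] to [root@myserver:22]
2018/02/18 21:06:24 connection from 127.0.0.1:21112 closed reason: ssh: disconnect, reason 2: Change of username or service not allowed: (root,ssh-connection) -> (test,ssh-connection)
2018/02/18 21:07:01 connection accepted: 10.42.0.1:60584
2018/02/18 21:07:01 mapping user [map1] to [user1@sshd1:22]
2018/02/18 21:07:02 connection from 10.42.0.1:60584 closed reason: EOF
`

// Finding describes one session the upstream sshd rejected with
// "Change of username or service not allowed".
type Finding struct {
	Addr           string // downstream client address
	DownstreamUser string // name the client logged in with at the piper
	Upstream       string // target from the "mapping user" line
	FirstUser      string // user name in the first SSH_MSG_USERAUTH_REQUEST the upstream saw
	SecondUser     string // user name in the later request that triggered the disconnect
	Leaked         bool   // SecondUser is the downstream name, i.e. the mapping was not applied
}

type session struct {
	addr, downstreamUser, upstream string
}

var (
	reAccept = regexp.MustCompile(`^\S+ \S+ connection accepted: (\S+)$`)
	reMap    = regexp.MustCompile(`^\S+ \S+ mapping user \[([^\]]+)\] to \[([^\]]+)\]$`)
	reClose  = regexp.MustCompile(`^\S+ \S+ connection from (\S+) (?:closed|establishing failed) reason: (.*)$`)
	reChange = regexp.MustCompile(`Change of username or service not allowed: \(([^,]+),[^)]*\) -> \(([^,]+),[^)]*\)`)
)

// DetectUsernameChange scans sshpiperd log text and returns one Finding per
// session that ended in the upstream's username-change disconnect. The
// "mapping user" line carries no client address, so it is attributed to the
// most recently accepted connection; with many concurrent connections that
// pairing is a heuristic and can be wrong.
func DetectUsernameChange(logText string) []Finding {
	open := map[string]*session{}
	var last *session
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		if m := reAccept.FindStringSubmatch(line); m != nil {
			s := &session{addr: m[1]}
			open[s.addr] = s
			last = s
			continue
		}
		if m := reMap.FindStringSubmatch(line); m != nil {
			if last != nil && last.downstreamUser == "" {
				last.downstreamUser, last.upstream = m[1], m[2]
			}
			continue
		}
		m := reClose.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		s, ok := open[m[1]]
		if !ok {
			continue
		}
		delete(open, m[1])
		c := reChange.FindStringSubmatch(m[2])
		if c == nil {
			continue
		}
		out = append(out, Finding{
			Addr:           s.addr,
			DownstreamUser: s.downstreamUser,
			Upstream:       s.upstream,
			FirstUser:      c[1],
			SecondUser:     c[2],
			Leaked:         c[2] == s.downstreamUser,
		})
	}
	return out
}

func main() {
	for _, f := range DetectUsernameChange(SampleLog) {
		fmt.Printf("%s: %s -> %s, upstream saw %s then %s (downstream name leaked: %v)\n",
			f.Addr, f.DownstreamUser, f.Upstream, f.FirstUser, f.SecondUser, f.Leaked)
	}
}
```

Both wordings seen in the thread ("closed reason:" from 2018 and "establishing failed reason:" from 2017) are accepted, so the same scan works on either log sample.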
could you please paste ssh -v piper
and please check if your GOPATH/src/github.com/tg123/sshpiper/vendor/golang.org/x/crypto/ssh/sshpiper.go is up to date with github
it is a known bug and covered by testcases and should not happen
and could you please go to $GOPATH/src/github.com/tg123/sshpiper/sshpiperd/e2e, run docker-compose up and paste me the test result?
hi, sorry but I think there seems to be a misunderstanding. I don't use docker and the system that is running sshpiperd is FreeBSD 11.1. That's why there is no docker-compose command. I removed all sshpiperd files from the system (including bin, pkg and src) and reinstalled with go get -u .... Unfortunately the problem still exists.
Here is the output of ssh -v -l test -p2222 127.0.0.1:
OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 2222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20161230
debug1: Remote protocol version 2.0, remote software version SSHPiper
debug1: no match: SSHPiper
debug1: Authenticating to 127.0.0.1:2222 as 'test'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:Xsw2YcVxRs9+dYlXDm0k/RCdcG2hzeAByx1LKbd9FUc
debug1: skipped DNS lookup for numerical hostname
debug1: checking without port identifier
debug1: Host '127.0.0.1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: found matching key w/out port
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
Hello. This is the MOTD.
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 127.0.0.1 ([127.0.0.1]:2222).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
Connection to 127.0.0.1 closed by remote host.
Connection to 127.0.0.1 closed.
Transferred: sent 1620, received 2388 bytes, in 0.0 seconds
Bytes per second: sent 7900898.2, received 11646509.2
debug1: Exit status -1
did not use password but keyboard-interactive?
could you please show your sshd config?
I will fix it if there is a bug using this method
Actually I didn't have the chance to enter any password. The ssh command just rushes through, shows the MOTD and then exits. No password prompt at all:
$ ssh -p2222 127.0.0.1 -l test
Hello. This is the MOTD.
Connection to 127.0.0.1 closed by remote host.
Connection to 127.0.0.1 closed.
$ echo $?
255
Here is my /etc/ssh/sshd_config (custom port for host system sshd):
# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
# $FreeBSD: releng/11.1/crypto/openssh/sshd_config 311915 2017-01-11 05:56:40Z delphij $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
Port 223344
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
UseBlacklist yes
#VersionAddendum FreeBSD-20161230
# no default banner path
Banner /etc/issue
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Side note: I don't have any ~/.ssh/config.
caused by Banner /etc/issue
you can disable it first to mitigate the issue
and I will post a fix later
Thanks for reporting
Thank you very much for your fast help and the great project!
I can confirm that it is working now
Side note: Has the syntax of config files changed? Before I was using the following style, but the options won't be understood anymore (e.g. unknown option: PORT):
ALLOW_BAD_USERNAME=true
CHALLENGER=pam
NO_CHECK_PERM=true
RECORD_TYPESCRIPT=true
SERVER_KEY=/etc/ssh/ssh_host_rsa_key
WORKING_DIR=/usr/local/etc/sshpiperd
LISTEN_ADDR=0.0.0.0
PORT=2222
LOG=/var/log/sshpiperd.log
sorry for the breaking change of the config file
to support more plugin-style upstream providers and challengers, the config file was changed to /etc/sshpiperd.ini
you can get a default one via
./sshpiperd dumpconfig > /etc/sshpiperd.ini
RECORD_TYPESCRIPT=true changed to --auditor-driver=typescript-logger
Perfect, the dumpconfig works fine. Thank you for the continuous development!