From tore@fud.no Wed Dec 4 20:32:35 2013
Date: Wed, 04 Dec 2013 21:31:56 +0100
From: Tore Anderson
To: users@conserver.com
Subject: Problems exec consoles using expect scripts

Hi,

When using consoles that are exec-ing expect scripts, I get troubles like line buffering of input and local echo.

I have the following console definitions:

console test-ssh {
    master localhost;
    type exec;
    exec "ssh server";
}
console test-expect {
    master localhost;
    type exec;
    exec "expect-console";
}

Where the script "expect-console" contains only the following:

---
#!/usr/bin/expect --
spawn ssh server
interact
---

The conserver user's ssh key is installed on "server", so both consoles connect fine and I get a shell on "server".

However, on the "test-expect" console input is being line buffered and I get local echo. So if I e.g. run mc, arrow up/down key presses to navigate the menus don't get registered until I press the enter key, at which point everything happens at once.
(However, the arrow up/down keypresses get echoed back to the console immediately as ^[OA / ^[OB and similar garbage.) Same with using e.g. "less", in order to go to the next page, I have to press space+enter, and q+enter to quit. If I do "su", the password I enter gets echoed back to me.

I am pretty sure this is not ssh's fault, as I can replace the ssh command with an "ipmitool sol activate" command and get the exact same behaviour.

However, if I run the "expect-console" script directly from the shell on the server running conserver, it works perfectly. It's only when the script is invoked from within conserver that the problems occur.

Has anyone experienced this issue and/or have any suggestions on how to fix it? If so that would be greatly appreciated!

I'm running Ubuntu 12.04 x86_64 with the distribution packages of both conserver (version 8.1.18) and expect (version 5.45), for what it's worth.

Best regards,
Tore Anderson

From cfowler@outpostsentinel.com Wed Dec 4 20:48:14 2013
Date: Wed, 04 Dec 2013 15:47:44 -0500
From: Chris Fowler
To: users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

I ran into a problem like this a while back.

What I did is write a program that would execute the script on a pseudo tty. That program sets up the master and slave ptys appropriately.

Chris

From glance@acc.umu.se Wed Dec 4 22:34:35 2013
Date: Wed, 4 Dec 2013 23:33:56 +0100
From: Anton Lundin
To: Chris Fowler
Cc: users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

On 04 December, 2013 - Chris Fowler wrote:

> I ran into a problem like this a while back.
>
> What I did is write a program that would execute the script on a pseudo tty.
> That program sets up the master and slave ptys appropriately.
>

I just solved it by exec'ing ssh -tt directly. That forces ssh to allocate a pty in the other end and do all the processing there.

//Anton

--
Anton Lundin +46702-161604

From bryan@conserver.com Wed Dec 4 23:01:08 2013
Date: Wed, 4 Dec 2013 15:01:07 -0800
From: Bryan Stansell
To: users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

I just ran a similar test on my mac (easiest thing with expect at this point), and all seemed mostly well (no line buffering/echo issues). Conserver does (or is supposed to, if it detects support) allocate pseudo-ttys when execing consoles. In the past, it's worked on Solaris and Linux, but I haven't tested or looked at how it behaves in quite a while.

Guess it's time to build an Ubuntu VM...

Bryan

From tore@fud.no Wed Dec 4 23:22:56 2013
Date: Thu, 05 Dec 2013 00:21:42 +0100
From: Tore Anderson
To: Bryan Stansell, users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

* Bryan Stansell

> I just ran a similar test on my mac (easiest thing with expect at
> this point), and all seemed mostly well (no line buffering/echo
> issues). Conserver does (or is supposed to, if it detects support)
> allocate pseudo-ttys when execing consoles. In the past, it's worked
> on Solaris and Linux, but I haven't tested or looked at how it
> behaves in quite a while.

It does indeed appear to do so:

tore@conserver:~$ console -x | grep test
 test-expect on /dev/pts/0 at Local
 test-ssh on /dev/pts/19 at Local

Also, to comment on Anton's suggestion to use "ssh -tt" - this yields the exact same results as without. If I add "-v" to the ssh command line I can confirm that the ssh client reports "debug1: Entering interactive session."
both when it's being run directly and when it's being started from expect.

Tore

From gyurgyikms@ornl.gov Thu Dec 5 13:53:43 2013
Date: Thu, 05 Dec 2013 08:17:00 -0500
From: Matthew Gyurgyik
To: users@conserver.com
Subject: pam authentication with one-time use passwords

Hello.

When attempting to use pam with conserver, I noticed that conserver was sending multiple authentications to PAM. As our security policy mandates one-time authentication tokens (rsa), multiple authentications using the same password fail.

Poking around in the code I identified 4 places where CheckPasswd() is called.

master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)

When connecting from a remote client, it seems the authentication code in master.c is called and then the authentication code in group.c is called.

Would it be possible to call CheckPasswd() once, store the result in a global variable, and then pass that global variable to each of the conditional statements?

Additionally, it would appear that the if statement (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568 and group.c:3495 will never evaluate true. As I understand the code, the second variable passed into CheckPasswd should be the user password and in this case, this is blank. The CheckPasswd function doesn't do anything special with a blank password.

My C knowledge is nearly non-existent and therefore my grasp of the authentication code is poor. I don't know the difference between master.c and group.c and why authentication is happening in both master.c and group.c.

Thank you,
Matthew Gyurgyik

--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
865-576-7099

From bryan@conserver.com Thu Dec 5 17:02:39 2013
Date: Thu, 5 Dec 2013 09:02:38 -0800
From: Bryan Stansell
To: users@conserver.com
Subject: Re: pam authentication with one-time use passwords

I think you've stumbled into new territory (one-time passwords and conserver). The problem is that there are multiple conserver processes - one "master" and multiple "console" instances. When the client logs into a console, it first talks to the master, asks what process is managing that console, then goes to that other process and asks for access. There are things you can do with the master process (like telling it to reload the config) so the client has to authenticate there to protect the information and functionality. And, of course, it needs to log in to the console.
And if you have a multi-master setup, one master redirects you to another master which then redirects you to...you get the idea.

Without a "global" authentication scheme, I'm not sure how to make it happen (which is yet another layer of "trust" that would require setup, maintenance, etc). But if there's a good API (maybe even platform-specific?) that already exists to mitigate that, I'd love to hear about it. As it stands, the conserver code has nothing available but making authentication checks when each process gets a connection.

Bryan

On Dec 5, 2013, at 5:17 AM, Matthew Gyurgyik wrote:

> Hello.
>
> When attempting to use pam with conserver, I noticed that conserver was sending multiple authentications to PAM. As our security policy mandates one-time authentication tokens (rsa), multiple authentications using the same password fail.
>
> Poking around in the code I identified 4 places where CheckPasswd() is called.
>
> master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
> group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
>
> When connecting from a remote client, it seems the authentication code in master.c is called and then the authentication code in group.c is called.
>
> Would it be possible to call CheckPasswd() once, store the result in a global variable, and then pass that global variable to each of the conditional statements?
>
> Additionally, it would appear that the if statement (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568 and group.c:3495 will never evaluate true. As I understand the code, the second variable passed into CheckPasswd should be the user password and in this case, this is blank. The CheckPasswd function doesn't do anything special with a blank password.
>
> My C knowledge is nearly non-existent and therefore my grasp of the authentication code is poor. I don't know the difference between master.c and group.c and why authentication is happening in both master.c and group.c.
>
> Thank you,
> Matthew Gyurgyik
>
> --
> Matthew Gyurgyik
> HPC System Administrator
> National Center for Computational Sciences
> Oak Ridge National Laboratory
> 865-576-7099

From bryan@conserver.com Thu Dec 5 17:05:29 2013
Date: Thu, 5 Dec 2013 09:05:27 -0800
From: Bryan Stansell
To: users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

Good news is I was able to replicate the issue on my shiny new Ubuntu VM. I haven't got a clue why it's happening, though I haven't dug in much. More poking around as I have time...

Bryan

On Dec 4, 2013, at 3:01 PM, Bryan Stansell wrote:

> Guess it's time to build an Ubuntu VM...
>
> Bryan

From cfowler@outpostsentinel.com Thu Dec 5 17:12:33 2013
Date: Thu, 05 Dec 2013 12:11:17 -0500
From: Chris Fowler
To: Bryan Stansell, users@conserver.com
Subject: Re: Problems exec consoles using expect scripts

I do what the original poster does, but I use PERL with Expect.

Bryan Stansell wrote:

>Good news is I was able to replicate the issue on my shiny new Ubuntu
>VM. I haven't got a clue why it's happening, though I haven't dug in
>much. More poking around as I have time...
>
>Bryan
>
>On Dec 4, 2013, at 3:01 PM, Bryan Stansell wrote:
>> Guess it's time to build an Ubuntu VM...
>>
>> Bryan

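
For the expect thread above: input that is only acted on after Enter, and arrow keys echoed back as ^[OA, are what a pseudo-tty does while its ICANON and ECHO flags are set. The Python sketch below is an added illustration, not code from conserver or from any poster; it sends one arrow key into a fresh pty in cooked and in raw mode and reports what each side sees. It assumes a Linux pty layer and does not diagnose why the problem appears only under conserver.

```python
import os
import select
import termios
import tty

ARROW_UP = b"\x1bOA"  # constructed sample: application-mode "arrow up" sequence


def describe(fd):
    """Return the two termios flags behind the reported symptoms."""
    lflag = termios.tcgetattr(fd)[3]
    return {"line_buffered": bool(lflag & termios.ICANON),
            "local_echo": bool(lflag & termios.ECHO)}


def _drain(fd, timeout=0.3):
    """Read whatever becomes available on fd within timeout, else b''."""
    ready, _, _ = select.select([fd], [], [], timeout)
    return os.read(fd, 64) if ready else b""


def keypress(raw):
    """Send one arrow key into a fresh pty and report what each side sees.

    master = the end the console user types into,
    slave  = the end the exec'ed program reads as its terminal.
    """
    master, slave = os.openpty()
    try:
        if raw:
            tty.setraw(slave)        # clears ICANON and ECHO, among others
        flags = describe(slave)
        os.write(master, ARROW_UP)   # a keypress with no newline after it
        return {"flags": flags,
                "program_received": _drain(slave),
                "echoed_to_user": _drain(master)}
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    for raw in (False, True):
        print("raw   " if raw else "cooked", keypress(raw))
```

Running `stty -a` against the /dev/pts device that `console -x` lists for the affected console shows the same two flags on a live system.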
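
For the one-time-password thread above: a Python model of the failure Matthew Gyurgyik reports (the same code checked at the master and again at the console process) next to one possible shape for the "global" scheme Bryan Stansell mentions. This is an added example, not conserver code; `OneTimeVerifier`, the ticket format and the shared key are hypothetical, and the thread states conserver has no such mechanism.

```python
import hashlib
import hmac


class OneTimeVerifier:
    """Stand-in for PAM backed by a one-time token: each code works once."""

    def __init__(self, valid):
        self._valid = set(valid)  # (user, code) pairs, constructed sample data

    def check(self, user, code):
        try:
            self._valid.remove((user, code))  # consumed on first use
            return True
        except KeyError:
            return False


def _mac(key, user, console, expires):
    msg = f"{user}\0{console}\0{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_ticket(key, user, console, now, ttl=30):
    """Master side: after one successful check, vouch for (user, console)."""
    expires = int(now) + ttl
    return f"{expires}:{_mac(key, user, console, expires)}"


def verify_ticket(key, user, console, ticket, now):
    """Console-process side: accept the master's voucher, do not re-ask PAM."""
    try:
        expires_s, tag = ticket.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    good = _mac(key, user, console, expires)
    return hmac.compare_digest(good.encode(), tag.encode()) and now <= expires


def login_as_reported(pam, user, code):
    """Two hops, two checks of the same code: (master_ok, console_ok)."""
    return pam.check(user, code), pam.check(user, code)


def login_with_ticket(pam, key, user, code, console, now):
    """One check at the master, then a ticket for the console process."""
    if not pam.check(user, code):
        return False, False
    ticket = issue_ticket(key, user, console, now)
    # The ticket stays valid until it expires; single-use tracking and
    # distribution of the shared key are the extra trust layer Bryan notes.
    return True, verify_ticket(key, user, console, ticket, now + 1)
```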