9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Re: Fun with sshsession
@ 2022-12-07 17:36 Steven Stallion
  2022-12-07 18:39 ` michaelian ennis
  0 siblings, 1 reply; 6+ messages in thread
From: Steven Stallion @ 2022-12-07 17:36 UTC (permalink / raw)
  To: 9fans

> Has anyone on the list gotten sshsession up and running supporting
> non-host owner logins?

I found another interesting wrinkle.  It appears this issue seems to
only affect diskless CPU servers.  I'm able to SSH successfully to my
auth and file servers.

Cheers,
Steve


------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T752f10d492990bed-Me4dcc93599f000ff2aac1318
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription


* Re: [9fans] Re: Fun with sshsession
  2022-12-07 17:36 [9fans] Re: Fun with sshsession Steven Stallion
@ 2022-12-07 18:39 ` michaelian ennis
  2022-12-07 18:41   ` Steven Stallion
  0 siblings, 1 reply; 6+ messages in thread
From: michaelian ennis @ 2022-12-07 18:39 UTC (permalink / raw)
  To: 9fans

The last thing fixed before Coraid shut down was permitting more than
a single exec on an open channel. Bruce Wong fixed it.

Ian

On Wed, Dec 7, 2022 at 9:37 AM Steven Stallion <sstallion@gmail.com> wrote:
> > Has anyone on the list gotten sshsession up and running supporting
> > non-host owner logins?
> 
> I found another interesting wrinkle.  It appears this issue seems to
> only affect diskless CPU servers.  I'm able to SSH successfully to my
> auth and file servers.
> 
> Cheers,
> Steve
> 



* Re: [9fans] Re: Fun with sshsession
  2022-12-07 18:39 ` michaelian ennis
@ 2022-12-07 18:41   ` Steven Stallion
  0 siblings, 0 replies; 6+ messages in thread
From: Steven Stallion @ 2022-12-07 18:41 UTC (permalink / raw)
  To: 9fans

That's fantastic. I'll give this a spin - thanks so much!

On Wed, Dec 7, 2022 at 12:40 PM michaelian ennis
<michaelian.ennis@gmail.com> wrote:
>
> The last thing fixed before Coraid shut down was permitting more than
> a single exec on an open channel. Bruce Wong fixed it.
>
> Ian
>
> On Wed, Dec 7, 2022 at 9:37 AM Steven Stallion <sstallion@gmail.com> wrote:
> > > Has anyone on the list gotten sshsession up and running supporting
> > > non-host owner logins?
> >
> > I found another interesting wrinkle.  It appears this issue seems to
> > only affect diskless CPU servers.  I'm able to SSH successfully to my
> > auth and file servers.
> >
> > Cheers,
> > Steve
> >



* Re: [9fans] Re: Fun with sshsession
  2022-12-19 22:27 ` Brian L. Stuart
@ 2023-01-03 19:07   ` Steven Stallion
  0 siblings, 0 replies; 6+ messages in thread
From: Steven Stallion @ 2023-01-03 19:07 UTC (permalink / raw)
  To: 9fans

> Steve,
> I'm glad to hear you got it sorted out.  Now that our fall term is
> over, I can come up for air.  But I didn't have much to add to
> your search anyway.

Hey Brian, no worries!  I've just returned from an extended holiday
break myself - I apologize for the delay in responding.

> About the only thing I've done with it since Geoff's clean-up
> was recently adding some new key exchange algorithms since
> OpenSSH no longer supports the original required KEX algorithms
> out of the box.  The server side of things was always a little
> goofy.  It does carry the fingerprints of being developed to
> allow customers to ssh into appliances that didn't share an
> auth server.  I never got around to doing much aimed at making
> it natural for non-Plan 9 clients to log into a full Plan 9
> environment with ssh.  There never seemed to be a lot of motivation
> because drawterm seemed to provide a better interface.  The
> main exception would be using sam -r from a non-Plan 9 system.

To be honest, the current implementation does precisely what I need it
to do - run an rc script from a non-Plan 9 host in the event of sudden
power loss with no frills or embellishment.  It's made life quite a
bit nicer now that I've moved venti over to a BSD system in the rack.

> Not that any of that is relevant to the issue you ran into, but
> it might help provide a little context to anyone wondering how
> and why that implementation works the way it does.

That makes perfect sense. Thanks again for following up!

Cheers,
Steve




* Re: [9fans] Re: Fun with sshsession
  2022-12-09  0:06 Steven Stallion
@ 2022-12-19 22:27 ` Brian L. Stuart
  2023-01-03 19:07   ` Steven Stallion
  0 siblings, 1 reply; 6+ messages in thread
From: Brian L. Stuart @ 2022-12-19 22:27 UTC (permalink / raw)
  To: 9fans

On Thu, Dec 08, 2022 at 06:06:21PM -0600, Steven Stallion wrote:
> > I found another interesting wrinkle.  It appears this issue seems to
> > only affect diskless CPU servers.  I'm able to SSH successfully to my
> > auth and file servers.
> 
> Mystery solved!  It turns out this was the same issue Cinap fixed in
> auth/as last year.  sshsession was inheriting the host owner factotum
> after capuse, which was leading to breakage on hosts other than the
> file server.

Steve,
I'm glad to hear you got it sorted out.  Now that our fall term is
over, I can come up for air.  But I didn't have much to add to
your search anyway.

About the only thing I've done with it since Geoff's clean-up
was recently adding some new key exchange algorithms since
OpenSSH no longer supports the original required KEX algorithms
out of the box.  The server side of things was always a little
goofy.  It does carry the fingerprints of being developed to
allow customers to ssh into appliances that didn't share an
auth server.  I never got around to doing much aimed at making
it natural for non-Plan 9 clients to log into a full Plan 9
environment with ssh.  There never seemed to be a lot of motivation
because drawterm seemed to provide a better interface.  The
main exception would be using sam -r from a non-Plan 9 system.

In the end, it ended up being a perfect example of an implementation
influenced by lots of "here's something cool that could be done
with it" ideas.  But then pretty much none of the cool capabilities
ever got used.  I do still use the client functionality a lot
from a Pi 400 running a slightly enhanced copy of Richard's
Pi image in the classroom talking to my BSD laptop and the
department's Linux cluster.

Not that any of that is relevant to the issue you ran into, but
it might help provide a little context to anyone wondering how
and why that implementation works the way it does.

BLS





* [9fans] Re: Fun with sshsession
@ 2022-12-09  0:06 Steven Stallion
  2022-12-19 22:27 ` Brian L. Stuart
  0 siblings, 1 reply; 6+ messages in thread
From: Steven Stallion @ 2022-12-09  0:06 UTC (permalink / raw)
  To: 9fans


> I found another interesting wrinkle.  It appears this issue seems to
> only affect diskless CPU servers.  I'm able to SSH successfully to my
> auth and file servers.

Mystery solved!  It turns out this was the same issue Cinap fixed in
auth/as last year.  sshsession was inheriting the host owner factotum
after capuse, which was leading to breakage on hosts other than the
file server.

I've attached (and submitted to 9legacy) a patch to address the issue
in the Labs implementation.  To wit, I was able to duplicate this
issue on every implementation of SSH v2 that's available.

Cheers,
Steve


[-- Attachment #2: ssh2-factotum.diff --]

This patch corrects non-host owner filesystem permissions in
sshsession.  Prior to these changes, SSH sessions would inherit the
host owner factotum, which led to incorrect permissions on hosts
other than the file server.

These changes are similar to those submitted by Cinap Lenrek to
address a related issue in auth/as:

https://git.9front.org/plan9front/plan9front/55a0abdd439964793a5ebceb23776d162a0436d2/patch

--- /n/sources/plan9/sys/src/cmd/ssh2/sshsession.c	Sun May  6 14:55:41 2012
+++ /sys/src/cmd/ssh2/sshsession.c	Thu Dec  8 17:14:10 2022
@@ -89,6 +89,27 @@
 }
 
 /*
+ * mount factotum after auth
+ */
+static void
+mountfactotum(int ctlfd)
+{
+	int fd;
+
+	fd = open("/srv/factotum", ORDWR);
+	if (fd < 0) {
+		syslog(0, "ssh", "can't open /srv/factotum: %r");
+		hangup(ctlfd);
+		exits("open");
+	}
+	if (mount(fd, -1, "/mnt", MREPL, "") < 0) {
+		syslog(0, "ssh", "can't mount /srv/factotum in /mnt: %r");
+		hangup(ctlfd);
+		exits("can't mount");
+	}
+}
+
+/*
  * mount tunnel if there isn't one visible.
  */
 static void
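Review bot: the descriptor from open("/srv/factotum", ORDWR) is never closed after the mount succeeds; the mount table keeps its own reference to the channel, so adding close(fd) at the end of mountfactotum keeps a raw 9P channel to factotum from being inherited by every process the session later execs. Second point: mounting with MREPL replaces whatever the session's namespace already had on /mnt instead of unioning with it, so anything else expected to stay visible there disappears after this call; if replacement is intentional, say so in the comment above the function, which currently only reads "mount factotum after auth", otherwise MBEFORE or MAFTER is the less surprising flag.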
@@ -135,6 +156,7 @@
 		return 0;
 
 	auth(buf, n, ctlfd);
+	mountfactotum(ctlfd);
 
 	p = strchr(buf, '@');
 	if (p == nil)
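Review bot: placing mountfactotum(ctlfd) directly after auth(buf, n, ctlfd) only fixes the inherited-factotum problem the description names if auth() has already switched the process to the authenticated user (the capuse step) before it returns; if that switch happens later in the login path, the mount is still attached as the host owner and the session ends up with exactly the factotum view the patch is trying to replace. The hunk does not show auth()'s body, so this ordering assumption deserves a sentence in the comment on mountfactotum. Note also that because mountfactotum hangs up ctlfd and exits on any failure, a login that reaches this point without a usable /srv/factotum is now refused rather than continued with the inherited mount; that is the safer default, and the description should state it.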
