Support Console access from the Web-UI with Shell In a Box #518

Closed
schakrava opened this Issue Oct 27, 2014 · 7 comments

@schakrava
Member

schakrava commented Oct 27, 2014

No description provided.

@schakrava schakrava added this to the Inner Sunset milestone Oct 27, 2014

@schakrava schakrava modified the milestones: Yosemite, Inner Sunset Nov 14, 2014

@schakrava schakrava assigned priyaganti and unassigned sujeetsr Jan 23, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 4, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 6, 2016

@MFlyer

Member

MFlyer commented Jul 6, 2016

Hi all @priyaganti @phillxnet @schakrava , here is a preview for ongoing shell access implementation on Rockstor, hope you'll enjoy it 😃

https://youtu.be/ekGDnPxj13E

Todo list

  • Increase nginx security to avoid direct access to shell page outside Rockstor (testing) (06/07/2016 on 02c5a92)
  • Add shellinabox service management over services page (07/07/2016 on 5080e8f, 4b7abda, 24cd465, a0cc630)
  • Add shellinabox service customization: define different port and maybe define black on white or white on black shell css / connection type login or ssh with tooltip warning on ssh direct root access (1edfdf1, 2dde15b, 36fa59e, 400c556, 5c0e2ee, dd8cae0, 3e3c075)
  • Add shellinabox service switch on button directly on shell page (07/07/2016 on dcd7ecc)
  • Add Fullscreen feature to shell (07/07/2016 on e65e42d)
  • Add buildout default conf and set service stop on first run (09/07/2016 on 226b44e)
  • Add Shell In a Box option to open in a popup window (11/07/2016 on c924daf)
@phillxnet

Member

phillxnet commented Jul 6, 2016

@MFlyer This looks great, you are really knocking out some great stuff. Good luck with the security side, not something I can help with unfortunately (the security side). I take it from the text within the video that initial login is to be limited to admin user only, with su to root thereafter, is that right? Does this mean that the admin password is over https (as normal) and the root password is then inside an ssh session of its own which is in turn also inside the https?

@MFlyer

Member

MFlyer commented Jul 6, 2016

Hi @phillxnet , security side is a challenge to me too eheheh (had to find a way to let shell only inside Rockstor without locking it at all - not so easy because of shellinabox structure and probably only possible with some nginx hacks)

I take it from the text within the video that initial login is to be limited to admin user only, with su to root thereafter, is that right? Does this mean that the admin password is over https (as normal) and the root password is then inside an ssh session of its own which is in turn also inside the https?

First part you're right!
Shellinabox configured to only allow access from localhost with LOGIN auth that is like a tty login (root user hasn't login auth so we ensure 2 logins: any web-ui created user next su with root) where you should never auth directly with root (our choice :) )
Less secure alternative: SSH auth allowing direct root login (not our choice!)

HTTPS

Actually there's a new nginx location named shell (48a953f) that acts like on socket.io address, shellinabox not directly on https because of proxy_pass with current django-nginx already on https (django-nginx over https -> access to /shell address -> nginx proxy_pass moves to http://127.0.0.1:4200, not exposed to frontend, like socket.io), so yes, we're always under https 👍

Flyer

@MFlyer

Member

MFlyer commented Jul 6, 2016

Nginx security / avoid direct access to shell : 02c5a92 😉

Obviously someone hacking could modify http request header, but:

  1. This assumes he/she already knows about Rockstor on lan
  2. He/she knows Rockstor hostname/ip

And if 1 & 2...he/she has to know a Rockstor web ui account infos (uname&pass) and Rockstor root pass

I think current protection can be ok

Flyer
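
The /shell proxy to 127.0.0.1:4200 and the header-based gate discussed in the two comments above, as an added nginx example that is not part of the thread or of the Rockstor repository. It assumes the header being checked is Referer; the hostname, certificate paths, the /api/shell-auth endpoint and backend port 8000 are hypothetical.

```nginx
# Added example: constructed config, not from the Rockstor repository.
# Assumptions: the header being checked is Referer; hostname, certificate
# paths, the /api/shell-auth endpoint and backend port 8000 are hypothetical.
# shellinaboxd is taken to listen on 127.0.0.1:4200 over plain HTTP.

server {
    listen 443 ssl;
    server_name rockstor.example;
    ssl_certificate     /etc/ssl/example/rockstor.crt;
    ssl_certificate_key /etc/ssl/example/rockstor.key;

    # Weak gate: decision based on a client-supplied header.
    # The Referer value is chosen by the client, so this only stops casual
    # navigation to the shell page; it does not authenticate anyone.
    location /shell-weak/ {
        valid_referers server_names;
        if ($invalid_referer) { return 403; }
        proxy_pass http://127.0.0.1:4200/;
    }

    # Stronger gate: decision based on the Web-UI session.
    # auth_request sends a subrequest (cookies included); the original
    # request is proxied only when the backend answers 2xx, and a 401/403
    # answer is returned to the client as-is.
    location /shell/ {
        auth_request /api/shell-auth;
        proxy_pass http://127.0.0.1:4200/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;
    }

    # Session check endpoint, reachable only through the subrequest.
    location = /api/shell-auth {
        internal;
        proxy_pass http://127.0.0.1:8000/api/shell-auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
}
```

auth_request requires nginx built with ngx_http_auth_request_module, and either gate only matters if shellinaboxd itself stays bound to localhost so port 4200 cannot be reached around the proxy.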

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 6, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 7, 2016

Added shellinaboxd service for issue #518
Actually not a configurable service
Possible custom config: shell colors (black-white
or white-black). Port customization not required
because shellinaboxd accessible via nginx proxy
only from localhost, so service port not exposed

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 7, 2016

@MFlyer

Member

MFlyer commented Jul 7, 2016

Hi all, on 5080e8f, 4b7abda, 24cd465 and a0cc630 got a nicely switchable Shellinaboxd service 😃

Customization

  • port customization not required because under nginx proxy (so no direct access)
  • css customization? Maybe! :)
  • access method (LOGIN or SSH) customization?? What do you think about that @schakrava @phillxnet (I'd prefer force only LOGIN more secure auth - that let only uid>1000 users to log + next su command)

Flyer

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 7, 2016

Added service switch capabilities directly on shell page #518
If service running user get shell
If service off user get bootstrap switch
If service switched on hide switch and render shell

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 7, 2016

@MFlyer

Member

MFlyer commented Jul 8, 2016

Note for developers / testers: found out that if you exit shell we get a
POST https://rockstone/shell/? 400 (Bad Request)

That's not Rockstor / implementation fault, just shellinabox not handling correctly chunked data

Flyer

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 8, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 14, 2016

Mods to shellinaboxd conf writing for #518
Default is connection from localhost only (under nginx)
no-beep to avoid known problems with FF and vlc plugin
ssl disabled cos already on our ssl
User free to choose between ssh and login connection
Important: sometimes shellinaboxd return !=0 codes
also if config ok and running, so avoided rc checks

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 14, 2016

Added shellinaboxd defaults vals on settings.py on #518
To @schakrava: shellinaboxd config file on first run was already
present in /conf/shellinaboxd.in (check on buildout) so this is
not really necessary (cos those 4 vals never change), but you're right
it's better and more well-ordered :)

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 14, 2016

Added new function to prep_db for #518
No way with settings because detach val to False (false not possible)
while service table requires a lowercase val of false/true
Coding on it would mess, while having just services_configs sounds ok:
One func define defaults services and default configs if present

@schakrava schakrava closed this in 57b10a8 Jul 14, 2016

@schakrava schakrava changed the title from Console access from the Web-UI to Support Console access from the Web-UI with Shell In a Box Nov 1, 2016
