FR: ensure that pam_mkhomedir works when used via Tailscale SSH #11854

Open
oxtoacart opened this issue Apr 23, 2024 · 4 comments
@oxtoacart
Contributor

oxtoacart commented Apr 23, 2024

What are you trying to do?

Connect to a Linux server from a VSCode client using Tailscale SSH. The Linux server has pam_mkhomedir configured and should automatically create the user's homedir with the start of the ssh session.

How should we solve this?

No response

What is the impact of not solving this?

No response

Anything else?

No response

@oxtoacart oxtoacart added needs-triage fr Feature request labels Apr 23, 2024
@oxtoacart oxtoacart self-assigned this Apr 23, 2024
oxtoacart added a commit that referenced this issue Apr 24, 2024
This works on more recent versions of Linux and has the
benefit of allowing PAM login actions to run.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Apr 25, 2024
This works on more recent versions of Linux and has the
benefit of allowing PAM login actions to run.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Apr 25, 2024
This works on more recent versions of Linux and has the
benefit of allowing PAM login actions to run.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Apr 26, 2024
This works on more recent versions of Linux and has the
benefit of allowing PAM login actions to run.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Apr 27, 2024
Adds basic integration tests for beIncubator that run on
- MacOS
- Ubuntu
- Fedora

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Apr 27, 2024
Adds basic integration tests for beIncubator that can run on:

  - MacOS
  - Ubuntu
  - Fedora

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue May 3, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir. Note - this does not apply to SFTP,
only shells and remotely executed commands.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
@oxtoacart
Contributor Author

oxtoacart commented May 3, 2024

This overlaps somewhat with #9395.

oxtoacart added a commit that referenced this issue May 16, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir. Note - this does not apply to SFTP,
only shells and remotely executed commands.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue May 28, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir. Note - this does not apply to SFTP,
only shells and remotely executed commands.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue May 29, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
@cshei

cshei commented Jun 12, 2024

FYI some of these changes appear to have removed some workarounds for Tailscale SSH on SELinux and it no longer works on a Fedora 40 host: #12442

chen8945 pushed a commit to Ckid-Home/tailscale that referenced this issue Jul 31, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir.

Updates tailscale#11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
@process

process commented Aug 6, 2024

Is there a way to try out the new su-based process starting? It seems my nodes are configured with NodeAttrSSHBehaviorV1 / --force-v1-behavior, which disables the use of su. I'm not sure how to disable that option.


I am hopeful this will solve some of the issues related to environment differences between OpenSSH and Tailscale SSH. We're trying to get /etc/environment available for commands. It works on a normal shell, but not when running as part of the ssh command. Other related issues are possibly #12080, and older issues like #5285 and #5715.

su will go through a PAM session start, which will set up various environmental variables, notably via pam_systemd.so. AFAICT, this must be done by a session leader, meaning the incubator has to exec it.

There is already createSession in incubator_linux.go, but I suspect there is something not working. If I run ssh myserver loginctl user-status, it does not list a typical session ID like I see when I do ssh myserver.
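
An added example, not part of the thread or Tailscale's code: because the su-based path discussed above opens the session through su's PAM stack, this script lists the `session` modules a PAM service actually loads, so you can check whether `pam_mkhomedir`, `pam_env` (which reads `/etc/environment`) or `pam_systemd` are reachable from `su`/`su-l` and not only from `sshd`. That the relevant services are `su` and `su-l` is an assumption, and the sample files are constructed in Debian style.

```shell
# Added example (not Tailscale code): list the modules in a PAM service's
# "session" stack, following "@include" (Debian) and "include"/"substack".
session_modules() {   # usage: session_modules PAM_DIR SERVICE [DEPTH]
    _dir=$1; _svc=$2; _depth=${3:-0}
    [ "$_depth" -lt 8 ] || return 0      # stop on include loops
    [ -r "$_dir/$_svc" ] || return 0
    # Drop comments and collapse a bracketed control such as
    # "[success=1 default=ignore]" so a line reads: type control module [args]
    sed -e 's/#.*//' -e 's/\[[^]]*\]/[]/' "$_dir/$_svc" |
    while read -r _type _ctl _mod _args; do
        case $_type in
            '') continue ;;
            @include) ( session_modules "$_dir" "$_ctl" $(($_depth + 1)) ); continue ;;
        esac
        [ "${_type#-}" = session ] || continue   # "-session" is a session line too
        case $_ctl in
            include|substack) ( session_modules "$_dir" "$_mod" $(($_depth + 1)) ) ;;
            *) if [ -n "$_mod" ]; then basename "$_mod"; fi ;;
        esac
    done
}

has_session_module() {   # usage: has_session_module PAM_DIR SERVICE MODULE
    for _m in $(session_modules "$1" "$2"); do
        [ "$_m" = "$3" ] && return 0
    done
    return 1
}

make_sample_pamd() {     # constructed Debian-style files, not from a real host
    mkdir -p "$1"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'session required pam_env.so readenv=1' \
        '@include common-session' > "$1/su"
    printf '%s\n' '#%PAM-1.0' 'auth include su' \
        'session optional pam_keyinit.so force revoke' \
        'session include su' > "$1/su-l"
    printf '%s\n' 'session [default=1] pam_permit.so' \
        'session required pam_unix.so' \
        '-session optional /lib/security/pam_systemd.so' > "$1/common-session"
    printf '%s\n' '@include common-session' \
        'session optional pam_mkhomedir.so umask=0077' > "$1/sshd"
}

d=$(mktemp -d) && make_sample_pamd "$d"
for svc in sshd su-l; do
    echo "$svc session stack:" $(session_modules "$d" "$svc")
done
rm -rf "$d"
```

On a server, run `session_modules /etc/pam.d su-l` (or `su`) to inspect the real stack; in the constructed sample, `pam_mkhomedir.so` appears only under `sshd`, so a session started through `su-l` would not create the home directory.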

oxtoacart added a commit that referenced this issue Aug 6, 2024
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
@oxtoacart
Contributor Author

@process I've opened a PR to allow enabling the new behavior via node attribute. I'll let you know once it's available on unstable.

oxtoacart added a commit that referenced this issue Aug 8, 2024
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Aug 16, 2024
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Aug 21, 2024
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
Asutorufa pushed a commit to Asutorufa/tailscale that referenced this issue Aug 23, 2024
This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir.

Updates tailscale#11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
oxtoacart added a commit that referenced this issue Aug 29, 2024
Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>