Implement cockpit tunnelling using system ssh #65

Merged
merged 2 commits into from Nov 15, 2021

adamruzicka
Contributor

No description provided.

@adamruzicka
Contributor Author

adamruzicka commented Oct 5, 2021

@mvollmer Hi, we're in the process of switching over from net/ssh to shelling out to the system's ssh binary. I took a stab at migrating the cockpit tunnelling bits. Could you please check if I'm not setting up some footguns with this?

@mvollmer
Contributor

(Oops, missed this. I'll check this out.)

@mvollmer
Contributor

@adamruzicka, this looks good to me. I would have to run it to find any bugs... :-)

The point of using net/ssh for this when this was written was to replicate the exact behavior of remote execution of batch commands. E.g., the Cockpit tunnel should use the exact same authentication parameters as batch rex. So if batch rex switches over to /bin/ssh and you have it all figured out there, then the Cockpit tunnel code should just do the same things regarding options and passwords, etc. In other words, don't try hard to preserve the current behavior, but try to keep it in synch with batch rex.

Thanks!

Member

@ares ares left a comment

Thanks @adamruzicka, good job on this one

@ares
Member

ares commented Dec 16, 2021

It seems like even with this, the cockpit session fails with an authentication error. It may be caused by something else, since a pure REX job seems to work. The target system is Fedora 35. It seems to work against Debian, however there it fails with an internal server error on the cockpit side. Debian has cockpit-system 239, Fedora 35 has 259.

@ares
Member

ares commented Dec 16, 2021

And the same on Fedora 34 (cockpit-system 255)

@ares
Member

ares commented Dec 16, 2021

And interestingly enough, the SSH connection seems to be successful based on the log from the target machine:

Dec 16 22:44:27 bart audit[240999]: CRYPTO_KEY_USER pid=240999 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=destroy kind=server fp=SHA256:ac:35:c8:45:99:9d:8c:f3:33:ad:21:59:96:1c:b5:56:1a:e8:6f:38:ec:71:56:9b:a9:7c:95:1c:06:b0:55:6d direction=? spid=240999 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: CRYPTO_SESSION pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=from-server cipher=aes256-gcm@openssh.com ksize=256 mac=<implicit> pfs=curve25519-sha256 spid=240999 suid=74 rport=39844 laddr=192.168.22.12 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: CRYPTO_SESSION pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=start direction=from-client cipher=aes256-gcm@openssh.com ksize=256 mac=<implicit> pfs=curve25519-sha256 spid=240999 suid=74 rport=39844 laddr=192.168.22.12 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: USER_AUTH pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=pubkey_auth grantors=auth-key acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: CRYPTO_KEY_USER pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=negotiate kind=auth-key fp=SHA256:d2:f1:69:06:95:32:73:d3:c8:9e:cb:70:76:5c:bf:23:d1:2b:ca:eb:6d:ef:04:91:75:f3:b9:f4:5c:6f:05:96 exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: USER_ACCT pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[240998]: CRYPTO_KEY_USER pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=destroy kind=session fp=? direction=both spid=240999 suid=74 rport=39844 laddr=192.168.22.12 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: CRED_ACQ pid=240998 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart systemd-logind[2910]: New session 19 of user root.
Dec 16 22:44:27 bart systemd[1]: Started Session 19 of User root.
Dec 16 22:44:27 bart audit[240998]: USER_START pid=240998 uid=0 auid=0 ses=19 subj=kernel msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[241001]: CRYPTO_KEY_USER pid=241001 uid=0 auid=0 ses=19 subj=kernel msg='op=destroy kind=server fp=SHA256:ac:35:c8:45:99:9d:8c:f3:33:ad:21:59:96:1c:b5:56:1a:e8:6f:38:ec:71:56:9b:a9:7c:95:1c:06:b0:55:6d direction=? spid=241001 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Dec 16 22:44:27 bart audit[241001]: CRED_ACQ pid=241001 uid=0 auid=0 ses=19 subj=kernel msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[240998]: USER_LOGIN pid=240998 uid=0 auid=0 ses=19 subj=kernel msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[240998]: USER_START pid=240998 uid=0 auid=0 ses=19 subj=kernel msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[240998]: CRYPTO_KEY_USER pid=240998 uid=0 auid=0 ses=19 subj=kernel msg='op=destroy kind=server fp=SHA256:ac:35:c8:45:99:9d:8c:f3:33:ad:21:59:96:1c:b5:56:1a:e8:6f:38:ec:71:56:9b:a9:7c:95:1c:06:b0:55:6d direction=? spid=241019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
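
An added example, not part of this PR or the project's code: a small parser that walks journal-formatted audit records like the ones in the log above and reports, per client address, which sshd login stages succeeded, so an authentication error seen further up the stack can be ruled in or out at the SSH layer. The function names are hypothetical, the sample records are abridged from the log above, and the failing record is constructed.

```python
import re
from collections import defaultdict

# Record types sshd emits, in order, for one incoming login.
STAGES = ("USER_AUTH", "USER_ACCT", "USER_START", "USER_LOGIN")
RECORD = re.compile(r"audit\[\d+\]: (?P<type>[A-Z_]+) (?P<body>.*)$")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")

# Records abridged from the log above, plus one constructed failure
# (192.0.2.10 is a documentation address, not from the page).
SAMPLE = """\
Dec 16 22:44:27 bart audit[240998]: USER_AUTH pid=240998 uid=0 msg='op=pubkey_auth grantors=auth-key acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=? res=success'
Dec 16 22:44:27 bart audit[240998]: USER_ACCT pid=240998 uid=0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart systemd-logind[2910]: New session 19 of user root.
Dec 16 22:44:27 bart audit[240998]: USER_START pid=240998 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=192.168.22.101 addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:27 bart audit[240998]: USER_LOGIN pid=240998 uid=0 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.22.101 terminal=ssh res=success'
Dec 16 22:44:30 bart audit[241100]: USER_AUTH pid=241100 uid=0 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
""".splitlines()

def parse_audit_line(line):
    """Return (record_type, fields) for an audit line, or None for other lines."""
    m = RECORD.search(line)
    if not m:
        return None  # e.g. systemd-logind or systemd lines
    # Fields inside msg='...' are flattened into the same dict as the outer ones.
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
    return m.group("type"), fields

def ssh_login_stages(lines):
    """Map client address -> {stage: result} for records emitted by sshd."""
    stages = defaultdict(dict)
    for line in lines:
        parsed = parse_audit_line(line)
        if not parsed:
            continue
        rtype, f = parsed
        if rtype in STAGES and f.get("exe") == "/usr/sbin/sshd":
            seen = stages[f.get("addr")]
            # A failure is sticky: a later success must not hide it.
            if seen.get(rtype) != "failed":
                seen[rtype] = f.get("res")
    return dict(stages)

def sshd_accepted(stages_for_addr):
    """True only if every login stage was recorded with res=success."""
    return all(stages_for_addr.get(s) == "success" for s in STAGES)
```
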

4 participants