Re: [9fans] Re: Fun with sshsession
> Steve,
> I'm glad to hear you got it sorted out. Now that our fall term is
> over, I can come up for air. But I didn't have much to add to
> your search anyway.

Hey Brian, no worries! I've just returned from an extended holiday break myself - I apologize for the delay in responding.

> About the only thing I've done with it since Geoff's clean-up
> was recently adding some new key exchange algorithms since
> OpenSSH no longer supports the original required KEX algorithms
> out of the box. The server side of things was always a little
> goofy. It does carry the fingerprints of being developed to
> allow customers to ssh into appliances that didn't share an
> auth server. I never got around to doing much aimed at making
> it natural for non-Plan 9 clients to log into a full Plan 9
> environment with ssh. There never seemed to be a lot of motivation
> because drawterm seemed to provide a better interface. The
> main exception would be using sam -r from a non-Plan 9 system.

To be honest, the current implementation does precisely what I need it to do - run an rc script from a non-Plan 9 host in the event of sudden power loss with no frills or embellishment. It's made life quite a bit nicer now that I've moved venti over to a BSD system in the rack.

> Not that any of that is relevant to the issue you ran into, but
> it might help provide a little context to anyone wondering how
> and why that implementation works the way it does.

That makes perfect sense. Thanks again for following up!

Cheers,
Steve

--
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Ta343100f1654631e-M6a73b3009434678954355ff0
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription

Re: [9fans] Re: Fun with sshsession
On Thu, Dec 08, 2022 at 06:06:21PM -0600, Steven Stallion wrote:
> > I found another interesting wrinkle. It appears this issue seems to
> > only affect diskless CPU servers. I'm able to SSH successfully to my
> > auth and file servers.
>
> Mystery solved! It turns out this was the same issue Cinap fixed in
> auth/as last year. sshsession was inheriting the host owner factotum
> after capuse, which was leading to breakage on hosts other than the
> file server.

Steve,

I'm glad to hear you got it sorted out. Now that our fall term is over, I can come up for air. But I didn't have much to add to your search anyway.

About the only thing I've done with it since Geoff's clean-up was recently adding some new key exchange algorithms since OpenSSH no longer supports the original required KEX algorithms out of the box. The server side of things was always a little goofy. It does carry the fingerprints of being developed to allow customers to ssh into appliances that didn't share an auth server. I never got around to doing much aimed at making it natural for non-Plan 9 clients to log into a full Plan 9 environment with ssh. There never seemed to be a lot of motivation because drawterm seemed to provide a better interface. The main exception would be using sam -r from a non-Plan 9 system.

In the end, it ended up being a perfect example of an implementation influenced by lots of "here's something cool that could be done with it" ideas. But then pretty much none of the cool capabilities ever got used. I do still use the client functionality a lot from a Pi 400 running a slightly enhanced copy of Richard's Pi image in the classroom talking to my BSD laptop and the department's Linux cluster.

Not that any of that is relevant to the issue you ran into, but it might help provide a little context to anyone wondering how and why that implementation works the way it does.

BLS

[9fans] Re: Fun with sshsession
> I found another interesting wrinkle. It appears this issue seems to
> only affect diskless CPU servers. I'm able to SSH successfully to my
> auth and file servers.

Mystery solved! It turns out this was the same issue Cinap fixed in auth/as last year. sshsession was inheriting the host owner factotum after capuse, which was leading to breakage on hosts other than the file server.

I've attached (and submitted to 9legacy) a patch to address the issue in the Labs implementation. To wit, I was able to duplicate this issue on every implementation of SSH v2 that's available.

Cheers,
Steve

This patch corrects non-host owner filesystem permissions in sshsession. Prior to these changes, SSH sessions would inherit the host owner factotum, which led to incorrect permissions on hosts other than the file server.

These changes are similar to those submitted by Cinap Lenrek to address a related issue in auth/as:

https://git.9front.org/plan9front/plan9front/55a0abdd439964793a5ebceb23776d162a0436d2/patch

--- /n/sources/plan9/sys/src/cmd/ssh2/sshsession.c Sun May 6 14:55:41 2012 +++ /sys/src/cmd/ssh2/sshsession.c Thu Dec 8 17:14:10 2022 @@ -89,6 +89,27 @@ } /* + * mount factotum after auth + */ +static void +mountfactotum(int ctlfd) +{ + int fd; + + fd = open("/srv/factotum", ORDWR); + if (fd < 0) { + syslog(0, "ssh", "can't open /srv/factotum: %r"); + hangup(ctlfd); + exits("open"); + } + if (mount(fd, -1, "/mnt", MREPL, "") < 0) { + syslog(0, "ssh", "can't mount /srv/factotum in /mnt: %r"); + hangup(ctlfd); + exits("can't mount"); + } +} + +/* * mount tunnel if there isn't one visible. */ static void @@ -135,6 +156,7 @@ return 0; auth(buf, n, ctlfd); + mountfactotum(ctlfd); p = strchr(buf, '@'); if (p == nil)
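
Review bot: in the first hunk, mountfactotum() mounts with MREPL on "/mnt", which replaces whatever is already visible at /mnt in the session's namespace instead of adding factotum to it. If the session is expected to see anything else under /mnt, MBEFORE would keep it reachable; if replacing is intended, the comment should say so. The comment "mount factotum after auth" also gives no reason for the remount (the inherited host owner factotum described in the commit message), and one sentence on that would help the next reader. Minor style point: the two failure paths use different exit strings, exits("open") and exits("can't mount").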
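
Review bot: in the second hunk, mountfactotum(ctlfd) runs unconditionally right after auth(buf, n, ctlfd), and the visible context does not check any result from auth(). That ordering is only safe if auth() never returns on failure; please confirm this or add a comment stating it, since otherwise the factotum mount would also happen for a session that did not authenticate.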
Re: [9fans] Re: Fun with sshsession
That's fantastic. I'll give this a spin - thanks so much!

On Wed, Dec 7, 2022 at 12:40 PM michaelian ennis wrote:
>
> The last thing fixed before Coraid shut down was permitting more than
> a single exec on an open channel. Bruce Wong fixed it.
>
> Ian
>
> On Wed, Dec 7, 2022 at 9:37 AM Steven Stallion wrote:
> > > Has anyone on the list gotten sshsession up and running supporting
> > > non-host owner logins?
> >
> > I found another interesting wrinkle. It appears this issue seems to
> > only affect diskless CPU servers. I'm able to SSH successfully to my
> > auth and file servers.
> >
> > Cheers,
> > Steve
> >

Re: [9fans] Re: Fun with sshsession
The last thing fixed before Coraid shut down was permitting more than a single exec on an open channel. Bruce Wong fixed it.

Ian

On Wed, Dec 7, 2022 at 9:37 AM Steven Stallion wrote:
> > Has anyone on the list gotten sshsession up and running supporting
> > non-host owner logins?
>
> I found another interesting wrinkle. It appears this issue seems to
> only affect diskless CPU servers. I'm able to SSH successfully to my
> auth and file servers.
>
> Cheers,
> Steve
>

[9fans] Re: Fun with sshsession
> Has anyone on the list gotten sshsession up and running supporting
> non-host owner logins?

I found another interesting wrinkle. It appears this issue seems to only affect diskless CPU servers. I'm able to SSH successfully to my auth and file servers.

Cheers,
Steve