#bastion (2021-01)

https://github.com/cloudposse/bastion

Discuss cloudposse/bastion

2021-01-20

2021-01-13

Bill Clark

Agreed. I struggled with changing methods years ago when I deployed a fanout dirxml driver for Novell Idm. Teleport I will have to check it out.

2021-01-12

Bill Clark

@Erik Osterman (Cloud Posse) Can you confirm what these should be set to?

***Are these settings in gak.env absolutely necessary and/or do they truly relate back to github? In my case I created an organization on github called sl-dtc-cas***
GITHUB_API_TOKEN=****************
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/usr/bin/sudosh
SYNC_USERS_ROOT=/
SYNC_USERS_INTERVAL=60
ETCD_ENDPOINT=http://etcd:2379
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=false
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"

Bill Clark

compose ➤ docker logs compose_gak_1 git:master*
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4**********62d52","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s***s","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - **","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://etcd:2379]","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /usr/bin/sudosh","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 60 seconds","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - false","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-12T22:03:55Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-12T22:03:55Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:03:55Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T22:03:55Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.

  • using env: export GIN_MODE=release
  • using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:04:55Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:05:56Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:06:57Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:07:58Z"}
[GIN] 2021/01/12 - 2252 | 404 | 1.1µs | 172.22.0.1 | GET /
[GIN] 2021/01/12 - 2252 | 404 | 600ns | 172.22.0.1 | GET /favicon.ico

Bill Clark

I'm starting to think that the username being cut off is some display glitch or ls bug. The problem is that the authorized_keys file is not being placed in /home/slalombclark/

Bill Clark

The only other issue I could identify was with the files under ../compose/scripts: those three scripts did not have execute permissions and the #! path to bash was wrong. It was set to /bin/bash and my host system has bash under /usr/bin/bash. So I changed those, but still no improvement…

Bill Clark

The compose_bastion_1 container exits and the compose_gak_1 container has these logs:

scripts ➤ docker logs compose_gak_1 git:master*
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4**********62d52","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s**s","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - ***","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://etcd:2379]","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /usr/bin/sudosh","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 60 seconds","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - false","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-12T23:15:14Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-12T23:15:14Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/sudosh -u 500 slalombclark]","time":"2021-01-12T23:15:15Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-12T23:15:15Z"}
Created user slalombclark
Added user slalombclark to group sudo
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T23:15:15Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.

  • using env: export GIN_MODE=release
  • using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301

Bill Clark

I fixed the compose_bastion_1 issues. Turns out the bash path needed to stay what it was. No errors there now. Now to determine why the authorized_keys file does not get put in my /home dir…

Bill Clark

{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/sudosh -u 500 slalombclark]","time":"2021-01-12T23:28:35Z"}
Created user slalombclark
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-12T23:28:35Z"}
Added user slalombclark to group sudo
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T23:28:35Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.

  • using env: export GIN_MODE=release
  • using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
{"job":"syncUsers","level":"debug","msg":"User slalombclark exists - skip creation","subsystem":"jobs","time":"2021-01-12T23:29:36Z"}

Bill Clark

OK, interesting development. I did create a group called ssh in my github and I added another email/user to the group. I noticed in the logs now it only creates one user and, interestingly enough, even though the env variable in gak.env reads SYNC_USERS_GID=500, the error I can see states adduser: uid '500' in use. What is going on? Is there some sort of UID/GID mixup happening?

Bill Clark

{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-13T01:02:49Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/bash -u 500 hellrotbill]","time":"2021-01-13T01:02:50Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-13T01:02:50Z"}
Created user hellrotbill
Added user hellrotbill to group sudo
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/bash -u 500 slalombclark]","time":"2021-01-13T01:02:50Z"}
adduser: uid '500' in use <--------------------------------

{"job":"syncUsers","level":"error","msg":"exit status 1","subsystem":"jobs","time":"2021-01-13T01:02:50Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-13T01:02:50Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.

  • using env: export GIN_MODE=release
  • using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301

=============================================================

[email protected]:~/Projects/bastion/examples/compose$ cat gak.env
GITHUB_API_TOKEN=*************
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500 <------------------------------
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/usr/bin/bash
SYNC_USERS_ROOT=/
SYNC_USERS_INTERVAL=60
ETCD_ENDPOINT=http://etcd:2379
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=false
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"

Bill Clark

There are numerous problems with the gak.env file. I looked at the settings over in github-authorized-keys and the etcd_endpoint port numbers are transposed. I also stripped out the bad flag of -g in the LINUX_USER_ADD_WITH_GID_TPL. Still there are errors, and now it won't create the users in /etc/passwd /etc/group. But it's also troublesome that there are errors with the /etc/ssh/sshd_config file not being found. I need more understanding of how these environment variables are passed around and the dependencies…

Bill Clark

Here is where I left things. I will post the entries in gak.env and bastion.env and then the logs of each container. #bastion

Bill Clark

[email protected]:~/Projects/bastion/examples/compose$ cat gak.env
GITHUB_API_TOKEN=7cd*******d52
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/bin/bash
SYNC_USERS_ROOT=/host
SYNC_USERS_INTERVAL=300
ETCD_ENDPOINT=http://localhost:2739
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=true
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup -g {gid} {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"

[email protected]:~/Projects/bastion/examples/compose$ cat bastion.env
API_URL=http://gak:301/user/%s/authorized_keys
MFA_PROVIDER=google-authenticator
SLACK_ENABLED=true
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T01J4J3QE3X/B01J4KK8*************
SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
LOGLEVEL=DEBUG

Bill Clark

[email protected]:~/Projects/bastion/examples/compose$ docker logs compose_etcd_1
2021-01-13 0232.819816 I | etcdmain: etcd Version: 2.3.7
2021-01-13 0232.819876 I | etcdmain: Git SHA: fd17c91
2021-01-13 0232.819886 I | etcdmain: Go Version: go1.6.2
2021-01-13 0232.819889 I | etcdmain: Go OS/Arch: linux/amd64
2021-01-13 0232.819893 I | etcdmain: setting maximum number of CPUs to 8, total number of available CPUs is 8
2021-01-13 0232.819896 W | etcdmain: no data-dir provided, using default data-dir ./default.etcd
2021-01-13 0232.820493 I | etcdmain: listening for peers on http://localhost:2380
2021-01-13 0232.820590 I | etcdmain: listening for peers on http://localhost:7001
2021-01-13 0232.820670 I | etcdmain: listening for client requests on http://0.0.0.0:2379
2021-01-13 0232.820727 I | etcdmain: listening for client requests on http://0.0.0.0:4001
2021-01-13 0232.821258 I | etcdserver: name = default
2021-01-13 0232.821282 I | etcdserver: data dir = default.etcd
2021-01-13 0232.821287 I | etcdserver: member dir = default.etcd/member
2021-01-13 0232.821290 I | etcdserver: heartbeat = 100ms
2021-01-13 0232.821293 I | etcdserver: election = 1000ms
2021-01-13 0232.821296 I | etcdserver: snapshot count = 10000
2021-01-13 0232.821302 I | etcdserver: advertise client URLs = http://0.0.0.0:2379,http://0.0.0.0:4001
2021-01-13 0232.821306 I | etcdserver: initial advertise peer URLs = http://localhost:2380,http://localhost:7001
2021-01-13 0232.821318 I | etcdserver: initial cluster = default=http://localhost:2380,default=http://localhost:7001
2021-01-13 0232.823548 I | etcdserver: starting member ce2a822cea30bfca in cluster 7e27652122e8b2ae
2021-01-13 0232.823594 I | raft: ce2a822cea30bfca became follower at term 0
2021-01-13 0232.823602 I | raft: newRaft ce2a822cea30bfca [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
2021-01-13 0232.823606 I | raft: ce2a822cea30bfca became follower at term 1
2021-01-13 0232.824099 I | etcdserver: starting server... [version: 2.3.7, cluster version: to_be_decided]
2021-01-13 0232.824971 N | etcdserver: added local member ce2a822cea30bfca [http://localhost:2380 http://localhost:7001] to cluster 7e27652122e8b2ae
2021-01-13 0233.224279 I | raft: ce2a822cea30bfca is starting a new election at term 1
2021-01-13 0233.224381 I | raft: ce2a822cea30bfca became candidate at term 2
2021-01-13 0233.224387 I | raft: ce2a822cea30bfca received vote from ce2a822cea30bfca at term 2
2021-01-13 0233.224395 I | raft: ce2a822cea30bfca became leader at term 2
2021-01-13 0233.224400 I | raft: raft.node: ce2a822cea30bfca elected leader ce2a822cea30bfca at term 2
2021-01-13 0233.224904 I | etcdserver: published {Name:default ClientURLs:[http://0.0.0.0:2379 http://0.0.0.0:4001]} to cluster 7e27652122e8b2ae
2021-01-13 0233.224983 I | etcdserver: setting up the initial cluster version to 2.3
2021-01-13 0233.226985 N | etcdserver: set the initial cluster version to 2.3

Bill Clark

Initializing duo
Initializing enforcer
  • Enabling Enforcer
  • Enabling Clean Home
Initializing google-authenticator
  • Enabling Google Authenticator MFA
Initializing hostname
Initializing rate-limit
  • Enabling Rate Limits
  • Users will be locked for 300s after 5 failed logins
  • Fail delay of 3000000 micro-seconds
Initializing secure-proc
  • Locking down /proc
Initializing slack
  • Enabling Slack Notifications
Initializing ssh-api-url
  • Setting SSH Authorized Keys API URL
Initializing ssh-audit
  • Enabling SSH Audit Logs
Initializing ssh-authorized-keys-command
  • Enabling SSH Authorized Keys Command
Initializing ssh-host-key
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:VrbNLba/MRTcZPZ5sfOni0EsKOMR/oWrvvGDvRWu+68 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| .+|
| . ==|
| . o o++|
| . . = = . .+|
| = S = B o o|
| . * + = + ..|
| ooo o o + |
| .+oo + + |
| .+.==Eoo +. |
+----[SHA256]-----+
Initializing ssh-log-level
  • Setting SSH LogLevel to DEBUG
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

Erik Osterman (Cloud Posse)

Please use markdown or snippets. It’s very hard to read these pastes.

Bill Clark

Oh I see. Like this

Erik Osterman (Cloud Posse)

Aha… hrmm… WSL. Haven’t spent much time with that.

Bill Clark

I find WSL2 to be my happy compromise. Otherwise I would probably be in Ubuntu with WINE to use all our MS corporate tools. Now I understand the etiquette in slack. Sorry, they make me stay in Teams primarily.

Bill Clark

[email protected]:~/Projects/bastion/examples/compose$ docker logs compose_gak_1
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4**********62d52","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s***s","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - **","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://localhost:2739]","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /bin/bash","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /host","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 300 seconds","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - true","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:15:35Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:15:35Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Run ssh integration job on start","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsure","msg":"File /usr/bin/github-authorized-keys not found","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsure","msg":"Can not read file /usr/bin/github-authorized-keys","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure exec mode for file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommand line in sshd_config","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsureLineMatch","msg":"File /etc/ssh/sshd_config not fould","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommandUser line in sshd_config","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsureLineMatch","msg":"File /etc/ssh/sshd_config not fould","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Restart ssh","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [echo "sshd restart"]","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Output: ","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"error","msg":"Error: fork/exec /bin/echo: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-13T02:15:35Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.

  • using env: export GIN_MODE=release
  • using code: gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
[GIN] 2021/01/13 - 0216 | 404 | 800ns | 192.168.112.1 | GET /
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:20:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:20:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:20:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:20:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:25:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:25:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}

Bill Clark

Thinking I have been doing this all wrong. Perhaps I should be doing everything from build-harness first?

Erik Osterman (Cloud Posse)

Hey @ - so sorry that you’re struggling through this. We’re not actively using this project as we moved to Teleport https://github.com/gravitational/teleport

Erik Osterman (Cloud Posse)

The docker composition was provided by someone else in the community.

Erik Osterman (Cloud Posse)
 {"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}

this indicates that the configuration does not match the linux distro

Erik Osterman (Cloud Posse)

what makes it hard (and why there are so many environment variables) is that every linux distro seemingly has a different adduser command that takes different arguments in different orders.

Erik Osterman (Cloud Posse)

Modify the command templates relative to the linux distro: https://github.com/cloudposse/github-authorized-keys#command-templates

2021-01-11

Erik Osterman (Cloud Posse)

So a few things to look for:

  • check the output of the container and see if there's any meaningful logs coming from github-authorized-keys
  • check /etc/passwd on the container to see if the user was added
  • check /home/ to see if the user directory was created and that the authorized_keys file is there

Bill Clark

I just realized that I could use the docker dashboard to get in with the CLI. Sorry, I'm a bit of a docker newbie. Anyhow, there was nothing in /etc/passwd/ or /home. I pasted the output of the docker logs on that compose_gak_1 container. I notice it does mention in the syncUsers error: no such team name or id could be found

Bill Clark

I'm getting closer. Went back to Github and created a team called team1 and adjusted the settings. Now the user is created in /etc/passwd and the homedir is created. However, it did not create the authorized_keys file.

Bill Clark

I noticed the home directory ownership is incorrect. It cuts off the owner:group… instead of reading slalombclark it reads slalombc slalombc

2021-01-07

Bill Clark

I followed the docker-compose directions to build bastion and keep getting ssh permission denied (public key). I tested that key and it works with github. My SSH output is:

compose ➤ ssh -v -i ~/.ssh/id_rsa [email protected] -p 1234 git:master*
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 1234.
debug1: Connection established.
debug1: identity file /home/wclark/.ssh/id_rsa type 0
debug1: identity file /home/wclark/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:1234 as 'slalombclark'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:w/R+luyZE7cMpit14QWtF1eB56G3/u1UmER0GQ1Yb6g
debug1: Host '[localhost]:1234' is known and matches the RSA host key.
debug1: Found key in /home/wclark/.ssh/known_hosts:11
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/wclark/.ssh/id_rsa RSA SHA256:mvcoDfIzCExUx6PLA6cWsUsRiXQNYpWK9S9tmQoQqoI explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/wclark/.ssh/id_rsa RSA SHA256:mvcoDfIzCExUx6PLA6cWsUsRiXQNYpWK9S9tmQoQqoI explicit agent
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

Bill Clark

the gak github-authorized-keys piece is a mystery to me…

Bill Clark

ok, a possible documentation interpretation problem. When I look at the github-authorized-keys project, the GITHUB_TEAM=ssh / the bastion examples do not go into detail on that, and so I would think I need to have a github team under my org and name it there. I have tried both to no avail…

Bill Clark

The other odd thing is the Host key verification failing when I try to auth to the bastion docker. Why would it look at my home dir known_hosts file? I thought the docker image was using the github-authorized-keys api method. #bastion @ confused…

Bill Clark

I like the bastion and github-authorized-keys concepts. But no idea how to debug these
