IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 12 June 2019   (all times are UTC)

00:22dsjii has left IRC (dsjii!~david@2600:380:a035:2b15:68db:caff:fe86:8f41, Ping timeout: 248 seconds)
01:02vagrantc has left IRC (vagrantc!~vagrant@unaffiliated/vagrantc, Quit: leaving)
03:50Sleaker has left IRC (Sleaker!quasselcor@2604:880:a:7::e1b, Ping timeout: 248 seconds)
03:52Sleaker has joined IRC (Sleaker!quasselcor@2604:880:a:7::e1b)
04:34kjackal has joined IRC (kjackal!~quassel@2a02:587:3105:3300:d0a7:2240:510:3d60)
05:04alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Ping timeout: 245 seconds)
07:01alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg)
07:04woernie has joined IRC (woernie!~werner@p5B29636A.dip0.t-ipconnect.de)
07:20stellasolitaria has joined IRC (stellasolitaria!~jhonny5@159.213.93.166)
07:27statler has joined IRC (statler!~Georg@gwrz3.lohn24.de)
07:56ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
08:35
<alkisg>
Hmm, if an ltsp user opens a terminal and runs `su - another-user`, and he knows the password, do we want to mount /home/another-user via sshfs etc, or prohibit that? I'd go with allow...
10:08GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
11:54Faith has joined IRC (Faith!~Paty_@unaffiliated/faith)
12:01dsjii has joined IRC (dsjii!~david@2600:380:a035:2b15:68db:caff:fe86:8f41)
12:19dsjii has left IRC (dsjii!~david@2600:380:a035:2b15:68db:caff:fe86:8f41)
13:02ogra has joined IRC (ogra!~ogra@216.113.24.68)
13:02ogra is now known as Guest43551
13:03Guest43551 has left IRC (Guest43551!~ogra@216.113.24.68)
13:05ogra has joined IRC (ogra!~ogra@ubuntu/member/ogra)
13:10stellasolitaria has left IRC (stellasolitaria!~jhonny5@159.213.93.166, Ping timeout: 248 seconds)
13:27mgariepy has left IRC (mgariepy!~mgariepy@ubuntu/member/mgariepy, Remote host closed the connection)
13:29mgariepy has joined IRC (mgariepy!~mgariepy@ubuntu/member/mgariepy)
14:17ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
14:17kjackal has left IRC (kjackal!~quassel@2a02:587:3105:3300:d0a7:2240:510:3d60, Remote host closed the connection)
15:06kjackal has joined IRC (kjackal!~quassel@2a02:587:3105:3300:d0a7:2240:510:3d60)
15:14vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)
15:23
<alkisg>
vagrantc: heya, if an ltsp user opens a terminal and runs `su - another-user`, and he knows the password, do we want to mount /home/another-user via sshfs etc, or prohibit that? I'd go with allow...
15:25
<vagrantc>
in the vein of "a user shouldn't notice any difference when running ltsp as on a regular desktop" it makes sense
15:25
<alkisg>
Nice, doing so :)
15:25
<vagrantc>
shadow is still just on the server in this case?
15:26
<alkisg>
Yes
15:26* vagrantc gets a little nervous with propagation of groups like sudo
15:26
<alkisg>
Btw I'll disconnect sshfs from pam close events, when/if no user instance is logged in
15:26
<vagrantc>
nice!
15:27
<alkisg>
By putting pam_unix above pam_ssh, local or remote users are allowed to login; tested from su -, login, lightdm, and gdm
15:28
<vagrantc>
nice
15:28
<alkisg>
*I mean pam_exec ltsp_ssh etc there, of course
15:33
Btw, if root does `su - user`, there's no authentication, so sshfs won't mount etc
15:33
We'll just document that part
15:33
<vagrantc>
oh, that's odd
15:34
<alkisg>
It's perfect for us, as we don't have a password there for sshfs anyway
15:34
We don't lose any functionality that we wouldn't be able to have anyway
15:34
<vagrantc>
su -c 'su - user' - user
15:34
or something like that :)
15:35
<alkisg>
Or sudo
15:35
Or login user
15:35
<vagrantc>
sudo works, just not su?
15:35
<alkisg>
*sudo from root to user again doesn't ask for pass
15:35
Anything that doesn't ask for a pass, won't call us; but even if it did, we wouldn't have a pass, so we wouldn't be able to mount sshfs
15:36
<vagrantc>
right
15:36
<alkisg>
OK, biking time, later! :)
15:36* vagrantc waves
16:03
<quinox>
a keyfile also falls in that category
16:03
<vagrantc>
does it allow you to re-use the key?
16:04
<quinox>
your code isn't even triggered
16:05
at least in the normal setup, perhaps you can put your own stuff waaaay up high in the chain
16:08
yeah no it's openssh which doesn't even trigger PAM, but apparently there's an option `AuthenticationMethods` that you can set it `/etc/ssh/sshd_config` to still trigger PAM
16:09
https://www.privacyidea.org/ssh-keys-and-otp-really-strong-two-factor-authentication/
16:09
I ran into that when I rolled out 2FA - keyfiles bypassed it cleanly
16:10
no idea how to deal with that in your PAM module though, how to know that openssh already accepted the keyfile
16:11
<vagrantc>
documentation is how
16:14statler has left IRC (statler!~Georg@gwrz3.lohn24.de, Remote host closed the connection)
16:17
<quinox>
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04 looks like a better explanation
16:23ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
16:24
<quinox>
PAM is fun to play with, real flexible
16:26mgariepy_ has left IRC (mgariepy_!~mgariepy@styx-204.ccs.usherbrooke.ca, Quit: Leaving)
16:28jgee has left IRC (jgee!~jgee@190.159.118.121, Quit: Ping timeout (120 seconds))
16:28jgee has joined IRC (jgee!~jgee@190.159.118.121)
16:30quentinb has joined IRC (quentinb!66a55e06@gateway/web/freenode/ip.102.165.94.6)
16:37quentinb has left IRC (quentinb!66a55e06@gateway/web/freenode/ip.102.165.94.6, Ping timeout: 256 seconds)
17:04
<||cw>
as long as you don't keep your ssh key on the same device as your token generator...
17:35
<alkisg>
Meh. user@client:/tmp$ sshfs user@server: /home/user ==> fails because ssh wants to generate ~/.ssh at the same time when sshfs tries to mount it
17:36josefig has left IRC (josefig!~josefig@unaffiliated/josefig, Quit: Ping timeout (120 seconds))
17:36
<alkisg>
It doesn't even respect HOME=/tmp/ltsp; it just reads the home dir from /etc/passwd
17:36josefig has joined IRC (josefig!~josefig@unaffiliated/josefig)
17:36* alkisg smells a bad hack brewing there...
17:49
<alkisg>
ssh/session.c => /* Change current directory to the user's home directory. */ if (chdir(pw->pw_dir) < 0) { ==> Meh
17:50
We'll need either a bad hack with temporarily changing the home dir in passwd, or to run the mount command as root, and lose the ability to run things via the same socket
17:52
...maybe mount --move will work too
18:52
<||cw>
if the server's signature is in the global known hosts does it still generate .ssh?
18:53
<alkisg>
Yes
18:53
The problem isn't .ssh though, it's the "cd to home dir"
18:53
So the home dir is in use, and can't be used as a mount point
18:53
mount --move doesn't work
18:53
So at this point, and until/if ssh accepts this to be a bug, patching /etc/passwd is the only workaround I found
18:54
<||cw>
oh, sshfs calls an openssh function that does a chdir... I see. that seems like a poor design on ssh's part
18:54
<vagrantc>
even if it's considered a bug ... would take a while to get new versions out in the world...
18:54
<||cw>
yeah. a long while
18:55
unless there's some way to use that behavior as an exploit....
18:55
<vagrantc>
heh
18:56
<alkisg>
I'm ok with hackish workarounds for a couple of years
18:58
<vagrantc>
isn't there a way to get sshfs to mount on top of a directory in use?
18:59
<||cw>
nonempty is the standard option for that
19:00
<vagrantc>
or use pam_chroot to chroot into the "new" mount
19:01
libpam-chroot probably isn't widely installed...
19:23* alkisg thinks he'll just run the sshfs command as root, and lose the ability to spawn commands on the server... or, do a second socket reusing the password, if needed
19:23
<vagrantc>
the second socket seems like the best bet
19:24
<alkisg>
We're not supporting remoteapps yet anyway... maybe I'll just postpone it until (if) we ever do
19:24
<vagrantc>
true
19:24adrianor1 has joined IRC (adrianor1!~adrianorg@177.134.58.176)
19:24
<alkisg>
E.g. "invoke remote password program" => not sure how that would work on wayland
19:27adrianorg has left IRC (adrianorg!~adrianorg@177.18.50.202, Ping timeout: 248 seconds)
19:28
<alkisg>
Hmm maybe it's not the chdir part but this: https://askubuntu.com/questions/292312/cannot-sshfs-mount-user-home-directory
19:31
<vagrantc>
that looks like a promising answer ...
19:32
<alkisg>
Unless my test was wrong, that DID it :)
19:32
<vagrantc>
just disabling all the things that check in ~/.ssh ?
19:32
<alkisg>
Yes; I'll try to fine-tune it, as we're using global known_hosts anyway
19:33
<||cw>
-F /dev/null ?
19:36
<alkisg>
That's the minimal I could get: sshfs ltsp@10.161.254.11: ~/ -o nonempty -F /dev/null -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o IdentityFile=/dev/null
19:39
<vagrantc>
actually, do you even need nonempty?
19:39
or does /etc/skel populate the homedir with cruft?
19:42
<alkisg>
vagrantc: in case there's a local home dir already present, and we want to mask it
19:43
or, in case left over processes did leave junk there :D
19:43
like they currently do with ltsp5 :P
19:44* vagrantc nods
19:44
<alkisg>
It works without nonempty though
19:45
Yey, yet another blocker bypassed :)
19:45
Again no known blockers ahead, until the next one is discovered :P
19:50
Eh and since we'll use UserKnownHostsFile, there's no need to touch the global one, we can use UserKnownHostsFile=/run/ltsp/...
20:01
smallest: sshfs ltsp@server: ~/ -F /dev/null -o UserKnownHostsFile=/dev/null -o IdentityFile=/dev/null
20:10
<vagrantc>
isn't UserKnownHostsFile user-editable, though?
20:11
can pass GlobalKnownHosts instead
20:11
if you don't want to touch /etc/ssh/ssh_known_hosts
20:14
er, GlobalKnownHostsFile
20:15
alkisg: at any rate, thumbs up yet again for working through another surprise :)
20:23vagrantc has left IRC (vagrantc!~vagrant@unaffiliated/vagrantc, Quit: leaving)
20:25woernie has left IRC (woernie!~werner@p5B29636A.dip0.t-ipconnect.de, Remote host closed the connection)
20:27kjackal has left IRC (kjackal!~quassel@2a02:587:3105:3300:d0a7:2240:510:3d60, Ping timeout: 258 seconds)
20:34ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
20:39Faith has left IRC (Faith!~Paty_@unaffiliated/faith, Quit: Leaving)
21:18ogra has left IRC (ogra!~ogra@ubuntu/member/ogra, Ping timeout: 248 seconds)
23:57vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)