SSH experiences / braindump #659
Description
So this issue is a bit of a mess but I needed a way to record some strange things I noticed while preparing materials for a xenon tutorial https://github.com/xenon-middleware/xenon-tutorial/tree/2b00c8d7625cf2966fdfe7c3e2aaeb6046fd7823. With the below items, we at least have concrete things to follow up on. From this collection, we should probably spawn new, singular issues.
-
ssh config options not used xenon-docker-image's Dockerfile because ssh(d) uses the first option it finds in a file even when there are repeated entries, and we
echooptions at the bottom. E.g. https://github.com/xenon-middleware/xenon-docker-images/blob/a87f1ef876055e19cedcccf4bae4012db2953258/slurm-ssh/Dockerfile#L10-L13. I'd prefer to copy a completessh_configfile from the Docker context anyway, that way it's easier to see what the options are. Example setup here https://github.com/xenon-middleware/xenon-tutorial/tree/ed69661cdc7125ea15863fa2360fb8fd23309d10/containers -
docker images for client side and server side, should be separate. e.g.
slurm-sshshould be server side since it is a parent to all slurm images, but then the Dockerfile also has https://github.com/xenon-middleware/xenon-docker-images/blob/a87f1ef876055e19cedcccf4bae4012db2953258/slurm-ssh/Dockerfile#L10-L13 -
ssh client docker image should have different configurations, for example
- with wrong permissions on directories, xenon should complain
- with and without a ~/.ssh directory
- with and without a ~/.ssh/config file
- with various options in ~/.ssh/config, such as
- hashKnownHosts
- strictHostKeyChecking
- with and without a
known_hostsfile - with a
known_hostsfile, with various types of entries in there
-
Xenon does not respect certain combinations of configuration parameters, specifically when inpuit argument
knownHostsisfalse(see Notes xenon-tutorial#122), so by settingknownHoststofalseI can disobey input parameterstricHostCheck -
my
sshunderstandsstrictHostKeyChecking=ask, xenon doesn't -
in xenon, the config state is not assembled correctly from system config, user config, command line config
-
in xenon, you can't ask xenon what it thinks the current config state is, like you can with
ssh -G xenon@localhostandsshd -T -
in xenon, there is no way to control fallback behavior. ssh first tries public-private key, then interactive, then username-password (or something) this makes it more difficult to know that something is not working, and more difficult what is going wrong if you realize that something is going wrong
-
rethink options in
SSHUtilxenon/src/main/java/nl/esciencecenter/xenon/adaptors/shared/ssh/SSHUtil.java
Lines 187 to 188 in c24fba2
useAgentForwardingis not used and only in the waystricHostChecktypo plus should bestrictHostKeyCheckingstricHostCheckoption is unused if I setuseKnownHostsfalseloadSSHConfigambiguous which SSHConfig you're talking about: system, user, commandline, or the combination of these
-
xenon-docker-images have multiple key pairs, would be better to have one per image, then you know how you got inside a container, or if it doesn't work, you know why (see https://github.com/xenon-middleware/xenon-docker-images/tree/07db6c0f12621e51bd109a5325fe08b1c0e9123f/slurm-ssh/.ssh)
-
docker images client side ssh has
authorized_keyslike https://github.com/xenon-middleware/xenon-docker-images/blob/a87f1ef876055e19cedcccf4bae4012db2953258/slurm-ssh/Dockerfile#L27, not sure that's needed if it is only client -
xenon docker images (
slurm:17image): not sure what the value ofPasswordAuthenticationis):from ``/etc/ssh/sshd_config`` # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value.and
#PasswordAuthentication noseems to suggest password authentication is disabled by default. Stands to reason, since it
is not as secure as keypairs. However, if I dosshd -T, I see
passwordauthentication yes. Not sure where that's coming from.