bastion (Archived)
29 messages
Discuss cloudposse/bastion
Bill Clarkabout 5 years ago
I followed the docker-compose directions to build bastion and keep getting ssh permission denied (public key). I tested that key and it works with github. My SSH output is:
compose ➤ ssh -v -i ~/.ssh/id_rsa slalombclark@localhost -p 1234 git:master*
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 1234.
debug1: Connection established.
debug1: identity file /home/wclark/.ssh/id_rsa type 0
debug1: identity file /home/wclark/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:1234 as 'slalombclark'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:w/R+luyZE7cMpit14QWtF1eB56G3/u1UmER0GQ1Yb6g
debug1: Host '[localhost]:1234' is known and matches the RSA host key.
debug1: Found key in /home/wclark/.ssh/known_hosts:11
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/wclark/.ssh/id_rsa RSA SHA256:mvcoDfIzCExUx6PLA6cWsUsRiXQNYpWK9S9tmQoQqoI explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/wclark/.ssh/id_rsa RSA SHA256:mvcoDfIzCExUx6PLA6cWsUsRiXQNYpWK9S9tmQoQqoI explicit agent
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
slalombclark@localhost: Permission denied (publickey).
Bill Clarkabout 5 years ago
the gak github-authorized-keys piece is a mystery to me...
Bill Clarkabout 5 years ago
ok a possible documentation interpretation problem. When I look at the github-authorized-keys project the GITHUB_TEAM=ssh / the bastion examples do not go into detail on that, and so I would think I need to have a github team under my org and name it there. I have tried both to no avail...
Bill Clarkabout 5 years ago
The other odd thing is the Host key verification failing when I try to auth to the bastion docker. Why would it look at my home dir known_hosts file? I thought the docker image was using the github-authorized-keys api method. #bastion @Bill Clark confused...
Bill Clarkabout 5 years ago
I like the bastion and github-authorized-keys concepts. But no idea how to debug these
Erik Osterman (Cloud Posse)about 5 years ago
So a few things to look for:
• check the output of the container and see if there's any meaningful logs coming from github-authorized-keys
• check /etc/passwd on the container to see if the user was added
• check /home/ to see if the user directory was created and that the authorized_keys file is there
Bill Clarkabout 5 years ago
@Erik Osterman (Cloud Posse) Can you confirm what these should be set to?
***Are these settings in gak.env absolutely necessary and/or do they truly relate back to github? In my case I created an organization on github called sl-dtc-cas***
GITHUB_API_TOKEN=****************
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/usr/bin/sudosh
SYNC_USERS_ROOT=/
SYNC_USERS_INTERVAL=60
ETCD_ENDPOINT=<http://etcd:2379>
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=false
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"
Bill Clarkabout 5 years ago
compose ➤ docker logs compose_gak_1 git:master*
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4******************************62d52","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s********s","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - ***","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://etcd:2379]","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /usr/bin/sudosh","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 60 seconds","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - false","time":"2021-01-12T22:03:55Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-12T22:03:55Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-12T22:03:55Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:03:55Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T22:03:55Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:04:55Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:05:56Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:06:57Z"}
{"job":"syncUsers","level":"error","msg":"No such team name or id could be found","subsystem":"jobs","time":"2021-01-12T22:07:58Z"}
[GIN] 2021/01/12 - 22:08:52 | 404 | 1.1µs | 172.22.0.1 | GET /
[GIN] 2021/01/12 - 22:08:52 | 404 | 600ns | 172.22.0.1 | GET /favicon.ico
Bill Clarkabout 5 years ago
I'm starting to think that the username being cut off is some display glitch or ls bug. The problem is that the authorized_keys file is not being placed in /home/slalombclark/
Bill Clarkabout 5 years ago
The only other issue I could identify was that the three scripts under ../compose/scripts did not have execute permissions and the #! path to bash was wrong. It was set to /bin/bash and my host system has bash under /usr/bin/bash. So I changed those but still no improvement...
Bill Clarkabout 5 years ago
The compose_bastion_1 container exits and the compose_gak_1 container has these logs: scripts ➤ docker logs compose_gak_1 git:master*
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4******************************62d52","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s********s","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - *****","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://etcd:2379]","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /usr/bin/sudosh","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 60 seconds","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - false","time":"2021-01-12T23:15:14Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-12T23:15:14Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-12T23:15:14Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/sudosh -u 500 slalombclark]","time":"2021-01-12T23:15:15Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-12T23:15:15Z"}
Created user slalombclark
Added user slalombclark to group sudo
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T23:15:15Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
Bill Clarkabout 5 years ago
I fixed the compose_bastion_1 issues. Turns out the bash path needs to stay what it was. No errors there now. Now to determine why the authorized_keys file does not get put in my /home dir...
Bill Clarkabout 5 years ago
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/sudosh -u 500 slalombclark]","time":"2021-01-12T23:28:35Z"}
Created user slalombclark
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-12T23:28:35Z"}
Added user slalombclark to group sudo
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-12T23:28:35Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
{"job":"syncUsers","level":"debug","msg":"User slalombclark exists - skip creation","subsystem":"jobs","time":"2021-01-12T23:29:36Z"}
Bill Clarkabout 5 years ago
OK. Interesting development. I did create a group called ssh in my github and I added another email/user to the group. I noticed in the logs now it only creates one user and, interestingly enough, even though the env variable in gak.env reads SYNC_USERS_GID=500, the error I can see states adduser: uid '500' in use. What is going on? Is there some sort of UID/GID mixup happening?
Bill Clarkabout 5 years ago(edited)
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-13T01:02:49Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/bash -u 500 hellrotbill]","time":"2021-01-13T01:02:50Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [addgroup sudo]","time":"2021-01-13T01:02:50Z"}
Created user hellrotbill
Added user hellrotbill to group sudo
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /usr/bin/bash -u 500 slalombclark]","time":"2021-01-13T01:02:50Z"}
adduser: uid '500' in use <------------------------------------------------
{"job":"syncUsers","level":"error","msg":"exit status 1","subsystem":"jobs","time":"2021-01-13T01:02:50Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-13T01:02:50Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
=============================================================
wclark@DESKTOP-EHDUNET:~/Projects/bastion/examples/compose$ cat gak.env
GITHUB_API_TOKEN=*****************************
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500 <------------------------------
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/usr/bin/bash
SYNC_USERS_ROOT=/
SYNC_USERS_INTERVAL=60
ETCD_ENDPOINT=http://etcd:2379
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=false
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"
Bill Clarkabout 5 years ago
There are numerous problems with the gak.env file. I looked at the settings over at github-authorized-keys and the etcd_endpoint port numbers are transposed. I also stripped out the bad flag of -g in the LINUX_USER_ADD_WITH_GID_TPL. Still there are errors and now it won't create the users in /etc/passwd /etc/group. But it's also troublesome that there are errors with the /etc/ssh/sshd_config file not being found. I need more understanding of how these environment variables are passed around and the dependencies...
Bill Clarkabout 5 years ago
Here is where I left things. I will post the entries in gak.env and bastion.env and then the logs of each container. #bastion
Bill Clarkabout 5 years ago
wclark@DESKTOP-EHDUNET:~/Projects/bastion/examples/compose$ cat gak.env
GITHUB_API_TOKEN=7cd***********d52
GITHUB_ORGANIZATION=sl-dtc-cas
GITHUB_TEAM=ssh
SYNC_USERS_GID=500
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/bin/bash
SYNC_USERS_ROOT=/host
SYNC_USERS_INTERVAL=300
ETCD_ENDPOINT=http://localhost:2739
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=true
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup -g {gid} {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"
wclark@DESKTOP-EHDUNET:~/Projects/bastion/examples/compose$ cat bastion.env
API_URL=http://gak:301/user/%s/authorized_keys
MFA_PROVIDER=google-authenticator
SLACK_ENABLED=true
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T01J4J3QE3X/B01J4KK8*************
SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
LOGLEVEL=DEBUG
Bill Clarkabout 5 years ago
wclark@DESKTOP-EHDUNET:~/Projects/bastion/examples/compose$ docker logs compose_etcd_1
2021-01-13 02:15:32.819816 I | etcdmain: etcd Version: 2.3.7
2021-01-13 02:15:32.819876 I | etcdmain: Git SHA: fd17c91
2021-01-13 02:15:32.819886 I | etcdmain: Go Version: go1.6.2
2021-01-13 02:15:32.819889 I | etcdmain: Go OS/Arch: linux/amd64
2021-01-13 02:15:32.819893 I | etcdmain: setting maximum number of CPUs to 8, total number of available CPUs is 8
2021-01-13 02:15:32.819896 W | etcdmain: no data-dir provided, using default data-dir ./default.etcd
2021-01-13 02:15:32.820493 I | etcdmain: listening for peers on http://localhost:2380
2021-01-13 02:15:32.820590 I | etcdmain: listening for peers on http://localhost:7001
2021-01-13 02:15:32.820670 I | etcdmain: listening for client requests on http://0.0.0.0:2379
2021-01-13 02:15:32.820727 I | etcdmain: listening for client requests on http://0.0.0.0:4001
2021-01-13 02:15:32.821258 I | etcdserver: name = default
2021-01-13 02:15:32.821282 I | etcdserver: data dir = default.etcd
2021-01-13 02:15:32.821287 I | etcdserver: member dir = default.etcd/member
2021-01-13 02:15:32.821290 I | etcdserver: heartbeat = 100ms
2021-01-13 02:15:32.821293 I | etcdserver: election = 1000ms
2021-01-13 02:15:32.821296 I | etcdserver: snapshot count = 10000
2021-01-13 02:15:32.821302 I | etcdserver: advertise client URLs = http://0.0.0.0:2379,http://0.0.0.0:4001
2021-01-13 02:15:32.821306 I | etcdserver: initial advertise peer URLs = http://localhost:2380,http://localhost:7001
2021-01-13 02:15:32.821318 I | etcdserver: initial cluster = default=http://localhost:2380,default=http://localhost:7001
2021-01-13 02:15:32.823548 I | etcdserver: starting member ce2a822cea30bfca in cluster 7e27652122e8b2ae
2021-01-13 02:15:32.823594 I | raft: ce2a822cea30bfca became follower at term 0
2021-01-13 02:15:32.823602 I | raft: newRaft ce2a822cea30bfca [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
2021-01-13 02:15:32.823606 I | raft: ce2a822cea30bfca became follower at term 1
2021-01-13 02:15:32.824099 I | etcdserver: starting server... [version: 2.3.7, cluster version: to_be_decided]
2021-01-13 02:15:32.824971 N | etcdserver: added local member ce2a822cea30bfca [http://localhost:2380 http://localhost:7001] to cluster 7e27652122e8b2ae
2021-01-13 02:15:33.224279 I | raft: ce2a822cea30bfca is starting a new election at term 1
2021-01-13 02:15:33.224381 I | raft: ce2a822cea30bfca became candidate at term 2
2021-01-13 02:15:33.224387 I | raft: ce2a822cea30bfca received vote from ce2a822cea30bfca at term 2
2021-01-13 02:15:33.224395 I | raft: ce2a822cea30bfca became leader at term 2
2021-01-13 02:15:33.224400 I | raft: raft.node: ce2a822cea30bfca elected leader ce2a822cea30bfca at term 2
2021-01-13 02:15:33.224904 I | etcdserver: published {Name:default ClientURLs:[http://0.0.0.0:2379 http://0.0.0.0:4001]} to cluster 7e27652122e8b2ae
2021-01-13 02:15:33.224983 I | etcdserver: setting up the initial cluster version to 2.3
2021-01-13 02:15:33.226985 N | etcdserver: set the initial cluster version to 2.3
Bill Clark (about 5 years ago)
Initializing duo
Initializing enforcer
- Enabling Enforcer
- Enabling Clean Home
Initializing google-authenticator
- Enabling Google Authenticator MFA
Initializing hostname
Initializing rate-limit
- Enabling Rate Limits
- Users will be locked for 300s after 5 failed logins
- Fail delay of 3000000 micro-seconds
Initializing secure-proc
- Locking down /proc
Initializing slack
- Enabling Slack Notifications
Initializing ssh-api-url
- Setting SSH Authorized Keys API URL
Initializing ssh-audit
- Enabling SSH Audit Logs
Initializing ssh-authorized-keys-command
- Enabling SSH Authorized Keys Command
Initializing ssh-host-key
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:VrbNLba/MRTcZPZ5sfOni0EsKOMR/oWrvvGDvRWu+68 root@7b7aa10469fd
The key's randomart image is:
+---[RSA 2048]----+
| .+|
| . ==|
| . o o++|
| . . = = . .+|
| = S = B o o|
| . * + = + ..|
| ooo o o + |
| .+oo + + |
| .+.==Eoo +. |
+----[SHA256]-----+
Initializing ssh-log-level
- Setting SSH LogLevel to DEBUG
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Bill Clark (about 5 years ago)
wclark@DESKTOP-EHDUNET:~/Projects/bastion/examples/compose$ docker logs compose_gak_1
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubAPIToken - 7cde4******************************62d52","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubOrganization - s********s","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamName - ***","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: GithubTeamID - *","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdEndpoints - [http://localhost:2739]","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdPrefix - github-authorized-keys","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: EtcdTTL - 24h0m0s seconds","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGID - 500","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserGroups - [sudo]","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: UserShell - /bin/bash","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Root - /host","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Interval - 300 seconds","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: IntegrateWithSSH - true","time":"2021-01-13T02:15:35Z"}
{"class":"RootCmd","level":"info","method":"RunE","msg":"Config: Listen - :301","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Run syncUsers job on start","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:15:35Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:15:35Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Run ssh integration job on start","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsure","msg":"File /usr/bin/github-authorized-keys not found","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsure","msg":"Can not read file /usr/bin/github-authorized-keys","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure exec mode for file /usr/bin/github-authorized-keys","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommand line in sshd_config","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsureLineMatch","msg":"File /etc/ssh/sshd_config not fould","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Ensure AuthorizedKeysCommandUser line in sshd_config","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"FileEnsureLineMatch","msg":"File /etc/ssh/sshd_config not fould","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Restart ssh","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [echo \"sshd restart\"]","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"info","msg":"Output: ","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"job":"sshIntegrate","level":"error","msg":"Error: fork/exec /bin/echo: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:15:35Z"}
{"level":"info","msg":"Start jobs scheduler","time":"2021-01-13T02:15:35Z"}
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
- using env: export GIN_MODE=release
- using code: gin.SetMode(gin.ReleaseMode)
[GIN-debug] GET /user/:name/authorized_keys --> github.com/cloudposse/github-authorized-keys/server.Run.func1 (3 handlers)
[GIN-debug] Listening and serving HTTP on :301
[GIN] 2021/01/13 - 02:17:16 | 404 | 800ns | 192.168.112.1 | GET /
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:20:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:20:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:20:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:20:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash hellrotbill]","time":"2021-01-13T02:25:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}
{"class":"Linux","level":"debug","method":"TemplateCommand","msg":"Command: [adduser -D -s /bin/bash slalombclark]","time":"2021-01-13T02:25:36Z"}
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}
Bill Clark (about 5 years ago)
Thinking I have been doing this all wrong. Perhaps I should be doing everything from build-harness first?
Erik Osterman (Cloud Posse) (about 5 years ago)
Hey @Bill Clark - so sorry that you're struggling through this. We're not actively using this project as we moved to Teleport https://github.com/gravitational/teleport
Erik Osterman (Cloud Posse) (about 5 years ago)
The docker composition was provided by someone else in the community.
Erik Osterman (Cloud Posse) (about 5 years ago, edited)
{"job":"syncUsers","level":"error","msg":"fork/exec /usr/sbin/adduser: no such file or directory","subsystem":"jobs","time":"2021-01-13T02:25:36Z"}
This indicates that the configuration does not match the Linux distro.
Erik Osterman (Cloud Posse) (about 5 years ago)
What makes it hard (and why there are so many environment variables) is that every Linux distro seemingly has a different adduser command that takes different arguments in different orders.
Erik Osterman (Cloud Posse) (about 5 years ago)
Modify the command templates relative to the linux distro: https://github.com/cloudposse/github-authorized-keys#command-templates
Bill Clark (about 5 years ago)
Agreed. I struggled with changing methods years ago when I deployed a fanout DirXML driver for Novell IDM. Teleport, I will have to check it out.