Merge pull request #232 from NBISweden/feature/pam
Solving pam issues
dtitov authored Jan 10, 2018
2 parents 664e24f + 260f20d commit b2e32bb
Showing 11 changed files with 49 additions and 56 deletions.
5 changes: 3 additions & 2 deletions deployments/docker/ega.yml
@@ -54,7 +54,7 @@ services:
- private/swe1/db.env
- private/swe1/cega.env
ports:
- "${DOCKER_INBOX_swe1_PORT}:22"
- "${DOCKER_INBOX_swe1_PORT}:9000"
container_name: ega-inbox-swe1
image: nbisweden/ega-inbox
privileged: true
@@ -67,6 +67,7 @@ services:
- ${DATA}/swe1/logger.yml:/etc/ega/logger.yml:ro
- inbox_swe1:/ega/inbox
- ../..:/root/.local/lib/python3.6/site-packages:ro
- ~/_auth_ega:/root/auth

# Vault
vault-swe1:
@@ -226,7 +227,7 @@ services:
- private/fin1/db.env
- private/fin1/cega.env
ports:
- "${DOCKER_INBOX_fin1_PORT}:22"
- "${DOCKER_INBOX_fin1_PORT}:9000"
container_name: ega-inbox-fin1
image: nbisweden/ega-inbox
privileged: true
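Review bot: The new bind mount `~/_auth_ega:/root/auth` on the swe1 inbox is read-write inside a container that runs `privileged: true`, while every sibling mount in the same volumes block carries `:ro`. If that directory holds credentials, as its name suggests, a compromised or misbehaving SFTP service can modify them on the host; make it `- ~/_auth_ega:/root/auth:ro` unless the container genuinely needs to write there. `~` is expanded by the compose client, so the mounted path also depends on which account runs compose; a `${...}` variable like the port mappings use would make that explicit. The diffstat shows the mount was added to swe1 only, not fin1 — fine if deliberate, but a one-line comment saying so would stop the next reader from "fixing" it.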
7 changes: 3 additions & 4 deletions deployments/docker/images/inbox/Dockerfile
@@ -26,15 +26,14 @@ RUN ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key && \
ldconfig -v && \
chown root:ega /ega/inbox && \
chmod 750 /ega/inbox && \
chmod g+s /ega/inbox && \
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak
chmod g+s /ega/inbox

ARG checkout=dev
RUN pip3.6 install git+https://github.com/NBISweden/LocalEGA.git@${checkout}

COPY pam.ega /etc/pam.d/ega
COPY pam.sshd /etc/pam.d/sshd
COPY sshd_config /etc/ssh/sshd_config
COPY sshd_config /etc/ega/sshd_config
RUN cp /usr/sbin/sshd /usr/sbin/ega
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 755 /usr/local/bin/entrypoint.sh
ENTRYPOINT ["entrypoint.sh"]
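Review bot: The `RUN cp /usr/sbin/sshd /usr/sbin/ega` line needs a comment, because its purpose is invisible: sshd uses its own program name as the PAM service name, so the copy is what makes `/etc/pam.d/ega` (copied two lines earlier) apply instead of the distro's `/etc/pam.d/sshd`, which this commit stops replacing. Suggest `# sshd selects /etc/pam.d/<basename>; a copy named ega picks up /etc/pam.d/ega` above it, and `# the stock /etc/ssh/sshd_config is left untouched: the entrypoint must start with -f /etc/ega/sshd_config` above the COPY. Separately, the config placed at /etc/ega/sshd_config lists ecdsa and ed25519 host keys, but the `ssh-keygen` at the top of this RUN only generates the RSA key; sshd starts with RSA alone and logs a "Could not load host key" error for the other two, so either generate them here or drop those HostKey lines.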
2 changes: 1 addition & 1 deletion deployments/docker/images/inbox/entrypoint.sh
@@ -100,4 +100,4 @@ EOF
crond -s

echo "Starting the SFTP server"
exec /usr/sbin/sshd -D -e
exec /usr/sbin/ega -D -e -f /etc/ega/sshd_config
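Review bot: The `-f /etc/ega/sshd_config` on the exec line is now load-bearing, since the Dockerfile no longer overwrites `/etc/ssh/sshd_config`; a plain `/usr/sbin/ega -D` would run with whatever defaults the base image ships, under the ega PAM stack. A syntax check before the exec fails the container fast on a config typo instead of leaving a daemon that cannot be reached: `/usr/sbin/ega -t -f /etc/ega/sshd_config || exit 1`. A one-line comment that `/usr/sbin/ega` is a copy of sshd chosen for its PAM service name would also help anyone reading this script in isolation.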
7 changes: 4 additions & 3 deletions deployments/docker/images/inbox/pam.ega
@@ -1,4 +1,5 @@
#%PAM-1.0
auth sufficient /usr/local/lib/ega/pam_ega.so
account sufficient /usr/local/lib/ega/pam_ega.so
session sufficient /usr/local/lib/ega/pam_ega.so
auth requisite /usr/local/lib/ega/pam_ega.so
account requisite /usr/local/lib/ega/pam_ega.so
password required pam_deny.so
session requisite /usr/local/lib/ega/pam_ega.so
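Review bot: The stack carries no comment explaining that this service is selected by binary name, or that every phase now rests on a single module. Suggest `# PAM service for /usr/sbin/ega (a copy of sshd); sshd picks /etc/pam.d/<basename>` at the top, and `# with UsePAM yes sshd runs the account stack for public-key logins too, so pam_ega.so gates every login` above the account line. `requisite` is the safe direction: a failure, or a module that cannot be loaded, denies immediately, and `password required pam_deny.so` correctly blocks password changes through this service. One thing to confirm against the module: if pam_ega.so can return PAM_IGNORE in any phase, the stack ends with no verdict and Linux-PAM reports denial, which is the intended outcome but only implicitly.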
8 changes: 0 additions & 8 deletions deployments/docker/images/inbox/pam.sshd

This file was deleted.

20 changes: 8 additions & 12 deletions deployments/docker/images/inbox/sshd_config
@@ -1,12 +1,13 @@
Port 9000
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
# Authentication
UsePAM yes
AuthenticationMethods "publickey" "keyboard-interactive:pam"
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication yes
KerberosAuthentication no
@@ -15,8 +16,9 @@ GSSAPICleanupCredentials no
# Faster connection
UseDNS no
# Limited access
AllowGroups ega root
PermitRootLogin yes
DenyGroups *,!ega
DenyUsers root ega
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
@@ -25,13 +27,7 @@ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# ===========================
# Force sftp and chroot jail
# ===========================
Subsystem sftp internal-sftp
# Force sftp and chroot jail (for users in the ega group, but not ega)
MATCH GROUP ega USER *,!ega
Banner /ega/banner
AuthorizedKeysCommand /usr/local/bin/ega_ssh_keys.sh
AuthorizedKeysCommandUser ega
AuthenticationMethods "publickey" "keyboard-interactive:pam"
Banner /ega/banner
AuthorizedKeysCommand /usr/local/bin/ega_ssh_keys.sh
AuthorizedKeysCommandUser ega
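Review bot: `DenyGroups *,!ega` does not mean "deny everyone outside group ega": sshd matches each of the user's groups against the list separately, so a user who has ega among their supplementary groups but any other primary group (the per-user group most `useradd` defaults create) matches `*` on that other group and is denied. The old `AllowGroups ega` admitted any user with ega in their group list; keep that form and pair it with the new lines, `AllowGroups ega`, `DenyUsers root ega`, `PermitRootLogin no` — sshd evaluates DenyUsers before AllowGroups, so the exclusions still win. The comment on the Match block promises an sftp-only chroot jail, but the visible block only sets Banner, AuthorizedKeysCommand/User and AuthenticationMethods; if `ChrootDirectory` and `ForceCommand internal-sftp` live outside this hunk, a pointer to them in the comment would avoid the impression they were dropped along with the old banner lines.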
3 changes: 3 additions & 0 deletions lega/fs.py
@@ -207,6 +207,9 @@ def main():
assert rootdir, "You did not specify the rootdir in the mount options"
assert user, "You did not specify the user in the mount options"

if not os.path.exists(rootdir):
sys.exit(1)

LOG.info(f'Mounting inbox for EGA User "{user}"')

# Creating the mountpoint if not existing.
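Review bot: The new `sys.exit(1)` when `rootdir` is missing exits silently, so a user whose inbox was deleted (the U.5 and F.3 scenarios this commit re-enables) leaves no log line saying why the mount helper gave up, while the asserts just above at least carry a message. Suggest `LOG.error(f'Inbox root {rootdir} does not exist')` before the exit, or `sys.exit(f'Inbox root {rootdir} does not exist')`, which writes the message to stderr and still returns status 1. `main()` starts and ends outside this hunk, so I cannot see whether `sys` is already imported in this module.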
4 changes: 2 additions & 2 deletions tests/src/test/java/se/nbis/lega/cucumber/Utils.java
@@ -156,7 +156,7 @@ public void removeUserInbox(String instance, String user) throws InterruptedExce
executeWithinContainer(findContainer(getProperty("images.name.inbox"), getProperty("container.prefix.inbox") + instance),
String.format("umount -l %s/%s", getProperty("inbox.fuse.folder.path"), user).split(" "));
executeWithinContainer(findContainer(getProperty("images.name.inbox"), getProperty("container.prefix.inbox") + instance),
String.format("rmdir %s/%s", getProperty("inbox.real.folder.path"), user).split(" "));
String.format("rm -rf %s/%s", getProperty("inbox.real.folder.path"), user).split(" "));
}

/**
@@ -168,7 +168,7 @@ public void removeUserInbox(String instance, String user) throws InterruptedExce
*/
public void removeUploadedFileFromInbox(String instance, String user, String fileName) throws InterruptedException {
executeWithinContainer(findContainer(getProperty("images.name.inbox"), getProperty("container.prefix.inbox") + instance),
String.format("rm -rf %s/%s/%s", getProperty("inbox.fuse.folder.path"), user, fileName).split(" "));
String.format("rm %s/%s/%s", getProperty("inbox.fuse.folder.path"), user, fileName).split(" "));
}
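Review bot: Switching `rmdir` to `rm -rf` on `%s/%s` in removeUserInbox removes the property that a wrong or empty `user` was mostly harmless: with `user` empty the command becomes `rm -rf <inbox.real.folder.path>/` and wipes every inbox in the container, and a value containing `/` or `..` walks out of the inbox tree. Since the argument comes from feature steps, a cheap precondition keeps a broken step from destroying the fixture: `if (user == null || user.isEmpty() || user.contains("/") || user.contains("..")) throw new IllegalArgumentException("bad inbox user: " + user);` at the top of the method. The `.split(" ")` on a formatted path also breaks if any configured path contains a space — pre-existing, but more dangerous now that the command is recursive. removeUserInbox begins before this hunk.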

/**
@@ -4,6 +4,7 @@
import cucumber.api.java8.En;
import lombok.extern.slf4j.Slf4j;
import net.schmizz.sshj.SSHClient;
import net.schmizz.sshj.sftp.SFTPException;
import net.schmizz.sshj.transport.verification.PromiscuousVerifier;
import net.schmizz.sshj.userauth.UserAuthException;
import org.apache.commons.io.FileUtils;
@@ -149,7 +150,7 @@ private void connect(Context context) {
context.setSsh(ssh);
context.setSftp(ssh.newSFTPClient());
context.setAuthenticationFailed(false);
} catch (UserAuthException e) {
} catch (UserAuthException | SFTPException e) {
context.setAuthenticationFailed(true);
} catch (IOException e) {
log.error(e.getMessage(), e);
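Review bot: Catching `SFTPException` together with `UserAuthException` in `connect` records any SFTP-level failure as an authentication failure, so the re-enabled U.5 scenario passes whenever `newSFTPClient()` throws — a protocol error or a missing subsystem satisfies "authentication fails" just as well as the deleted-inbox rejection it is meant to test. At minimum keep the stages distinguishable in the log, `} catch (SFTPException e) { log.warn("SFTP session refused after authentication: {}", e.getMessage()); context.setAuthenticationFailed(true); }`, and preferably record it as a separate flag such as `setSftpSessionFailed(true)` that the U.5 step checks explicitly. `connect` starts before this hunk.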
20 changes: 10 additions & 10 deletions tests/src/test/resources/cucumber/features/authentication.feature
@@ -39,16 +39,16 @@ Feature: Authentication
When I connect to the LocalEGA inbox via SFTP using private key
Then authentication fails

# Scenario: U.5 User exists in Central EGA and tries to connect to LocalEGA, but the inbox was not created for him
# Given I have an account at Central EGA
# And I want to work with instance "swe1"
# And I have correct private key
# And I connect to the LocalEGA inbox via SFTP using private key
# And I disconnect from the LocalEGA inbox
# And I am disconnected from the LocalEGA inbox
# And inbox is deleted for my user
# When I connect to the LocalEGA inbox via SFTP using private key
# Then authentication fails
Scenario: U.5 User exists in Central EGA and tries to connect to LocalEGA, but the inbox was not created for him
Given I have an account at Central EGA
And I want to work with instance "swe1"
And I have correct private key
And I connect to the LocalEGA inbox via SFTP using private key
And I disconnect from the LocalEGA inbox
And I am disconnected from the LocalEGA inbox
And inbox is deleted for my user
When I connect to the LocalEGA inbox via SFTP using private key
Then authentication fails

Scenario: U.6 User exists in Central EGA and uses correct private key for authentication for the correct instance, but database is down
Given I have an account at Central EGA
26 changes: 13 additions & 13 deletions tests/src/test/resources/cucumber/features/ingestion.feature
@@ -40,19 +40,19 @@ Feature: Ingestion
When I ingest file from the LocalEGA inbox using correct encrypted checksum
Then ingestion failed

# Scenario: F.3 User ingests file encrypted with OpenPGP, but inbox is not created
# Given I am a user of LocalEGA instances:
# | swe1 |
# And I have an account at Central EGA
# And I want to work with instance "swe1"
# And I have correct private key
# And I connect to the LocalEGA inbox via SFTP using private key
# And I have a file encrypted with OpenPGP using a "swe1" key
# And I upload encrypted file to the LocalEGA inbox via SFTP
# And I have CEGA MQ username and password
# And inbox is deleted for my user
# When I ingest file from the LocalEGA inbox using correct encrypted checksum
# Then ingestion failed
Scenario: F.3 User ingests file encrypted with OpenPGP, but inbox is not created
Given I am a user of LocalEGA instances:
| swe1 |
And I have an account at Central EGA
And I want to work with instance "swe1"
And I have correct private key
And I connect to the LocalEGA inbox via SFTP using private key
And I have a file encrypted with OpenPGP using a "swe1" key
And I upload encrypted file to the LocalEGA inbox via SFTP
And I have CEGA MQ username and password
And inbox is deleted for my user
When I ingest file from the LocalEGA inbox using correct encrypted checksum
Then ingestion failed

Scenario: F.4 User ingests file encrypted with OpenPGP, but file was not found in the inbox
Given I am a user of LocalEGA instances: