Project

General

Profile

Scénario #31712

Les scripts utilisants SSH doivent exclure l’usage de l’agent

Added by Daniel Dehennin 10 months ago. Updated about 1 month ago.

Status:
Terminé (Sprint)
Priority:
Normal
Assigned To:
Category:
-
Start date:
04/06/2021
Due date:
10/15/2021
% Done:

100%

Estimated time:
0.00 h
Story points:
2.0
Remaining (hours):
0.00 hour
Velocity based estimate:
1 days
Release:
Release relationship:
Auto

Description

Si un utilisateur se connecte à un serveur Scribe ou Amonecole avec le transfert d’agent actif, le reconfigure plante car les connexions SSH dans les conteneurs (addc et autres) ne peuvent se faire.

Il faudrait que les appels de la commande SSH se fasse :

- avec l’option -o IdentitiesOnly=yes pour n’utiliser que les fichiers /root/.ssh/id_*
- réinitialiser la variable SSH_AUTH_SOCK pour les appels à la commande SSH

Ce qui donnerait :

SSH_AUTH_SOCK= ssh -q -o IdentitiesOnly=yes -o LogLevel=ERROR -o StrictHostKeyChecking=no

À faire

  • Scribe >= 2.7.2 / AmonEcole 2.8.1
  • Modifier tous les appels ssh qui le nécessitent

Subtasks

Tâche #32040: Établir la liste de tous les projets EOLE devant être modifiéFerméEmmanuel GARETTE

Tâche #33199: Configurer ssh correctementFerméEmmanuel GARETTE


Related issues

Related to Distribution EOLE - Tâche #32585: Scribe : reconfigure plante sur postservice/40-password_management Fermé 05/31/2021
Related to Distribution EOLE - Tâche #33236: Valider le scénario Les scripts utilisants SSH doivent exclure l’usage de l’agent Fermé 10/04/2021

History

#1 Updated by Daniel Dehennin 10 months ago

  • Description updated (diff)

#2 Updated by Joël Cuissinat 9 months ago

  • Parent task changed from #31587 to #31903

#3 Updated by Gilles Grandgérard 8 months ago

  • Parent task deleted (#31903)

#4 Updated by Gilles Grandgérard 8 months ago

  • Tracker changed from Tâche to Scénario
  • Due date set to 04/06/2021

#5 Updated by Gilles Grandgérard 8 months ago

  • Due date deleted (04/06/2021)
  • Target version deleted (sprint 2021 11-13 Equipe MENSR)
  • Start date deleted (04/06/2021)

#6 Updated by Daniel Dehennin 6 months ago

  • Related to Tâche #32585: Scribe : reconfigure plante sur postservice/40-password_management added

#7 Updated by Joël Cuissinat 3 months ago

  • Subject changed from Les scriptes utilisants SSH doivent exclure l’usage de l’agent to Les scripts utilisants SSH doivent exclure l’usage de l’agent
  • Due date set to 10/22/2021
  • Target version set to Prestation Cadoles MEN 2021 39-41
  • Start date set to 09/27/2021
  • Release set to EOLE 2.8.0.1
  • Story points set to 2.0

#8 Updated by Joël Cuissinat 3 months ago

  • Release changed from EOLE 2.8.0.1 to EOLE 2.7.2

#9 Updated by Joël Cuissinat 3 months ago

  • Description updated (diff)

#10 Updated by Matthieu Lamalle 2 months ago

  • Assigned To set to Emmanuel GARETTE

#11 Updated by Gilles Grandgérard 2 months ago

Vu en visio :

- modifier le template /etc/ssh/ssh_config (conf client maitre) eole-common
- creer un template /etc/ssh/ssh_config.d/seth.conf eole-ad-dc
- creer un template /etc/ssh/ssh_config.d/hapy.conf conf-hapy (?)

#12 Updated by Emmanuel GARETTE about 2 months ago

  • Status changed from Nouveau to Résolu

#13 Updated by Daniel Dehennin about 1 month ago

  • Related to Tâche #33236: Valider le scénario Les scripts utilisants SSH doivent exclure l’usage de l’agent added

#14 Updated by Daniel Dehennin about 1 month ago

  • Status changed from Résolu to En cours

Le fichier /etc/ssh/ssh_config contient :

  • Sur un aca.amonecole-2.8.1-instance-default
    Host web
        Hostname 192.0.2.51
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host mail
        Hostname 192.0.2.51
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host dhcp
        Hostname 192.0.2.52
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host domaine
        Hostname 192.0.2.56
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host fichier
        Hostname 192.0.2.52
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host dns
        Hostname 192.0.2.56
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host mysql
        Hostname 192.0.2.50
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host postgresql
        Hostname 192.0.2.50
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host proxy
        Hostname 192.0.2.53
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host ftp
        Hostname 192.0.2.52
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host annuaire
        Hostname 192.0.2.56
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host reseau
        Hostname 192.0.2.51
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host jabber
        Hostname 192.0.2.51
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host internet
        Hostname 192.0.2.53
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host bdd
        Hostname 192.0.2.50
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host partage
        Hostname 192.0.2.52
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host addc
        Hostname 192.0.2.56
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
  • Sur un aca.scribe-2.7.2-instance-default et aca.scribe-2.8.0-instance-default
    Host annuaire
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host mail
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host dhcp
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host fichier
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host web
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host mysql
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host ftp
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host bdd
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host reseau
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host partage
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host addc
        Hostname 192.0.2.2
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
  • Sur aca.scribe-2.8.1-instance-default
    Host addc
        Hostname 192.0.2.2
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
  • Sur un aca.dc1-2.7.2-instance-default et aca.dc1-2.8.0-instance-default
    Host mail
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
    Host dhcp
        Hostname 127.0.0.1
        IdentitiesOnly yes
        LogLevel ERROR
        StrictHostKeyChecking no
    
  • Sur un aca.dc1-2.8.1-instance-default, il n’y a aucune indication pour des conteneurs (#31004)

J’ai tester en me connectant avec l’agent sur les VMS (ssh -A) et en me connectant en ssh dans les conteneurs, cela fonctionne sans soucis.

En revanche, la commande Query-Auto ne fonctionne pas :-/

root@amonecole:~# Query-Auto
Mise à jour le mardi 26 octobre 2021 11:05:42
Exécution des scripts /usr/share/eole/majauto_pre
run-parts: executing /usr/share/eole/majauto_pre/mitm
*** amonecole 2.8.1 (00000003) ***

Action check pour le conteneur reseau                                                                                                                                                 
Maj-Auto - Exécution de apt-eole -o --container current --log-level info check pour le conteneur reseau impossible

#15 Updated by Daniel Dehennin about 1 month ago

  • Status changed from En cours to Terminé (Sprint)

Also available in: Atom PDF