Shell app - direct shell instead of SSH?

[cwaldbieser]

For the shell app, my understanding of the architecture is that the OOD software creates a web-based terminal emulator and hooks that up to an ssh process that runs as the logged in user.

Is it possible to have the software invoke some kind of shell (e.g. bash) instead of ssh and wire it up to the terminal emulator?
The reason I ask is because the ssh process will ask a user to authenticate. If you use key-based or cert-based authentication, the ssh process running on a remote host will have no way to access the user's private key, and thus passwordless authentication becomes rather problematic.

I recognize that direct shell wouldn't necessarily make sense if your OOD service is running on some dedicated node that a user has no business having a shell on, but if you run the service on say the login node, this would be a convenient way to use the terminal from the web app.

I'm not sure if this is something that can currently be configured, e.g. with ODD_SSH_WRAPPER, or if this would be a new feature request.

[johrstrom]

I'm not sure if this is something that can currently be configured, e.g. with ODD_SSH_WRAPPER, or if this would be a new feature request.

I can be done with ODD_SSH_WRAPPER. I use this sometimes, and would have to look it up to be sure, but I'm fairly sure it's just the wrapper I use is just this:

#!/bin/bash

/bin/bash

[johrstrom]

By the way, it's worth noting that we (OSC) use HostBasedAuthentication on our systems to allow folks to ssh here and there seamlessly.

[cwaldbieser]

Doesn't HostBasedAuthentication allow a user on host A to impersonate a user on host B? E.g. if I am logged in as [email protected] and I ssh [email protected], won't that succeed?

[johrstrom]

No, if you try to login as a different user, it'll prompt for the password. Even if the user doesn't exist (like thisusercantreallyexist)

[cwaldbieser]

Thanks. The following article from 2014 explains how spoofing is prevented.
tl;dr - The host key is used by the ssh client to sign the assertion sent to the sshd server. Only root can read the host key. The trusted ssh client is allowed to use a helper program that can elevate permissions to read the host key. The trusted ssh client asserts the effective user name.

[cwaldbieser]

I tried setting ODD_SSH_WRAPPER to a script like mentioned above, and this works as expected.
However, if I let the terminal prompt be idle for about a minute, I get a message:

"Your connection to the remote server has been terminated."
Any idea what could be causing the connection to drop? If I run something like htop, the shell will stay active. It's only if I leave it idle that I get this message.

I tried setting passenger_pool_idle_time, but I think the default was 5 minutes, and that didn't seem to work.

[johrstrom]

This configuration works for 3.0.9 and up, if you're on a version lower than that then that's just the behavior of idle connections.

https://osc.github.io/ood-documentation/latest/customizations.html#enable-and-configure-shell-ping-pong

[cwaldbieser]

We are on a higher version. I first has used the Apache httpd setting from this post, and those increased the timeout to 5 minutes and 30 seconds (330s), so something else was still limiting the idle time. I tried the ping pong configuration, but that did not extend the idle time past that limit.

[cwaldbieser]

I think the issue was I had to force kill my PUN.