dnutan
(Marc)
February 28, 2020, 11:14pm
3
Issue happened on two different virtual machines. yum history undo or nethserver-cockpit downgrade solved the issue.
Tried again one of the machines restoring from an older snapshot and couldn’t reproduce the problem.
Tried once more (all up to date) and this time an error messages popped up after disabling both checkboxes (root login, password auth):
echo ‘{“name”:“sshd”,“props”:{“PasswordAuthentication”:“0”,“PermitRootLogin”:“0”,“TCPPort”:“2222”},“type”:“service”}’ | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
Type of argument to keys on reference must be unblessed hashref or arrayref at /usr/libexec/nethserver/api/system-openssh/update line 42.
After this, cannot save SSH settings from cockpit but works from nethgui.
Installed nethserver packages
[root@server ~]# rpm -qa nethserver-\*|sort
nethserver-backup-config-2.4.1-1.ns7.noarch
nethserver-backup-data-1.7.1-1.ns7.noarch
nethserver-base-3.7.5-1.ns7.noarch
nethserver-cockpit-1.4.5-1.ns7.noarch
nethserver-cockpit-lib-1.4.5-1.ns7.noarch
nethserver-collectd-3.1.0-1.ns7.noarch
nethserver-dc-1.8.0-1.ns7.x86_64
nethserver-diagtools-1.0.3-1.ns7.noarch
nethserver-dnsmasq-1.7.0-1.ns7.noarch
nethserver-duc-1.7.0-1.ns7.noarch
nethserver-firewall-base-3.8.8-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-httpd-3.7.6-1.ns7.noarch
nethserver-httpd-admin-2.4.0-1.ns7.noarch
nethserver-lang-cockpit-1.4.4-2.ns7.noarch
nethserver-lang-en-1.4.4-2.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-lib-2.2.11-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-mail-smarthost-2.12.0-1.ns7.noarch
nethserver-mysql-1.1.4-1.ns7.noarch
nethserver-nethforge-release-7-3.ns7.noarch
nethserver-nextcloud-1.9.0-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-openssh-1.4.1-1.ns7.noarch
nethserver-phonehome-1.4.0-1.ns7.noarch
nethserver-php-1.2.1-1.ns7.noarch
nethserver-release-7-16.ns7.noarch
nethserver-rh-php72-php-fpm-1.1.1-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-sssd-1.6.0-1.ns7.noarch
nethserver-subscription-3.5.3-1.ns7.noarch
nethserver-subscription-inventory-3.5.3-1.ns7.x86_64
nethserver-subscription-ui-3.5.3-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
1 Like
I will try to reproduce it tomorrow.
1 Like
stephdl
(Stéphane de Labrusse)
February 29, 2020, 9:35am
5
please what is the output
config show sshd
config show sssd
I cannot reproduce
we have implemented a new prop under sssd
config setprop sssd ShellOverrideStatus enabled #### default disabled
signal-event nethserver-sssd-save
the $sshd{AllowGroups} could be tested also
stephdl
(Stéphane de Labrusse)
February 29, 2020, 9:50am
6
ok I can reproduce
echo '{"name":"sshd","props":{"PasswordAuthentication":"0","PermitRootLogin":"0","TCPPort":"2222"},"type":"service"}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
Type of argument to keys on reference must be unblessed hashref or arrayref at /usr/libexec/nethserver/api/system-openssh/update line 42.
but this is not what the UI output normally in the web console
echo '{"name":"sshd","props":{"PasswordAuthentication":"0","PermitRootLogin":"0","TCPPort":"23","AllowGroups":{},"AllowEveryone":"none"},"type":"service"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
I suspect that cockpit has not been restarted and you still have the old UI in the browser cache
1 Like
davidep
(Davide Principi)
Split this topic
February 29, 2020, 12:09pm
7
2 posts were split to a new topic: Why cockpit is not restarted
dnutan
(Marc)
February 29, 2020, 10:51am
8
[root@server ~]# config show sshd
sshd=service
AllowEveryone=
AllowGroups=
LoginGraceTime=2m
MaxAuthTries=6
PasswordAuthentication=0
PermitRootLogin=0
Protocol=2
SubsystemSftp=yes
TCPPort=2222
UsePAM=yes
access=green,red
status=enabled
[root@server ~]# config show sssd
sssd=service
AdDns=10.0.0.2
BindDN=ldapservice@ad.domain.tld
BindPassword=*************
DiscoverDcType=ldapuri
LdapURI=ldaps://nsdc-server.ad.domain.tld
Provider=ad
Realm=ad.domain.tld
ShellOverrideStatus=disabled
Workgroup=DOMAIN
status=enabled
Notice from cockpit values are set to 0, fron nethgui are blank when disabled. But prior to this update I think it was the same and working:
PasswordAuthentication=0
PermitRootLogin=0
The error just showed one time, son I don’t know if it should be different now.
Tried with different browsers, incognito/private window and clearing cache.
Same after rebooting server, signal-event nethserver-cockpit-update
or systemctl restart cockpit.service
There was something related to cockpit restart and certficates. Don’t know if it has anything to do with this:
Meanwhile I filed the bug report:
My solution proposal is
remove the restart of cockpit-ws, to avoid the session cut off
display a warning, trying to explain that to prevent disconnection the new certificate is applied to cockpit itself 90 seconds after all sessions are closed.
stephdl
(Stéphane de Labrusse)
February 29, 2020, 11:15am
9
Could you update again and check what is now the validation/update output in the console, the code does right, it is the UI which doesnt output what the API expects
dnutan
(Marc)
February 29, 2020, 11:20am
10
Update what?
Info message on browser console (no error):
API exec: system-openssh/validate
$ echo '{"name":"sshd","props":{"PasswordAuthentication":"0","PermitRootLogin":"yes","TCPPort":"2222","AllowGroups":{},"AllowEveryone":""},"type":"service"}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/validate | jq
Using that command on terminal it gives:
[root@server ~]# echo '{"name":"sshd","props":{"PasswordAuthentication":"0","PermitRootLogin":"yes","TCPPort":"2222","AllowGroups":{},"AllowEveryone":""},"type":"service"}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/validate | jq
{
"type": "NotValid",
"message": "validation_failed",
"attributes": [
{
"parameter": "AllowEveryone",
"value": "",
"error": "valid_memberOf_none, sftp, sftp+ssh"
}
]
}
stephdl
(Stéphane de Labrusse)
February 29, 2020, 11:47am
11
Does this create the error message in the terminal, it should not
The update occurs after the validation innthe web console o fyour browser
davidep
(Davide Principi)
February 29, 2020, 12:11pm
12
I bet it is a regression introduced by the last update. @dnutan , can we say to use Nethgui to workaround the issue?
dnutan
(Marc)
February 29, 2020, 12:38pm
13
Yes, from nethgui it works as expected.
1 Like
stephdl
(Stéphane de Labrusse)
February 29, 2020, 5:27pm
14
You showed us the validation, could you show us the update
Thank in advance
stephdl
(Stéphane de Labrusse)
February 29, 2020, 5:49pm
15
stephdl:
Does this create the error message in the terminal, it should not
The update occurs after the validation innthe web console o fyour browser
of course you have a validation error, the AllowEveryone could not accept an empty value
I am short of idea and I cannot reproduce …
stephdl
(Stéphane de Labrusse)
February 29, 2020, 6:05pm
17
dnutan:
echo ‘{“name”:“sshd”,“props”:{“PasswordAuthentication”:“0”,“PermitRootLogin”:“0”,“TCPPort”:“2222”},“type”:“service”}’ | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
Type of argument to keys on reference must be unblessed hashref or arrayref at /usr/libexec/nethserver/api/system-openssh/update line 42.
lookat this @davidep , it looks that the UI used the old API code, the new one is
echo '{"name":"sshd","props":{"PasswordAuthentication":"yes","PermitRootLogin":"yes","TCPPort":"23","AllowGroups":{},"AllowEveryone":"none"},"type":"service"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
Why the UI tried to communicate with the old API and not the new one
davidep
(Davide Principi)
February 29, 2020, 6:08pm
18
Because the js code loaded by the browser wasn’t updated? Does the problem disappear after a full page reload (Ctrl+r or Ctrl+f5)?
1 Like
dnutan
(Marc)
February 29, 2020, 7:24pm
19
No, same problem after page reload and with another browser.
1 Like
dnutan
(Marc)
February 29, 2020, 7:25pm
20
Sorry, I still don’t get it about the update. Nothing else on console after the API call.
1 Like
dnutan
(Marc)
February 29, 2020, 8:11pm
21
After manually setting config setprop sshd AllowEveryone none
it passes the validate action an it works.
API exec: system-openssh/validate$ echo '{"name":"sshd","props":{"PasswordAuthentication":"yes","PermitRootLogin":"yes","TCPPort":"2222","AllowGroups":{},"AllowEveryone":"none"},"type":"service"}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/validate | jq
nethserver.js:41 API exec: system-openssh/update$ echo '{"name":"sshd","props":{"PasswordAuthentication":"yes","PermitRootLogin":"yes","TCPPort":"2222","AllowGroups":{},"AllowEveryone":"none"},"type":"service"}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/system-openssh/update | jq
1 Like
davidep
(Davide Principi)
February 29, 2020, 9:21pm
22
If so the fix is just defining a default value for the prop… What do you think @stephdl ?