bastillion-io / bastillion

Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys.

Home Page: https://www.bastillion.io

License: Other

Java 59.74% CSS 1.20% JavaScript 0.69% HTML 38.37%
ssh bastion-host java javascript web-app web-based ssh-client ssh-key ssh-server

Contributors

andytime, atluxity, colandre, dependabot-preview[bot], dependabot[bot], elkfrawy-df, ic0xgkk, lucapalano, orthographic-pedant, pataquets, pyguy2, skavanagh, stoertebekerhst, vpop, willgopublic, yharsh, zeng-qinghui

bastillion's Issues

Error: No such file

I am trying to login to systems via SSH from Keybox. I have one working and the rest are being problematic, yet I can't pinpoint the difference between them.

When creating a Composite SSH Terminal Session I am asked for the password which I enter correctly.
Keybox responds with an error "Error: No such file" followed by "No sessions could be created"

I can ssh from the console of my Keybox machine to the target SSH system using the same ssh username and password with no problems.

Looking at the /var/log/secure on the target system, I find the following lines after the login attempt.

May 27 13:25:09 www sshd[23555]: Accepted password for ausip from 10.110.110.30 port 44494 ssh2
May 27 13:25:10 www sshd[23555]: pam_unix(sshd:session): session opened for user ausip by (uid=0)
May 27 13:25:10 www sshd[23559]: subsystem request for sftp

Any ideas what I am doing wrong?

Thanks
Paul

"Settings" section not displayed for LDAP users

I have set up AD LDAP authentication for KeyBox, and it works for authentication. The problem is that the "Settings" area is not linked anywhere in the UI when I log in with an AD/LDAP user. When I create a "Basic" user and give them full access, the option is displayed.

Space button is deleting characters on the terminal prompt

There is one issue related to the space character. Pressing space deletes the character to the left of the first user-inserted space.

How to reproduce:

Let the character '|' denote the current cursor position.

yharsh@github>Hi my name is harsh|
yharsh@github>Hi my na |me is harsh -----> First space is inserted between characters 'a' and 'm' of word "name"
Now position the cursor to the left of this space and press space. Say I position the cursor next to 'n' and press the space button. Now it will delete the characters 'a', ' ', 'm', 'e' and so on with consecutive presses.
yharsh@github>Hi my n|a me is harsh ------> Cursor is next to 'n'.
Press space button
yharsh@github>Hi my n | me is harsh -------> Space character has overwritten character 'a'.
Press space button
yharsh@github>Hi my n |me is harsh -------> Space character has overwritten character ' '.
Press space button
yharsh@github>Hi my n e is harsh -------> Space character has overwritten character 'm'.

Any help/fix in this regard is much appreciated.

Thanks
Harsh Yadav

hi

hi~~
java.lang.NullPointerException
at com.keybox.manage.util.SSHUtil.authAndAddPubKey(SSHUtil.java:260)
I've read the readme.md first and followed the document to change my config. After I 'addSystem', this exception occurred.
Actually I don't know much about how the program works, so can you please show more details about how to addSystem? (Can the keystore be empty? If not, how is it generated? How do I fill in the path of the Authorized Keys?)
By the way, my environment is jdk1.6, and the javax.websocket-api.jar has been added to the demo.
Any response will be greatly appreciated...

Password Complexity does not meet all policies

Please make the password policy configurable, e.g. set what character types have to be included, minimum length, forbidden words or parts (name, word list) ...

Just for the background story: we are moving away from complex passwords to easy-to-remember and even more secure ones.

https://xkcd.com/936/

authorized_keys file with wrong permissions

If there is no authorized_keys file on the system, Keybox creates the authorized_keys file with the wrong privileges on some distributions when a user without root privileges is used (if the password is used to access from Keybox).

$ ls -lt .ssh/authorized_keys
-rw-rw-r-- 1 caca caca 3610 18. Mai 15:51 .ssh/authorized_keys

SSH Logs (/var/log/secure)
May 18 15:57:54 popoch sshd[18943]: Authentication refused: bad ownership or modes for file /home/caca/.ssh/authorized_keys

The file permissions should be 600 (-rw-------). Keybox should force the use of the correct permissions.
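
An added example, not part of the original issue or of the KeyBox/Bastillion code: a shell helper that tests for the group/other write bits that make sshd's StrictModes check refuse a key file, as in the 664 listing above, and resets `.ssh` to 700 and `authorized_keys` to 600. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not KeyBox code); all function names are hypothetical.
# Usage after sourcing this file: harden_authorized_keys /home/<user>

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the path is neither group- nor world-writable.
# A file created under umask 002 ends up 664 and fails this test, which
# is the mode behind the "bad ownership or modes" refusal in the log.
is_strict_ok() {
    m=$(mode_of "$1") || return 2
    # Octal AND with 022 isolates the group-write and other-write bits.
    [ $(( 0$m & 022 )) -eq 0 ]
}

# Report over-permissive modes, then set ~/.ssh to 700 and
# authorized_keys to 600 under the given home directory.
# Ownership is not changed; run it as the account owner or as root.
harden_authorized_keys() {
    home=$1
    dir="$home/.ssh"
    file="$dir/authorized_keys"

    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi

    for p in "$dir" "$file"; do
        if ! is_strict_ok "$p"; then
            echo "too permissive: $p (mode $(mode_of "$p"))"
        fi
    done

    chmod 700 "$dir" && chmod 600 "$file"
}
```
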

Disable SSL/TLS?

Can SSL/TLS be disabled? Because my nginx already terminates SSL.

Common Key Pair for All Accounts

First, I am new to KeyBox, so I may not be doing everything perfect just yet.

For my install I have started it using a custom key pair, which works fine. This key is present on existing systems and I am able to create the initial connections as expected.

Since password authentication is disabled on my systems it seems I am required to leverage the custom key pair I started KeyBox with for every system account I want to be able to connect to. Is there a way to provide a secondary key pair to enable this first connection?

For instance, when I set up the system it would be nice if I could also provide the appropriate keys to enable the initial connection to the host for the account being used. This assumes the public key is already on the host within the user's authorized_keys file, but I can handle that in my automation.

Start Keybox as service

Is it possible to start Keybox as a service, or automatically on startup?

I would like to have it start automatically, but still have access to the console. I tried the /etc/rc.d/rc.local file, but due to Jetty's active state, I never got to the console login state.

Thanks in advance.
Paul

Export logs

Hello,

This project looks very promising.

It would be almost perfect if it was possible to export logs to file (or an external DB), to be processed in another context (SIEM, Splunk, Logstash, etc.). Or even to write them directly to file.

Is that something planned? Possible?

Thanks!

Regards,

KeyBoxConfig.properties

Would be nice to automatically handle "" in path names. Or at least a note that users shall use either "" or "/"

Thanks!

V1 keybox private key password

Hello,

Where would I find the password for the private key generated by keybox?

Is it in the database?

I need to be able to note it down in case of emergencies.

Thanks
John

Yubi integration

Hey,

Nice piece of software. Just asking if you are planning integration with Yubi key for OTP instead of Authenticator.

brgds
kramer

Moving KeyBox installation to a new server

I'd like to move my Keybox installation from my Mac to a dedicated Linux server.

I was hoping to just tar up the folder and run it on the new server, but sadly that is erroring.

I can get keybox to run fine on the new server, and it runs without errors on my mac, I just can't seem to get my tar'ed version running.

What is the simplest process to move my existing data from one setup to another?

Font change?

Hi! I hope this is the correct format for a question? Is there any way to change the font used? Eg. Lucida Console (As used in Putty?)

T

Upgrades to 2.0?

We are using v1.08.54 and were wondering what the upgrade process to 2.0 is?

I've tried just dumping the 2.0 download on top of our current install but that didn't work (I didn't really expect it to, so of course backed it up first!)

Using a context path

Hi,

I use your app with the jetty package.
I add a context path in jetty/contexts/webapp.xml :
/term/

This is for a reverse proxy purpose.

It's working except for 2 points for now:
In the terminal page, on exit, it fails because it sends me back to /manage/ instead of /term/manage/
Same in the terminal page for the upload link

Is this set by some settings I failed to get or is it inside your app?

Terminals opened to same host instead of different hosts

Occasionally, when opening multiple terminals at the same time, instead of opening terminals to host 1, 2 and 3, there are 3 windows opened up, with the titles as expected (host 1, host2, host 3), but the terminals are actually all connected to host 1, as confirmed by the bash prompt and running hostname -i.

This problem is intermittent, so presumably some sort of timing issue.

Any idea what could be causing it? There were no errors in the output.

Custom user keys not working

After my initial setup leveraging a custom key pair, I have been able to create new user keys within the application and have them propagated to the appropriate systems.

However, if I remove the custom key (used to start KeyBox) from the system/account’s authorized_key file the user is not able to connect to the system. The secondary keys I created within the application for the user continue to exist in the system account authorized_key file, but the user is unable to connect from the UI. Is this intended functionality or do I potentially have something set up incorrectly?

Agent forwarding

It would be really handy to have the ability to turn on agent forwarding in keybox. Sometimes there's a need to ssh to a server, and from that server ssh to a third server. Use case: Customer server, which needs to rsync or scp tarballs from a support server.
With agent forwarding the intermediary server doesn't need to have any private keys on it.

It just occurred to me that if keybox ultimately invokes the system openssh, the agent forwarding option could be set in the ssh config. Then I'd just need to add keybox's key to the keybox user's agent and I'd be all set.

Add publickey with errors (FULL ACCESS account)

If you attempt to add a public key as a full access user and fail with it (forgot to add the key name), the listbox for the profiles gets emptied, making it impossible to select a profile other than All Systems.

Auth Cancel

I just installed KeyBox (first time).

When I start adding systems with the root user and give the correct root password, KeyBox throws "Error: Auth cancel".

Please advise.

Shanmu

Duplicate Session

I was thinking an awesome feature add would be some way to "duplicate" a session from within the composite terms screen.
Basically the "Duplicate Session" functionality from putty.
Either a button at the top of each shell window, or a drag and drop area like the disconnect option.
When that button is pressed or a shell is dragged to that area, another shell to the same machine with the same credentials should be created as a new shell window. Having the ability to have multiple sessions open to the same machine is super useful when doing things like comparing configurations or maybe running an app in one and modifying files in another during development.

Let user upload their own public keys?

I would love to use KeyBox to distribute SSH keys to our servers.

However, I don't like the fact that they still have to send their keys to the admins (me), then I'm going to assign it in KeyBox and then distribute to the servers.

Why not just let the admins assign the users to specific roles/servers, then let them upload their own key in their KeyBox account.

At the moment the (non-admin) KeyBox account is just to use web sessions, right?

Not sure if I am missing something, please let me know :)

Tablet/Smartphone issue: Cannot type in the terminal window

I guess because the browser triggers the (soft) keyboard when focus goes to Form elements like input, textarea.
However, when the control is inside the terminal element, the keyboard isn't triggered.

This may be a term.js limitation.
Also, I'm still trying to figure out how to send Ctrl+[key] combinations.

Where to determine version?

If you've installed using the tarball that bundles jetty, there doesn't appear to be any way to tell what version of keybox is running (for determining what needs to be done to upgrade to a new version, for example.)

If you are building from source, the pom file is available. But that doesn't exist in the bundle archive.

External Authentication

Feature Request: Would it be possible to add external authentication for user accounts e.g. ldap/AD so they can use the same combination as used elsewhere but the KeyBox specific stuff such as profiles and systems can remain in KeyBox?

Keyboard Layout

I've recognized that the German Keyboard Layout is not properly supported. Most keys work but not the keys that require German users to press AltGr + the Key, like: [,],@~} . I'm sure other keyboard layouts are affected too. But who is brave enough to try a French keyboard :-)

Any idea how this could be solved? Thank you Sean.

Unable to migrate to 2.82 w/ MVStore db

My keybox version 2.76.00 is running with a keybox.mv.db file, now I can't upgrade it to the latest version w/ the keybox-upgrade tool.

Output of keybox-upgrade-2_80.jar:
Upgrade failed
org.h2.jdbc.JdbcSQLException: Table "USERS" not found; SQL statement:
alter table users add auth_type varchar not null default 'BASIC' [42102-174]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:332)
at org.h2.message.DbException.get(DbException.java:172)
at org.h2.message.DbException.get(DbException.java:149)
at org.h2.command.Parser.readTableOrView(Parser.java:4900)
at org.h2.command.Parser.readTableOrView(Parser.java:4878)
at org.h2.command.Parser.parseAlterTable(Parser.java:4951)
at org.h2.command.Parser.parseAlter(Parser.java:4412)
at org.h2.command.Parser.parsePrepared(Parser.java:316)
at org.h2.command.Parser.parse(Parser.java:289)
at org.h2.command.Parser.parse(Parser.java:261)
at org.h2.command.Parser.prepareCommand(Parser.java:226)
at org.h2.engine.Session.prepareLocal(Session.java:437)
at org.h2.engine.Session.prepareCommand(Session.java:380)
at org.h2.jdbc.JdbcConnection.prepareCommand(JdbcConnection.java:1138)
at org.h2.jdbc.JdbcStatement.executeInternal(JdbcStatement.java:168)
at org.h2.jdbc.JdbcStatement.execute(JdbcStatement.java:156)
at Upgrade.main(Upgrade.java:33)

Output of keybox-upgrade-2_82.jar:
Upgrade failed
org.h2.jdbc.JdbcSQLException: Table "TERMINAL_LOG" not found; SQL statement:
alter table terminal_log add instance_id INTEGER [42102-174]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:332)
at org.h2.message.DbException.get(DbException.java:172)
at org.h2.message.DbException.get(DbException.java:149)
at org.h2.command.Parser.readTableOrView(Parser.java:4900)
at org.h2.command.Parser.readTableOrView(Parser.java:4878)
at org.h2.command.Parser.parseAlterTable(Parser.java:4951)
at org.h2.command.Parser.parseAlter(Parser.java:4412)
at org.h2.command.Parser.parsePrepared(Parser.java:316)
at org.h2.command.Parser.parse(Parser.java:289)
at org.h2.command.Parser.parse(Parser.java:261)
at org.h2.command.Parser.prepareCommand(Parser.java:226)
at org.h2.engine.Session.prepareLocal(Session.java:437)
at org.h2.engine.Session.prepareCommand(Session.java:380)
at org.h2.jdbc.JdbcConnection.prepareCommand(JdbcConnection.java:1138)
at org.h2.jdbc.JdbcStatement.executeInternal(JdbcStatement.java:168)
at org.h2.jdbc.JdbcStatement.execute(JdbcStatement.java:156)
at Upgrade.main(Upgrade.java:33)

Home/End/PgUp/PgDown keys not mapped?

Hi,

When I'm in a terminal window and press Home or End, I'd expect to move to the start or end of the line, but instead I get a character "$" or "#" output - is it possible to have the Home and End keys work as a local terminal?

Page up and down also do something similar.

I've tried this using 2.82, and Firefox 31.6

Add the ability for multiple users to collaborate on a session?

For training and support purposes, it would be ideal for 2 (or more) users to share a single shell session using KeyBox. I have often started on a similar project to implement said functionality, but never quite had the time to really get it done. Perhaps I could assist in developing that functionality for KeyBox?

Adding private keys

Any plans for this? I tend not to allow password access to systems, so authentication by RSA key pair would be a great feature.

New user account creation

Hello,

This is almost exactly what we are looking for. Is it possible to have new 'unprivileged' user accounts created on the systems?

Feature request: User / PW support for initial host setup

In some cases the keybox key is NOT the key we've used during provisioning. So I'd like to see an option to open the first time connection via username/password if no key has been applied to a host by keybox before.

I'd not offer this function for users at all. Keys are preferred. But it would help to set up the hosts for keybox use.

From a discussion with skavanagh:
"When you add a host it should prompt you for username and password if the key is not set. And you should be able to set a custom key for keybox to use by doing."

So I leave this open for discussion. - Thanks for additional ideas.

Per-system key management option.

Right now, it's possible to either keep key management enabled, or disable it completely.

It would be nice to have more granularity over the key management system, either by allowing a per-server configuration, or a profile-wide option.

API

Hello!

I've stumbled over your great tool which seems to perfectly fit my needs for a possible project.

It would be great if there would be an API to create users from another location and trigger actions like deploying keys. Will there be a chance to see an API implemented in the near future?

Keep up the good work!

Best regards

LDAP / 2.80.00

Hi,
I notice you've started some work on LDAP support in the upcoming 2.80 release.
I had a requirement for this recently, and implemented a quick and crude crowbar to put LDAP support into KeyBox in a fork here:
https://github.com/peterbroadhurst/KeyBox
I'll be pleased to throw away my patched version in favour of 2.80 when it arrives, but I did want to pass on a couple of things about what I did in case it helps:

  • I chose instead of putting in an LDAP specific auth mechanism, to put in a JAAS auth mechanism and then simply configure the JAAS plugin provided in my JVM. This felt like the most extensible option, as other JAAS plugins (including custom) could be put in. The plugin in my case is com.ibm.security.auth.module.LdapLoginModule, but there's a LDAPLoginModule supplied with most/all flavours of JVM I believe.
  • In my use case, I need to be able to specify multiple LDAP servers for redundancy. For the JAAS plugin of my JVM, I can just space separate the URIs. Hopefully that could be factored into the official KeyBox solution (wasn't clear from the draft readme on the 2.80).
  • In my use case, I need to be able to specify which field of the DN is substituted (UID, CN etc.). This is all catered for by the JAAS plugin, so hopefully it would also be in KeyBox (wasn't clear from the readme).

Change terminal colors?

It would be nice to have dark backgrounds and light text. Or at least have that configurable according to taste. It also has a practical use. You could for instance have different colors depending on machines for production and development.

SSH Fingerprints

As far as I see, KeyBox does not save and check SSH fingerprints.
This would be a really nice addition.
