[BlueOnyx:20330] Re: New Feature for 5207R/5208R/5209R: Shellinabox

"Meaulnes Legler"@MailList bluelist at waveweb.ch
Sun Dec 4 04:45:44 -05 2016


hello Michael

this shellinabox feature is cool! two questions:

• how can I open this shell in a separate window? right now, it's framed in a fixed-width window with a large font, which makes confusing carriage returns at the prompt line...

• I *could* access root from the admin login with `su -` as shown here:

login: admin
Password:
Last login: Tue Jun 14 16:19:19 from 93.37.188.72
[admin at legler.net ~] 10:26:00 33$
[admin at legler.net ~] 10:26:03 33$
[admin at legler.net ~] 10:26:03 33$ su -
Password: ler.net ~] 10:26:03 33$ su -
[root at legler.net ~] 10:26:20 486#
[root at legler.net ~] 10:26:29 486#
[root at legler.net ~] 10:26:42 486# ^C
mioot at legler.net ~] 10:26:42 486# whoa
root
[root at legler.net ~] 10:26:51 487#

Do I have a security issue?

Note the whoami line and its carriage return problem due to the narrow browser frame.

Thank you and best regards

Meaulnes Legler
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ http://www.WaveWeb.ch ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~  Zurich, Switzerland  ~
~  +41\0 44 260 16 60   ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~



On 25.11.16 00:37, Michael Stauber wrote:
> Hi all,
>
> The least used function on BlueOnyx is probably "Personal Profile" /
> "Programs" / "SSH". It used an ancient Java-Applet to allow SSH login to
> the server via the GUI.
>
> Even at best of times *this* was rather useless. Now with most modern
> browsers shunning Java it's pointless.
>
> So I just took the opportunity to replace this with something more
> modern that works in any browser without exotic plugins and allows you
> to directly access the Shell on a BlueOnyx via the GUI:
>
> Shellinabox
> ************
>
> https://github.com/shellinabox/shellinabox
>
> Conditions:
> ============
>
> - "Shellinabox" must be enabled under "Network Services" / "Shell".
> - User must be able to login to the GUI
> - User must have shell access enabled
> - User accesses "Programs" / "Console Login" from within the GUI.
>
> By default the service "shellinaboxd" is *not* enabled or running. So if
> you want to use that feature, you have to turn it on via the GUI first.
>
> Technical details:
> ==================
>
> Shellinabox runs a daemon named "shellinaboxd", which brings its own
> webserver with it. In our implementation it binds to 127.0.0.1:4200 and
> is therefore not reachable via the outside world. Because we want to
> play it safe.
>
> Shellinabox can either route connections to SSHd, or the Console service
> to directly open a PTY terminal. We use the latter and establish a direct
> terminal session. Because SSH might have been locked down via
> hosts.allow/hosts.deny or may have password authentication disabled and
> therefore would expect SSH keys. Hence direct console access is preferable.
>
> AdmServ has been reconfigured so that a certain URL will redirect
> traffic via mod_proxy to 127.0.0.1:4200 and therefore to Shellinabox.
> But only if the access was initiated via the GUI. Otherwise it'll
> redirect to a 403 error page.
>
> In our default implementation the daemon for "Shellinabox" is disabled.
> After all, this is a new daemon for a little used feature. Who wants it
> active on his own server can turn it on himself via the GUI on an as
> needed basis.
>
> When you access Shellinabox in the GUI via your browser, you get a login
> prompt at which you can login with a valid username and password if that
> user has shell access enabled.
>
> Direct login as "root" is not possible. Direct "su -" as "admin" to gain
> root access works on 5207R/5208R, but not on 5209R due to Systemd
> related issues. There you can "su root-<username>" to that of an
> existing System-Administrator with enabled "shell access" if need be.
> The GUI mentions this if you're trying to access it as "admin".
>
> Once on the shell, pretty much everything works as if in a real SSH or
> Terminal client. You can fire up "mc", "pico", "nano", can run "top" and
> all the function keys work and colors are as you'd expect them to be.
> The only thing that doesn't seem to work is the auto-completion of
> commands via the tabulator key. All things considered it's pretty neat
> and useful and needs no exotic browser plugins.
>
> It also helps us with support cases where people are unable to open SSH
> for this or that reason (typically: firewall issues). In which case we
> can then use the GUI to access the shell if need be and if the user
> provides us with GUI access of sufficient privileges in his support ticket.
>
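
Added example, not part of either message and not BlueOnyx code: a way to confirm the loopback-only binding on port 4200 that the announcement describes, by classifying the listeners shown in `ss -ltn` output. The function name `check_loopback_only` is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# check_loopback_only PORT
#   Reads `ss -ltn` output on stdin (a header line is skipped automatically).
#   Prints "ok <addr>" or "EXPOSED <addr>" for each listener on PORT.
#   Returns 0 if every listener on PORT is loopback,
#           1 if any listener is bound to a non-loopback address,
#           2 if nothing listens on PORT at all.
check_loopback_only() {
    awk -v port="$1" '
        {
            local_addr = $4                     # column 4 is Local Address:Port
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next          # text after the last ":" is the port
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            sub(/%.*$/, "", host)               # drop an interface scope such as %lo
            gsub(/^\[|\]$/, "", host)           # strip IPv6 brackets
            seen = 1
            if (host ~ /^127\./ || host == "::1") {
                print "ok " host
            } else {
                print "EXPOSED " host           # wildcard or routable address
                bad = 1
            }
        }
        END { if (!seen) exit 2; exit bad ? 1 : 0 }
    '
}

# Constructed sample: the loopback-only binding described in the announcement.
sample_loopback='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4200     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: the same port bound to all interfaces (IPv4 and IPv6).
sample_wildcard='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:4200             *:*
LISTEN 0      128    [::]:4200          [::]:*'

printf '%s\n' "$sample_loopback" | check_loopback_only 4200
printf '%s\n' "$sample_wildcard" | check_loopback_only 4200 \
    || echo "port 4200 is reachable from other hosts"
```

On a live server the input comes from `ss -ltn | check_loopback_only 4200`; a return code of 2 simply means the daemon is not running, which is its default state according to the announcement.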




