Add Docker for SSH + 2FA + X11

Author: kinow

autosubmit/platforms/paramiko_platform.py

@@ -105,12 +105,7 @@ def __init__(self, expid: str, name: str, config: dict, auth_password: Optional[
         self._wrapper = None
         self.remote_log_dir = ""
         # self.get_job_energy_cmd = ""
-        display = os.getenv('DISPLAY', "localhost:0")
-        try:
-            self.local_x11_display = xlib_connect.get_display(display)
-        except Exception as e:
-            Log.warning(f"X11 display not found: {e}")
-            self.local_x11_display = None
+        self._init_local_x11_display()
 
     @property
     def header(self):
@@ -313,14 +308,7 @@ def connect(
         :param log_recovery_process: Specifies if the call is made from the log retrieval process.
         """
         try:
-            display = os.getenv('DISPLAY')
-            if display is None:
-                display = "localhost:0"
-            try:
-                self.local_x11_display = xlib_connect.get_display(display)
-            except Exception as e:
-                Log.warning(f"X11 display not found: {e}")
-                self.local_x11_display = None
+            self._init_local_x11_display()
             self._ssh = _create_ssh_client()
             self._ssh_config = paramiko.SSHConfig()
             if as_conf:
@@ -1044,7 +1032,9 @@ def x11_status_checker(self, session, session_fileno):
                             counterpart.close()
                             del self.channels[fd]
 
-    def exec_command(self, command, bufsize=-1, timeout=30, get_pty=False, retries=3, x11=False):
+    def exec_command(
+            self, command, bufsize=-1, timeout=30, get_pty=False, retries=3, x11=False
+    ) -> Union[tuple[paramiko.Channel, paramiko.Channel, paramiko.Channel], tuple[bool, bool, bool]]:
         """
         Execute a command on the SSH server.  A new `.Channel` is opened and
         the requested command is execed.  The command's input and output
@@ -1067,16 +1057,11 @@ def exec_command(self, command, bufsize=-1, timeout=30, get_pty=False, retries=3
         while retries > 0:
             try:
                 if x11:
-                    display = os.getenv('DISPLAY')
-                    if display is None or not display:
-                        display = "localhost:0"
-                    try:
-                        self.local_x11_display = xlib_connect.get_display(display)
-                    except Exception as e:
-                        Log.warning(f"X11 display not found: {e}")
-                        self.local_x11_display = None
+                    self._init_local_x11_display()
                     chan = self.transport.open_session()
-                    chan.request_x11(single_connection=False, handler=self.x11_handler)
+                    if not chan.request_x11(single_connection=False, handler=self.x11_handler):
+                        # FIXME: test this!
+                        raise AutosubmitCritical(f"Remote platform does not support X11!")
                 else:
                     chan = self.transport.open_session()
                 if x11:
@@ -1085,12 +1070,11 @@ def exec_command(self, command, bufsize=-1, timeout=30, get_pty=False, retries=3
                         if timeout_command == 0:
                             timeout_command = "infinity"
                         command = f'{command} ; sleep {timeout_command} 2>/dev/null'
-                    # command = f'export display {command}'
                     Log.info(command)
                     try:
                         chan.exec_command(command)
-                    except BaseException as e:
-                        raise AutosubmitCritical(f"Failed to execute command: {e}")
+                    except Exception as e:
+                        raise AutosubmitCritical(f"Failed to execute command '{command}': {e}")
                     chan_fileno = chan.fileno()
                     self.poller.register(chan_fileno, select.POLLIN)
                     self.x11_status_checker(chan, chan_fileno)
@@ -1552,6 +1536,21 @@ def read_file(self, src: str, max_size: int = None) -> Union[bytes, None]:
             Log.debug(f"Error reading file {src}")
             return None
 
+    def _init_local_x11_display(self) -> None:
+        """Initialize the X11 display on this platform."""
+        display = os.getenv('DISPLAY', 'localhost:0')
+        try:
+            self.local_x11_display = xlib_connect.get_display(display)
+        except Exception as e:
+            Log.warning(f"X11 display not found: {e}")
+            self.local_x11_display = None
+
+    def _init_poller(self):
+        if sys.platform != "linux":
+            self.poller = select.kqueue()
+        else:
+            self.poller = select.poll()
+
 
 class ParamikoPlatformException(Exception):
     """

docker/ssh/linuxserverio-ssh-with-2fa-x11/Dockerfile

@@ -0,0 +1,14 @@
+FROM ghcr.io/linuxserver/openssh-server:latest
+
+RUN \
+  echo "**** install runtime packages ****" && \
+  apk add --no-cache --upgrade \
+    google-authenticator \
+    xauth \
+    xclock \
+    xorg-server && \
+  rm -rf \
+    /tmp/* \
+    $HOME/.cache
+
+ADD rootfs/ /

docker/ssh/linuxserverio-ssh-with-2fa-x11/README.md

@@ -0,0 +1,104 @@
+# linuxserverio-ssh-2fa-x11
+
+This is a container based on the [SSH image of LinuxServer.io](https://docs.linuxserver.io/images/docker-openssh-server/).
+This image is already used in other tests of Autosubmit, and was tested on EDITO as well.
+
+Here, we use that image as base image, and install and configure two-factor authentication
+with Google Authenticator. The image uses a test key for Google Authenticator, and a list
+of five backup codes. For testing, we only use the backup codes, as the container is
+destroyed after every test (i.e. you can connect up to five times, but normally a
+test will require just one connection).
+
+The container also contains the required tools and configuration to support X11 forwarding,
+which is used in other tests where Autosubmit configures the Python Paramiko SSH Library
+to do X11 forwarding.
+
+The idea of this container is a box to be used in tests to prevent regressions with
+users that use platforms with 2FA enabled, and users that rely on X11 for their
+workflows.
+
+> NOTE: Use this only in integration tests.
+
+The container with just SSH and Google Authenticator occupies 38.5 MB.
+When the X11 libraries are added (`xorg-server`, `xauth`, and `xclock` for testing)
+it grows to 395 MB. So be aware of that when running these locally.
+
+> TODO: Maybe we can find a smaller or test X11 server?
+
+## Building
+
+To build the container (note the `--load`, needed when using `buildx`, remove it if not):
+
+```bash
+$ docker build --load . -t autosubmit/linuxserverio-ssh-2fa-x11:latest
+```
+
+## Running
+
+By default, the container will listen on port 22, it will have X11 installed
+and configured, but 2FA will not be enabled.
+
+To run the container, you can use the same arguments as the LinuxServer.io
+image, plus the `MFA=<bool>` flag to control whether 2FA is enabled or not:
+
+```bash
+$ docker run \
+  --rm \
+  --name ssh \
+  -p1234:22 \
+  --env MFA=false \
+  --env TZ=Etc/UTC \
+  --env SUDO_ACCESS=false \
+  --env USER_NAME=as_user \
+  --env USER_PASSWORD=password \
+  --env PUID=1000 \
+  --env PGID=1000 \
+  --env UMASK=000 \
+  --env PASSWORD_ACCESS=true \
+  autosubmit/linuxserverio-ssh-2fa-x11:latest
+```
+
+To connect via SSH, you will need to run the following (note: this can be
+automated in a Pytest fixture!):
+
+```bash
+$ docker exec -ti ssh /bin/bash
+root@c55bcd13ae8f:/# mkdir /root/.ssh
+root@c55bcd13ae8f:/# echo "ssh-rsa AAAAB3...." > /root/.ssh/authorized_keys
+root@c55bcd13ae8f:/# 
+exit
+$ ssh -X root@localhost -p 1234
+```
+
+At this point, you should be connected, and you should be able to run the
+`xclock` program in the SSH server to verify that X11 forwarding is working.
+
+To run it with 2FA, you must specify the environment variable `MFA=true`
+when running the container:
+
+```bash
+$ docker run \
+  ... \
+  --env MFA=true \
+  ... \
+  autosubmit/linuxserverio-ssh-2fa-x11:latest
+```
+
+Repeat the previous steps for the SSH key, then try to connect via SSH.
+
+When challenged for the SSH 2FA code, you can use the first of the list of
+backup codes, `55192054`. Remember that that code is a one-time use.
+
+The current secret for Google Authenticator is `X5C4VLHDCECGFHPP3PHDCS7KAE`,
+and the backup codes available are:
+
+- 55192054
+- 18998816
+- 51868999
+- 99315827
+- 42932878
+
+If you rebuild the image, just `docker login` and `docker push`, taking
+care to use the correct image, and testing it as well.
+
+Happy testing!

docker/ssh/linuxserverio-ssh-with-2fa-x11/rootfs/etc/s6-overlay/s6-rc.d/init-openssh-mfa-config/dependencies.d/init-openssh-server-config

@@ -0,0 +1,20 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+USER_NAME=${USER_NAME:-linuxserver.io}
+HOME_DIR=$(getent passwd "${USER_NAME}" | cut -d: -f6)
+
+if [[ "$MFA" == "true" ]]; then
+  echo "Enabling SSH MFA"
+  # sshd
+  sed -i 's/#UsePAM no/UsePAM yes/' /config/sshd/sshd_config
+  sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /config/sshd/sshd_config
+  echo "AuthenticationMethods password keyboard-interactive" >> /config/sshd/sshd_config
+  echo "ChallengeResponseAuthentication yes" >> /config/sshd/sshd_config
+  # google authenticator
+  echo -e 'X5C4VLHDCECGFHPP3PHDCS7KAE\n" TOTP_AUTH\n55192054\n18998816\n51868999\n99315827\n42932878' > "${HOME_DIR}/.google_authenticator"
+  chmod 0600 "${HOME_DIR}/.google_authenticator"
+  chown "${USER_NAME}": "${HOME_DIR}/.google_authenticator"
+else
+  echo "SSH MFA is disabled"
+fi

docker/ssh/linuxserverio-ssh-with-2fa-x11/rootfs/etc/s6-overlay/s6-rc.d/init-openssh-mfa-config/run

@@ -0,0 +1 @@
+oneshot

docker/ssh/linuxserverio-ssh-with-2fa-x11/rootfs/etc/s6-overlay/s6-rc.d/init-openssh-mfa-config/type

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-openssh-mfa-config/run

docker/ssh/linuxserverio-ssh-with-2fa-x11/rootfs/etc/s6-overlay/s6-rc.d/init-openssh-mfa-config/up

@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+echo "Enabling X11 in SSH server"
+
+sed -i 's/X11Forwarding no/X11Forwarding yes/' /config/sshd/sshd_config
+sed -i 's/#X11DisplayOffset 10/X11DisplayOffset 10/' /config/sshd/sshd_config
+sed -i 's/#X11UseLocalhost yes/X11UseLocalhost yes/' /config/sshd/sshd_config
+

docker/ssh/linuxserverio-ssh-with-2fa-x11/rootfs/etc/s6-overlay/s6-rc.d/init-openssh-x11-config/dependencies.d/init-openssh-mfa-config

@@ -0,0 +1 @@
+oneshot