configuring a 'permission' for SSH breaks SSH access #91

Closed
jtriley opened this issue Mar 14, 2012 · 0 comments
jtriley commented Mar 14, 2012

From the StarCluster mailing list:

http://mailman.mit.edu/pipermail/starcluster/2012-March/001115.html

I was using starcluster start to start an EBS AMI, and everything seemed to be working fine -- it would start up & I would be able to ssh into it with 'sshmaster'.

Then I wanted to add https to the security group permissions on startup, so I modified my '[cluster smallcluster]' config settings to include

PERMISSIONS = ssh, https

and then added

[permission ssh]
protocol=tcp
from_port=22
to_port=22

[permission https]
protocol=tcp
from_port=443
to_port=443

at the bottom of the config file.

This worked partially: https was now allowed. But ssh wasn't any more!

I can disable https and enable ssh on start by commenting out PERMISSIONS; or disable ssh and enable https by uncommenting PERMISSIONS.

zstone pushed a commit to zstone/StarCluster that referenced this issue Mar 19, 2012
The cluster_group property applies all user-specified permissions when
creating or fetching the cluster's security group. If the user
customizes the SSH permissions StarCluster removes the public CIDR_IP
permission in order to accommodate stricter CIDR_IP settings (e.g.
limiting access to a single IP). This is needed because in general
all CIDR_IPs for a given security group rule are allowed access which
means if 0.0.0.0/0 is in the list then *all* users have access
regardless of other CIDR_IPs.

The previous logic would remove 0.0.0.0/0 from the CIDR_IP list if *any*
ssh rule was specified by the user. This is fine except when users don't
specify a custom CIDR_IP - in this case the code ends up removing the
SSH rule completely given that only a single CIDR_IP (0.0.0.0/0) exists
and it's blindly removed. Updated this logic to remove the public CIDR_IP
(0.0.0.0/0) from the SSH rule *only* if the custom SSH permission
explicitly specifies a CIDR_IP other than the public CIDR_IP. This
avoids ever removing the SSH rule entirely and prevents locking users
out of their cluster(s).

closes jtrileygh-91
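
The before/after behaviour described in the commit message, as an added example that is not StarCluster's code: a simplified in-memory model in which the security group is a mapping from rule to allowed CIDRs. The function names, the `fixed` flag, the exact-match test for the SSH rule and the 203.0.113.7/32 address are assumptions made for illustration.

```python
PUBLIC = "0.0.0.0/0"
SSH = ("tcp", 22, 22)


def build_group(permissions, fixed):
    """Return {(protocol, from_port, to_port): set of CIDRs} after applying
    the user's [permission] sections to a group that starts with public SSH."""
    group = {SSH: {PUBLIC}}  # default rule created for every cluster
    for perm in permissions:
        key = (perm["protocol"], perm["from_port"], perm["to_port"])
        cidr = perm.get("cidr_ip", PUBLIC)  # omitted CIDR_IP means public
        group.setdefault(key, set()).add(cidr)
        if key != SSH:
            continue
        # Old logic: any custom SSH permission strips the public CIDR.
        # Fixed logic: strip it only when a non-public CIDR was requested.
        if not fixed or cidr != PUBLIC:
            group[SSH].discard(PUBLIC)
    # A rule with no CIDRs left no longer exists in the security group.
    return {key: cidrs for key, cidrs in group.items() if cidrs}


def ssh_sources(group):
    """CIDRs allowed to reach port 22; an empty set means locked out."""
    return group.get(SSH, set())


# Constructed inputs: the reporter's config, and a restricted variant.
REPORTED = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22},
    {"protocol": "tcp", "from_port": 443, "to_port": 443},
]
RESTRICTED = [dict(REPORTED[0], cidr_ip="203.0.113.7/32"), REPORTED[1]]

if __name__ == "__main__":
    for name, perms in (("reported", REPORTED), ("restricted", RESTRICTED)):
        for fixed in (False, True):
            label = "fixed" if fixed else "old"
            print(name, label, sorted(ssh_sources(build_group(perms, fixed))))
```

With the reporter's config the old logic leaves no SSH rule at all while HTTPS stays open; the restricted variant ends up with only the single address under both versions.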