From: Roel Sergeant <rsergeant@gmail.com>
To: help-gnu-emacs@gnu.org
Subject: Re: SSH blocks account when running within emacs
Date: Wed, 21 Nov 2012 07:15:21 +0100 [thread overview]
Message-ID: <CAHktkOM0suv0Ji_jEZma5YY=D9R3rq4hF3ExfbubgHXGtuYYfw@mail.gmail.com> (raw)
In-Reply-To: <20121120212240.GA16931@hysteria.proulx.com>
[-- Attachment #1: Type: text/plain, Size: 4645 bytes --]
Thanks Bob,
On Tue, Nov 20, 2012 at 10:22 PM, Bob Proulx <bob@proulx.com> wrote:
> Roel Sergeant wrote:
> > I've have this weird issue with emacs. It seems since 3 days when I use
> ssh
> > (or cvs over ssh) from within an emacs shell it blocks... It even makes
> my
> > host appear on the black-list on the server (had to ask the admins of
> that
> > machine several times to allow connection from my host again).
>
> If the remote host is banning you then you are starting a connection
> and failing to complete it. This should not ever be a permanent ban.
> That is always bad because it allows a denial of service attack. The
> most popular project is http://www.fail2ban.org/ which by default bans
> an IP address for ten minutes and then enables it again. A temporary
> ban is the standard best practice to rate limit attacks while at the
> same time avoiding denial of service for valid users. If your remote
> admins are permanently blacklisting based upon failures you might
> remind them that doing it that way is a bad thing. But if they are
> enabling the IP again after a short delay then you simply must wait
> for the short delay to expire so that you are automatically enabled
> again.
OK, that makes sense and they do indeed block it only for a short time.
> > If I do the same thing outside of emacs it works fine (I did several
> > connections to the server and even updated my source tree), but the first
> > time I tried it again from within emacs it blocks me again.
> >
> > I already deleted/moved/cleaned my .emacs.d directory and .emacs. I also
> > removed the private keys from .ssh and removed the known_hosts, but none
> of
> > these seems to solve this problem.
> >
> > Anything I can check that is emacs related? I'm using version 24.2.1 on
> > NetBSD. Except for some modes for syntax highlighting and temp
> directories
> > I have it pretty standard. Any pointer are welcome...
>
> Is it asking you for a password? Is it asking you for a passphrase?
> Is it using a SSH_ASKPASS defined service? Are you using an ssh rsa
> key? Why not? I think it most likely that you are running into
> problems during these phases.
>
I use user/password authentication, but it doesn't ask for a password when
within emacs, but it does so in a normal shell.
I tried setting it up with an rsa key, but it seems a cron job is running
that
removes authorized_keys from user profiles (or they are copying profiles
because they have multiple servers. I have to dig deeper into that after
this issue is fixed).
The debug decision tree is somewhat complicated with several different
> possibilities at several different levels in the debug tree. This
> makes pursuing all possible problems in one exchange difficult and
> practically impossible. But here are a few hints for the most common
> problems.
>
> While in your emacs shell at the same point that you would run the
> command 'cvs up' or whatever look to see what environment variables
> are defined.
>
> $ env | grep -i ssh
> SSH_AGENT_PID=6963
> SSH_AUTH_SOCK=/tmp/ssh-Et2xWGLY52jb/agent.6927
>
> That is a normal output from my environment running the ssh-agent. If
> you have SSH_ASKPASS defined then I would unset it. Try clearing all
> variables from the environment using 'env -i'. Note that cvs obtains
> HOME from the password file.
>
> $ env -i PATH=$PATH cvs up
> Enter passphrase for key '/home/rwp/.ssh/id_rsa':
> cvs update: Updating .
>
> I would avoid debugging against your production remote machine.
> Instead use a different victim machine that won't blacklist you for
> repeated failures while debugging your problem. Working against the
> "localhost" machine seems reasonable. Create a local repository and
> then check it out from "localhost" using the remote ssh protocol.
> Then debug your problem using it. Once the problem has been found and
> fixed then return to using your remote production machine.
I tried this on a non-production setup and up to now no solution,
but I did find the following using the verbose option on ssh:
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
Permission denied, please try again.
So it seems from within emacs it can't read from /dev/tty. Outside emacs
this works (I'm assuming it either finds /dev/tty or uses the actual device
needed).
From env I have the following related to terminals..
In emacs:
TERM=dumb
SSH_TTY=/dev/pts/0
In a normal shell:
TERM=screen -or- TERM=linux
SSH_TTY=/dev/pts/0
Any ideas?
Thanks,
Roel.
[-- Attachment #2: Type: text/html, Size: 6478 bytes --]
next prev parent reply other threads:[~2012-11-21 6:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-20 19:43 SSH blocks account when running within emacs Roel Sergeant
2012-11-20 21:22 ` Bob Proulx
2012-11-21 6:15 ` Roel Sergeant [this message]
2012-11-21 12:08 ` OT: Allowing PAM auth and reverting authorized_keys?! (Was: SSH blocks account when running within emacs) Jeremiah Dodds
2012-11-21 12:26 ` Roel Sergeant
2012-12-01 8:13 ` SSH blocks account when running within emacs Bob Proulx
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHktkOM0suv0Ji_jEZma5YY=D9R3rq4hF3ExfbubgHXGtuYYfw@mail.gmail.com' \
--to=rsergeant@gmail.com \
--cc=help-gnu-emacs@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.