[Pkg-ltsp-devel] Bug#471793: [Ltsp-developer] properly closing ldm logins

Vagrant Cascadian vagrant at freegeek.org
Wed Aug 20 18:44:05 UTC 2008


i've been working on getting pam logouts, and figured i'd forward some
of the information:

----- Forwarded message from Vagrant Cascadian <vagrant at freegeek.org> -----

 Date: Wed, 20 Aug 2008 10:23:03 -0700
 From: Vagrant Cascadian <vagrant at freegeek.org>
 To: ltsp-developer at lists.sourceforge.net
 Subject: [Ltsp-developer] properly closing ldm logins

so, the basic story is that we do an ugly hack to make sure when you log
out of an ldm session, ssh closes the connection and logs out.

this ugly hack is tacking on the end of the ssh call to Xsession,
ltspfsmounter, etc.:

  kill -1 $PPID

without it, logouts tend to hang (at least with older versions of
openssh-server, more later).

PPID is set to the pid of the sshd socket closed, so this effectively
breaks the ssh connection, but in a very unclean manner. this has a
couple drawbacks:

  * ldm's logout scripts (/usr/share/ldm/rc.d/K*) do not have access to
    the ssh tunnel
  * pam doesn't properly register the logout, so any pam hooks executed
    on logout will not work (http://bugs.debian.org/471793)

there was a patch to use "ssh -O exit", but this doesn't work with older
openssh-server versions (seems to work on debian lenny with 5.1, but not
4.7- would be good to get feedback from other distros).

it seems a little bit harsh to require openssh-server 5.1 (or even 5 or
4.8 or whatever) just to properly log out of an application server, so
i'm thinking we need some sort of conditional behavior based on the
version of openssh-server installed on the server.

figuring out the version of openssh-server in a distro-independent way
is... tricky.

my current thought about how to implement it, would be to add
distro-specific plugins to ldminfod that determine the openssh-server
version, and pass a flag onto connecting ldms, which revert to the old
behavior (kill -1 $PPID) unless a flag is set.  something like:

  ldm-force-logout: false

which sets an environment variable LDM_FORCE_LOGOUT if not already set
(thus, it could be overridden in lts.conf, though this isn't ideal).

if LDM_FORCE_LOGOUT != false, then it reverts to the old behavior 
(kill -1 $PPID), otherwise, it drops it and we can use "ssh -O exit".

does this seem like a reasonable approach?

other ideas based on suggestions from gadi and ryan52:

ideally, we could ssh to the server, do "/usr/sbin/sshd -V" and get the
version info, but sshd doesn't support -V. we could use "ssh -V", which
is *probably* going to be the same as the openssh server version, but
not definitely... so that seems kind of hackish, also.

live well,
  vagrant

----- End forwarded message -----
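
The conditional logout proposed in the forwarded message, sketched as an added example (not part of the original post and not ldm's own code): it reads the proposed "ldm-force-logout:" line, lets an already-set LDM_FORCE_LOGOUT take precedence, and keeps the old behaviour when no flag is present. The function names, the sample reply text and the returned labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. Only LDM_FORCE_LOGOUT, "ldm-force-logout:",
# "kill -1 $PPID" and "ssh -O exit" come from the message; every
# function name and label below is hypothetical.

# Constructed sample of a server reply carrying the proposed flag.
SAMPLE_REPLY='other-key: value
ldm-force-logout: false'

# Print the value of the first "ldm-force-logout:" line, or nothing
# when the server sent no such line (e.g. an older ldminfod).
parse_force_logout() {
    printf '%s\n' "$1" |
        sed -n 's/^ldm-force-logout:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Effective flag: a value already in the environment (for instance
# set through lts.conf) wins, then the server's value, and with
# neither present the old behaviour stays in force.
resolve_force_logout() {
    server_value=$(parse_force_logout "$1")
    if [ -n "${LDM_FORCE_LOGOUT:-}" ]; then
        printf '%s\n' "$LDM_FORCE_LOGOUT"
    elif [ -n "$server_value" ]; then
        printf '%s\n' "$server_value"
    else
        printf 'true\n'
    fi
}

# Name the logout path the client should take.
#   kill-hup     : append "kill -1 $PPID" to the remote command
#   control-exit : omit it and close the connection with "ssh -O exit",
#                  so the tunnel is still up for the K* logout scripts
logout_method() {
    if [ "$(resolve_force_logout "$1")" != "false" ]; then
        printf 'kill-hup\n'
    else
        printf 'control-exit\n'
    fi
}

# Show the decision for the constructed sample reply.
logout_method "$SAMPLE_REPLY"
```

Anything other than the exact string "false" selects the old behaviour, so a missing or malformed flag never leaves a session relying on "ssh -O exit" against a server that does not support it.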




