ssh oslogin and sudo


Francois Le Bec

Nov 12, 2019, 8:33:34 PM11/12/19
to gce-discussion
Hi there,

I enabled OS Login for my CentOS instances as well as tunnelling through IAP. I have enable-oslogin and enable-oslogin-2fa in my project metadata.
I can ssh from anywhere, so I know it's working. The problem is once I'm logged in to an instance, I try to sudo a command and it's asking me for a password. I type my password and it doesn't let me escalate.

Prior to that, I gave Compute OS Admin Login to my account, which is supposed to let me run commands as sudo. It doesn't.
Would someone be able to let me know what I am missing?

Thank you in advance,

Alexandre Duval-Cid

Nov 13, 2019, 6:41:31 PM11/13/19
to gce-discussion
I followed our tutorials here [1, 2] and was unable to replicate your situation; I was successfully able to "sudo su" after enabling the features you mentioned.
I have found this thread that could assist you in fixing your issue [3, 4].

I would recommend posting questions related to VM configurations on ServerFault.com [5]. They have a wealth of knowledge at your disposal. Google Groups is a venue for architectural and outage-based discussion.

Francois Le Bec

Nov 13, 2019, 8:37:37 PM11/13/19
to gce-discussion
Thank you for that Alexandre.
I have been investigating, followed some threads and noticed that when I use OS Login to ssh to an instance, my OS Login name (name_domain) has been removed from the sudoers file.
I tried to replicate on different instances and 2 projects. Same results.
When I use public keys, no issues.
Even with the right roles enabled (OS Login admin is useless in my case), I cannot sudo.

Max Illfelder

Nov 14, 2019, 7:37:12 PM11/14/19
to gce-discussion
Hi Francois,

What sudoers file are you checking? When you log into an instance with OS Login enabled, a file should be created in the /var/google-sudoers.d directory for users with sudo permission. The user is not expected to appear directly in any sudo file.

Are you able to reproduce this issue when you create a new VM using a Google provided CentOS image?

Max

Francois Le Bec

Nov 15, 2019, 12:57:32 PM11/15/19
to gce-discussion
Hi Max,

Thank you.
Yes, I'm aware of that file. If my username_domain is inside /var/google-sudoers.d, I should be golden.
I think something is wrong with my existing CentOS instances since it doesn't work. I created some new ones and OS Login + 2FA worked every time. I have to keep investigating.

On a slightly different note:
I cannot have SSH access through the web console on my prod project. I end up with "fail"...
It works on my test project, but when I enable 2FA and click on SSH, it asks for an authentication method and then ends up with "fail" as well. It works without 2FA.

IAM roles look fine. SSH firewall rules should allow the SSH web console to work.

I'm really puzzled, I followed the Google Cloud SSH troubleshooting guide and checked everything many times but it still fails.
gcloud compute ssh from Cloud Shell and from a terminal works with no problem.

Max Illfelder

Nov 15, 2019, 1:36:18 PM11/15/19
to gce-discussion
Hi,

Thanks for the feedback! Glad it works in your other instances; strange that something isn't working properly on the original. For debugging issues on CentOS, it's often useful to check /var/log/secure for login-related messages.

We have a known issue where SSH in the Browser fails with 2FA enabled if the user has more than one challenge type. We are working with the SSH in the Browser team to implement a fix, but there's no current timeline on the fix. In the meantime, Cloud Shell, gcloud, and open-source ssh clients should all work properly when using the 2FA feature.

Max
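A small diagnostic that checks the two places Max points at in his replies: the per-user drop-in under /var/google-sudoers.d (and that /etc/sudoers actually includes that directory) and the sudo failure lines in /var/log/secure. This is an added example, not code from the thread or from Google; it assumes the drop-in is named after the OS Login username (name_domain) and that sudo logs failures in the standard "user NOT in sudoers" / PAM "authentication failure" forms. The sample tree and log excerpt are constructed so the checks can be run offline.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or Google). Assumptions: OS Login writes one
# sudoers drop-in per authorized user into /var/google-sudoers.d, /etc/sudoers pulls
# that directory in with an includedir line, and sudo records failures in /var/log/secure.

# oslogin_sudo_check USER [SUDOERS_DIR] [SUDOERS_FILE]
# Exit 0 when USER's drop-in exists and is included; 1/2/3 identify the missing piece.
oslogin_sudo_check() {
    user="$1"; dir="${2:-/var/google-sudoers.d}"; sudoers="${3:-/etc/sudoers}"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (guest agent not writing OS Login drop-ins?)"; return 1
    fi
    # sudoers accepts the legacy '#includedir' and the newer '@includedir' spellings.
    if ! grep -Eq "^[#@]includedir[[:space:]]+$dir" "$sudoers"; then
        echo "missing: $sudoers has no includedir for $dir"; return 2
    fi
    if [ ! -f "$dir/$user" ] || ! grep -q "^$user[[:space:]]" "$dir/$user"; then
        echo "missing: $dir/$user (no OS Admin Login role, or not yet synced?)"; return 3
    fi
    echo "ok: $dir/$user present and included by $sudoers"
}

# sudo_failures_for USER LOGFILE: count the two sudo failure signatures for USER
# ("user NOT in sudoers" and a PAM authentication failure) in a /var/log/secure-style log.
sudo_failures_for() {
    grep -Ec "sudo: +$1 : user NOT in sudoers|sudo:auth\): authentication failure;.*user=$1 *$" "$2" || true
}

# oslogin_sample_tree BASE: constructed stand-in for a healthy instance (alice has
# sudo, bob does not) plus a constructed /var/log/secure excerpt, for offline runs.
oslogin_sample_tree() {
    mkdir -p "$1/google-sudoers.d"
    printf '#includedir %s/google-sudoers.d\n' "$1" > "$1/sudoers"
    printf 'alice_example_com ALL=(ALL) NOPASSWD: ALL\n' > "$1/google-sudoers.d/alice_example_com"
    cat > "$1/secure" <<'EOF'
Nov 15 12:00:01 vm1 sudo: bob_example_com : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob_example_com ; USER=root ; COMMAND=/bin/ls
Nov 15 12:00:05 vm1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob_example_com uid=1001 euid=0 tty=/dev/pts/0 ruser=bob_example_com rhost=  user=bob_example_com
Nov 15 12:01:00 vm1 sudo: alice_example_com : TTY=pts/1 ; PWD=/home/alice_example_com ; USER=root ; COMMAND=/bin/ls
EOF
}
```

On a live CentOS instance, source the file and run `oslogin_sudo_check "$(whoami)"` followed by `sudo_failures_for "$(whoami)" /var/log/secure`; a return code of 3 with failures counted is the symptom described in this thread (drop-in absent while the role looks correct).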

Francois Le Bec

Nov 15, 2019, 2:27:02 PM11/15/19
to gce-discussion
Hey Max,

Thank you for the quick response. Somehow the fact that you guys have a known issue for 2FA over the browser makes me feel slightly better. My management people would disagree, since they'd see this option as the easiest one over typing commands.
Would you be able to post an update when this issue using multiple challenge types is resolved?
Thanks.

Alexandre Duval-Cid

Nov 15, 2019, 5:36:40 PM11/15/19
to gce-discussion
Hey,

Max has filed an internal issue regarding the 2FA issue; in order for you to follow the progress on this issue, I have created a public version.
Feel free to star the issue to get notifications once the thread is updated.

All future updates regarding this issue will be found on this thread [1].
I cannot provide you an ETA at this time regarding the resolution of the issue.

Thanks for your patience.
Francois Le Bec

Nov 15, 2019, 9:40:44 PM11/15/19
to gce-discussion
Thank you. I hope your dev team will be addressing this soon. Not everyone wants or knows how to use a terminal to connect to a remote instance safely.
I'm fine with that but upper management would probably disagree.

Max Illfelder

Apr 25, 2020, 2:38:14 PM4/25/20
to gce-discussion
The SSH in the Browser issue should now be fixed.