We ran the role in rabbitmq_agents#164 (closed) to add SSH denied groups to the gpfs5 login node for the hold and certification states, but the message does not show when connecting via sshpiper.
The latest PR tg123/sshpiper#548 enables this; I tested the build in my dev cluster. But it seems like it will retry until fail2ban kicks in:
```
# The user is in hold state
$ ssh -l diedpigs@gmail.com 138.26.49.27
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
Your account is currently on hold.\n Please reach out to administrator to clear your account.\nYour account has expired; please contact your system administratoraccount expired 2 days ago
diedpigs@gmail.com@138.26.49.27: Permission denied (publickey).

$ ssh -l diedpigs@gmail.com 138.26.49.27
Connection closed by 138.26.49.27 port 22

# Change the user to certification state
$ ssh -l diedpigs@gmail.com 138.26.49.27
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
Account certification is required.\n Please reach out to administrator to clear your account.\n
diedpigs@gmail.com@138.26.49.27: Permission denied (publickey).
```
The reason sshpiper displayed the banner multiple times is that sshpiper creates a new connection to a (maybe new) upstream for each auth request; that is, the banner message could be from a different upstream.
The client would attempt to use password, publickey, etc. against sshpiper, then sshpiper displayed a banner for each retry.
I do not have a good idea how to handle it now, but I am going to provide an option to disable the banner from upstream, and you can use --banner-file of sshpiper only.
He also provided an option later in this PR, adding the upstream-banner-mode option to the daemon. The option accepts either:
passthrough (default), which passes the banner from upstream to the client
ignore, which drops the upstream banner so that only sshpiper's own --banner-file is shown (the option the author describes above)
The banner feature was introduced in tg123/sshpiper#548; we verified that it does show the banner message from upstream. However, with our configuration the piper keeps sending the banner message until it gets interrupted. In our case, fail2ban kicks in.
The first fix from the author was a passthrough/ignore mode for the banner mode. This does not really meet our needs. - hpc-factory#236 (closed)
Later, the author introduced another feature, dedup mode, which is the one we adopted. It does fix the repeated message issue, but for key-based auth the user still gets banned. - hpc-factory#238 (closed)
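To make the two points in this thread concrete (the author's explanation that the piper opens a fresh upstream connection per auth request, and the finding that dedup mode fixes the repeated banner but not the ban for key-based auth), here is a toy model added for this write-up. It is not sshpiper's or fail2ban's code. It assumes an OpenSSH-style client that tries each loaded identity and then password as separate auth requests, an upstream that refuses a denied-group user with the same banner every time and logs one `Failed <method> ... from <ip>` line per refusal, and a fail2ban-like jail that bans a source after `maxretry` such lines; the user, IP and log format are constructed samples.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed banner text, modelled on the hold-state message in the thread.
HOLD_BANNER = ("Your account is currently on hold. "
               "Please reach out to administrator to clear your account.")


@dataclass
class Upstream:
    """Stand-in for the login node: refuses every auth request with a banner."""
    banner: str
    log: list = field(default_factory=list)

    def authenticate(self, user, method, src_ip):
        # One call == one fresh upstream connection opened by the piper for
        # this auth request (the behaviour the sshpiper author describes).
        # Constructed sshd-style log line; real sshd output varies.
        self.log.append(
            f"sshd[4242]: Failed {method} for {user} from {src_ip} port 50000 ssh2")
        return self.banner, False


def pipe_session(upstream, user, src_ip, identities, password_tries, banner_mode):
    """Replay one client session through a piper running in banner_mode.

    banner_mode mirrors upstream-banner-mode: passthrough, ignore, dedup.
    Returns (banners delivered to the client, authenticated?).
    """
    if banner_mode not in ("passthrough", "dedup", "ignore"):
        raise ValueError(f"unknown banner mode {banner_mode!r}")
    # Assumed client order: every identity via publickey, then password.
    attempts = [("publickey", key) for key in identities]
    attempts += [("password", None)] * password_tries
    delivered, last = [], None
    for method, _ in attempts:
        banner, ok = upstream.authenticate(user, method, src_ip)
        if banner_mode == "passthrough" or (banner_mode == "dedup" and banner != last):
            delivered.append(banner)
        last = banner          # dedup only suppresses a repeat of the previous banner
        if ok:
            return delivered, True
    return delivered, False


def fail2ban_banned(log_lines, maxretry=5):
    """Minimal sshd-jail logic: count 'Failed <method> ... from <ip>' per source."""
    failures = Counter()
    for line in log_lines:
        if " Failed " in line and " from " in line:
            ip = line.split(" from ", 1)[1].split()[0]
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n >= maxretry}


def run(banner_mode, identities, password_tries, maxretry=5):
    """Summarise one session: banners the user saw, upstream failures, ban result."""
    upstream = Upstream(HOLD_BANNER)
    client_ip = "198.51.100.7"                     # constructed sample address
    banners, ok = pipe_session(upstream, "user@example.org", client_ip,
                               list(identities), password_tries, banner_mode)
    return {
        "authenticated": ok,
        "banners_shown": len(banners),
        "upstream_failures": len(upstream.log),
        "banned": client_ip in fail2ban_banned(upstream.log, maxretry),
    }


if __name__ == "__main__":
    keys = ["id_ed25519", "id_rsa", "id_ecdsa", "id_ed25519_sk", "id_old"]
    for mode in ("passthrough", "dedup", "ignore"):
        print(mode, run(mode, keys, password_tries=3))
    # A key-only client with several identities still reaches maxretry=5 ...
    print("dedup, keys only", run("dedup", keys, password_tries=0))
    # ... and only fewer client attempts (here a single identity) stays under it.
    print("dedup, one key", run("dedup", keys[:1], password_tries=0))
```

Running it shows why dedup was the right fix for the message and not for the ban: in every mode the upstream sees one refused connection per client auth attempt, so the failure count, and with it the jail's decision, depends only on how many identities and password tries the client makes, not on how many banners it is shown.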