Add "node/user_passwords" sitevar to control passing of password hashes.

Defaults to 0, which means do not pass user password hashes to nodes via
tmcc. Non-zero will restore the old behavior.

sql/sitevars-create.sql

@@ -161,6 +161,7 @@ INSERT INTO sitevariables VALUES ('cloudlab/message',NULL,'','Message to display
 INSERT INTO sitevariables VALUES ('aptui/autoextend_maximum',NULL,'7','Maximum number of days requested that will automaticaly be granted; zero means only admins can extend an experiment.',0);
 INSERT INTO sitevariables VALUES ('aptui/autoextend_maxage',NULL,'14','Maximum age (in days) of an experiment before all extension requests require admin approval.',0);
 INSERT INTO sitevariables VALUES ('node/nfs_transport',NULL,'udp','Transport protocol to be used by NFS mounts on clients. One of: udp, tcp, or osdefault, where osdefault means use the client OS default setting.',0);
+INSERT INTO sitevariables VALUES ('node/user_passwords',NULL,'0','If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0);
 INSERT INTO sitevariables VALUES ('images/default_typelist',NULL,'','List of types to associate with an imported image when it is not appropriate to associate all existing types.',0);
 INSERT INTO sitevariables VALUES ('protogeni/use_imagetracker',NULL,'0','Enable use of the image tracker.',0);
 INSERT INTO sitevariables VALUES ('general/no_openflow',NULL,'0','Disallow topologies that specify openflow controllers, there is no local support for it.',0);

sql/updates/4/610

+#
+# Add sitevariables to control whether user password hashes are distributed
+# to nodes via tmcd.
+#
+use strict;
+use libdb;
+
+sub DoUpdate($$$)
+{
+    my ($dbhandle, $dbname, $version) = @_;
+    
+    DBQueryFatal("INSERT INTO `sitevariables` VALUES ".
+		 "('node/user_passwords',NULL,'0',".
+		 "'If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0)")
+	if (!TBSiteVarExists("node/user_passwords"));
+
+    return 0;
+}
+
+1;
+
+# Local Variables:
+# mode:perl
+# End:

tmcd/tmcd.c

@@ -2665,6 +2665,7 @@ COMMAND_PROTOTYPE(doaccounts)
 	int		tbadmin, didwidearea = 0, nodetypeprojects = 0;
 	int		didnonlocal = 0;
 	int             swapper_only = 0;
+	int		dohashes = 0;
 
 	if (! tcp) {
 		error("ACCOUNTS: %s: Cannot give account info out over UDP!\n",
@@ -2894,10 +2895,29 @@ COMMAND_PROTOTYPE(doaccounts)
 	}
 #endif /* EVENTSYS */
 
+	/*
+	 * For local nodes, see if we should return password hashes.
+	 * This is controlled by the node/user_passwords sitevar.
+	 */
+	res = mydb_query("select value,defaultvalue from sitevariables "
+			 "where name='node/user_passwords'", 2);
+	if (res) {
+		if ((int)mysql_num_rows(res) > 0) {
+			row = mysql_fetch_row(res);
+			if (row[0] && row[0][0])
+				dohashes = atoi(row[0]);
+			else if (row[1] && row[1][0])
+				dohashes = atoi(row[1]);
+		}
+		mysql_free_result(res);
+	}
+
 	/*
 	 * Now onto the users in the project.
 	 */
 	if (reqp->iscontrol) {
+		char *passwdfield = dohashes ? "u.usr_pswd" : "'*'";
+
 		/*
 		 * All users! This is not currently used. The problem
 		 * is that returning a list of hundreds of users whenever
@@ -2906,7 +2926,7 @@ COMMAND_PROTOTYPE(doaccounts)
 		 * but is not scalable.
 		 */
 		res = mydb_query("select distinct "
-				 "  u.uid,u.usr_pswd,u.unix_uid,u.usr_name, "
+				 "  u.uid,%s,u.unix_uid,u.usr_name, "
 				 "  p.trust,g.pid,g.gid,g.unix_gid,u.admin, "
 				 "  u.emulab_pubkey,u.home_pubkey, "
 				 "  UNIX_TIMESTAMP(u.usr_modified), "
@@ -2918,7 +2938,7 @@ COMMAND_PROTOTYPE(doaccounts)
 				 "      and u.webonly=0 "
                                  "      and g.unix_id is not NULL "
 				 "      and u.status='active' order by u.uid",
-				 15, reqp->pid, reqp->gid);
+				 15, passwdfield);
 	}
 	else if (nodetypeprojects) {
 		/*
@@ -2994,7 +3014,8 @@ COMMAND_PROTOTYPE(doaccounts)
 		 * groups for that user.
 		 */
 	  	char adminclause[MYBUFSIZE];
-		char *passwdfield = (!reqp->islocal && reqp->isdedicatedwa) ? 
+		char *passwdfield =
+			(!dohashes || (!reqp->islocal && reqp->isdedicatedwa))?
 			"'*'" : "u.usr_pswd";
 		strcpy(adminclause, "");
 #ifdef ISOLATEADMINS