Commit bac0172e authored by Leigh B. Stoller's avatar Leigh B. Stoller

A set of changes to implement dynamic root passwords on local nodes

(and vnodes). Each time a node is allocated to an experiment it gets a
new root password (using the node_attributes table). The watchdog has
a new section that resets the root password (defaults to hourly).  We
still using a common password in the image to avoid totally bricking
ourselves, but once a node boots into an experiment it gets a new root
password.

This prevents hundreds of nodes with the same password, and all of the
problems associated with that.
parent 96bdfff4
......@@ -1486,6 +1486,28 @@ sub SimpleWOL($)
return 0;
}
sub NewRootPasswd($)
{
my ($self) = @_;
# Must be a real reference.
return -1
if (! ref($self));
my $node_id = $self->node_id();
my $hash = TBGenSecretKey();
# But only part of it.
$hash = substr($hash, 0, 10);
DBQueryWarn("replace into node_attributes set ".
" node_id='$node_id',".
" attrkey='root_password',attrvalue='$hash'")
or return -1;
return 0;
}
# _Always_ make sure that this 1 is at the end of the file...
1;
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005, 2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
......@@ -245,6 +245,9 @@ if (!$error && (!$noalloc || $partial) && @nodes) {
join(" or ",
map("node_id='" . $_->node_id() . "'", @nodes)));
foreach my $node (@nodes) {
$node->NewRootPasswd();
}
foreach my $node (@need_history) {
$node->SetNodeHistory(TB_NODEHISTORY_OP_ALLOC,
$this_user, $experiment);
......
......@@ -48,7 +48,7 @@ use libtmcc;
#
# BE SURE TO BUMP THIS AS INCOMPATIBILE CHANGES TO TMCD ARE MADE!
#
sub TMCD_VERSION() { 27; };
sub TMCD_VERSION() { 29; };
libtmcc::configtmcc("version", TMCD_VERSION());
# Control tmcc timeout.
......
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -32,7 +32,7 @@ use Exporter;
TMCCCMD_BOOTERRNO TMCCCMD_BOOTLOG TMCCCMD_BATTERY TMCCCMD_USERENV
TMCCCMD_TIPTUNNELS TMCCCMD_TRACEINFO TMCCCMD_ELVINDPORT
TMCCCMD_PLABEVENTKEYS TMCCCMD_PORTREGISTER
TMCCCMD_MOTELOG TMCCCMD_BOOTWHAT
TMCCCMD_MOTELOG TMCCCMD_BOOTWHAT TMCCCMD_ROOTPSWD
);
# Must come after package declaration!
......@@ -177,6 +177,7 @@ my %commandset =
"motelog" => {TAG => "motelog"},
"portregister" => {TAG => "portregister"},
"bootwhat" => {TAG => "bootwhat"},
"rootpswd" => {TAG => "rootpswd"},
);
#
......@@ -236,6 +237,7 @@ sub TMCCCMD_PLABEVENTKEYS(){ $commandset{"plabeventkeys"}->{TAG}; }
sub TMCCCMD_MOTELOG() { $commandset{"motelog"}->{TAG}; }
sub TMCCCMD_PORTREGISTER(){ $commandset{"portregister"}->{TAG}; }
sub TMCCCMD_BOOTWHAT() { $commandset{"bootwhat"}->{TAG}; }
sub TMCCCMD_ROOTPSWD() { $commandset{"rootpswd"}->{TAG}; }
#
# Caller uses this routine to set configuration of this library
......
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005, 2007 University of Utah and the Flux Group.
# Copyright (c) 2000-2008 University of Utah and the Flux Group.
# All rights reserved.
#
use Getopt::Std;
......@@ -87,6 +87,7 @@ my %iv = (
rusage => 0,
hkeys => 0,
batt => (STARGATE() ? 60 : 0),
rootpswd=> 3600,
);
my %funcs = (
......@@ -97,6 +98,7 @@ my %funcs = (
rusage => \&sendrusage,
hkeys => \&sendhkeys,
batt => \&sendbatt,
rootpswd=> \&setrootpswd,
);
my %immediate = (
......@@ -107,6 +109,7 @@ my %immediate = (
rusage => 1,
hkeys => 1,
batt => 1,
rootpswd=> 1,
);
#
......@@ -119,6 +122,7 @@ sub runcvsup($);
sub sendrusage($);
sub sendhkeys($);
sub sendbatt($);
sub setrootpswd($);
sub logmsg($;$);
sub saysomething($);
......@@ -390,6 +394,7 @@ sub setintervals($)
$iv{cvsup} = 21;
$iv{rusage} = 15;
$iv{batt} = 25;
$iv{rootpswd} = 10;
my $delta = $curtime - $faketimes{check};
$faketimes{check} = $curtime;
......@@ -447,8 +452,10 @@ sub setintervals($)
$oiv{$key} = $iv{$key};
}
print $tmccresults[0] . "\n";
if ($tmccresults[0] =~
/INTERVAL=(-?\d+) ISALIVE=(-?\d+) NTPDRIFT=(-?\d+) CVSUP=(-?\d+) RUSAGE=(-?\d+) HOSTKEYS=(-?\d+)/) {
/INTERVAL=(-?\d+) ISALIVE=(-?\d+) NTPDRIFT=(-?\d+) CVSUP=(-?\d+) RUSAGE=(-?\d+) HOSTKEYS=(-?\d+) SETROOTPSWD=(-?\d+)/) {
$iv{check} = $1
if ($1 >= 0);
$iv{isalive} = $2
......@@ -462,6 +469,8 @@ sub setintervals($)
# to enable finer granularity on plab.
$iv{hkeys} = $6
if ($6 >= 0);
$iv{rootpswd} = $7
if ($7 >= 0);
}
#
......@@ -473,6 +482,7 @@ sub setintervals($)
$iv{rusage} = 0;
$iv{hkeys} = 0;
$iv{batt} = 0;
$iv{rootpswd} = 0;
}
foreach my $key (keys %iv) {
......@@ -536,7 +546,8 @@ sub setintervals($)
if ($report) {
logmsg("setintervals: check=$iv{check}, isalive=$iv{isalive}, ".
"drift=$iv{drift}, cvsup=$iv{cvsup}, rusage=$iv{rusage}, ".
"hostkeys=$iv{hkeys}, battery=$iv{batt}\n");
"hostkeys=$iv{hkeys}, battery=$iv{batt}, ".
"rootpswd=$iv{rootpswd}\n");
}
#
......@@ -855,6 +866,39 @@ resched:
if ($iv{batt});
}
sub setrootpswd($)
{
my ($curtime) = @_;
if ($fakeit) {
my $delta = $curtime - $faketimes{rootpswd};
$faketimes{rootpswd} = $curtime;
logmsg("setrootpswd at +$delta\n");
qinsert($curtime + $iv{rootpswd}, \&setrootpswd) if ($iv{rootpswd});
return;
}
#
# Reset the root password.
#
if (tmcc(TMCCCMD_ROOTPSWD, undef, \@tmccresults) == 0
&& scalar(@tmccresults) &&
$tmccresults[0] =~ /^HASH=(.*)$/) {
my $hash = $1;
logmsg("Resetting root password\n");
liblocsetup::os_modpasswd("root", $hash);
}
resched:
#
# Set up for another interval.
# Since the tmcc call and update can take awhile, we update curtime
#
$curtime = time();
qinsert($curtime + $iv{rootpswd}, \&setrootpswd)
if ($iv{rootpswd});
}
sub saysomething($)
{
my ($curtime) = @_;
......
......@@ -484,6 +484,22 @@ sub os_userdel($)
return -1;
}
#
# Modify user password.
#
sub os_modpasswd($$)
{
my($login, $pswd) = @_;
my $cmd = "echo -e '$pswd\\n$pswd' | passwd $login >& /dev/null";
##print " $cmd\n";
if (system($cmd) != 0) {
warning("os_modpasswd error ($cmd)\n");
return -1;
}
return 0;
}
#
# Modify user group membership and password.
# Changing the login shell is unimplemented.
......
......@@ -17,7 +17,7 @@ use Exporter;
$LOOPBACKMOUNT
os_account_cleanup os_ifconfig_line os_etchosts_line
os_setup os_groupadd os_useradd os_userdel os_usermod os_mkdir
os_ifconfig_veth os_viface_name
os_ifconfig_veth os_viface_name os_modpasswd
os_routing_enable_forward os_routing_enable_gated
os_routing_add_manual os_routing_del_manual os_homedirdel
os_groupdel os_getnfsmounts os_islocaldir
......@@ -435,6 +435,25 @@ sub os_useradd($$$$$$$$$)
return 0;
}
#
# Modify user password
#
sub os_modpasswd($$)
{
my($login, $pswd) = @_;
if (system("$CHPASS '$pswd' $login") != 0) {
warn "*** WARNING: $CHPASS $login error.\n";
return -1;
}
if ($login eq "root" &&
system("$CHPASS '$pswd' toor") != 0) {
warn "*** WARNING: $CHPASS $login error.\n";
return -1;
}
return 0;
}
#
# Remove a homedir. Might someday archive and ship back.
#
......
......@@ -16,7 +16,7 @@ use Exporter;
$HOSTSFILE $LOOPBACKMOUNT
os_account_cleanup os_ifconfig_line os_etchosts_line
os_setup os_groupadd os_useradd os_userdel os_usermod os_mkdir
os_ifconfig_veth os_viface_name
os_ifconfig_veth os_viface_name os_modpasswd
os_routing_enable_forward os_routing_enable_gated
os_routing_add_manual os_routing_del_manual os_homedirdel
os_groupdel os_getnfsmounts os_islocaldir
......@@ -670,6 +670,25 @@ sub os_usermod($$$$$$)
return system("$USERMOD -s $shell -g $gid $glist -p '$pswd' $login");
}
#
# Modify user password.
#
sub os_modpasswd($$)
{
my($login, $pswd) = @_;
if (system("$USERMOD -p '$pswd' $login") != 0) {
warn "*** WARNING: resetting password for $login.\n";
return -1;
}
if ($login eq "root" &&
system("$USERMOD -p '$pswd' toor") != 0) {
warn "*** WARNING: resetting password for toor.\n";
return -1;
}
return 0;
}
#
# Add a user.
#
......
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2006, 2007 University of Utah and the Flux Group.
# Copyright (c) 2006-2008 University of Utah and the Flux Group.
# All rights reserved.
#
include_once("osinfo_defs.php");
......@@ -997,7 +997,9 @@ class Node
#
$query_result =
DBQueryFatal("select attrkey,attrvalue from node_attributes ".
"where node_id='$node_id'");
"where node_id='$node_id' ".
($noperm ? "" : "and attrkey!='root_password'"));
if (!$short && mysql_num_rows($query_result)) {
echo "<tr>
<td align=center colspan=2>Node Attributes</td>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment