1. 26 Jul, 2017 4 commits
    • Mike Hibler's avatar
      Merge branch 'master' into root-keypair-r1 · f3f17806
      Mike Hibler authored
      f3f17806
    • Mike Hibler's avatar
      Include the experiment name in all outputs. · 66781988
      Mike Hibler authored
      66781988
    • Mike Hibler's avatar
      Deep six the "dd" command stderr output. · f2381b07
      Mike Hibler authored
      f2381b07
    • Mike Hibler's avatar
      Support for per-experiment root keypairs (Round 1). See issue #302. · c6150425
      Mike Hibler authored
      Provide automated setup of an ssh keypair enabling root to login without
      a password between nodes. The biggest challenge here is to get the private
      key onto nodes in such a way that a non-root user on those nodes cannot
      obtain it. Otherwise that user would be able to ssh as root to any node.
      This precludes simple distribution of the private key using tmcd/tmcc as
      any user can do a tmcc (tmcd authentication is based on the node, not the
      user).
      
      This version does a post-imaging "push" of the private key from boss using
      ssh. The key is pushed from tbswap after nodes are imaged but before the
      event system, and thus any user startup scripts, are started. We actually
      use "pssh" (really "pscp") to scale a bit better, so YOU MUST HAVE THE
      PSSH PACKAGE INSTALLED. So be sure to do a:
      
          pkg install -r Emulab pssh
      
      on your boss node. See the new utils/pushrootkeys.in script for more.
      
      The public key is distributed via the "tmcc localization" command which
      was already designed to handle adding multiple public keys to root's
      authorized_keys file on a node.
      
      This approach should be backward compatible with old images. I BUMPED THE
      VERSION NUMBER OF TMCD so that newer clients can also get back (via
      rc.localize) a list of keys and the names of the files they should be stashed
      in. This is used to allow us to pass along the SSL and SSH versions of the
      public key so that they can be placed in /root/.ssl/<node>.pub and
      /root/.ssh/id_rsa.pub respectively. Note that this step is not necessary for
      inter-node ssh to work.
      
      Also passed along is an indication of whether the returned key is encrypted.
      This might be used in Round 2 if we securely implant a shared secret on every
      node at imaging time and then use that to encrypt the ssh private key such
      that we can return it via rc.localize. But the client side script currently
      does not implement any decryption, so the client side would need to be changed
      again in this future.
      
      The per experiment root keypair mechanism has been exposed to the user via
      old school NS experiments right now by adding a node "rootkey" method. To
      export the private key to "nodeA" and the public key to "nodeB" do:
      
          $nodeA rootkey private 1
          $nodeB rootkey public 1
      
      This enables an asymmetric relationship such that "nodeA" can ssh into
      "nodeB" as root but not vice-versa. For a symmetric relationship you would do:
      
          $nodeA rootkey private 1
          $nodeB rootkey private 1
          $nodeA rootkey public 1
          $nodeB rootkey public 1
      
      These user specifications will be overridden by hardwired Emulab restrictions.
      The current restrictions are that we do *not* distribute a root pubkey to
      tainted nodes (as it opens a path to root on a node where no one should be
      root) or any keys to firewall nodes, virtnode hosts, delay nodes, subbosses,
      storagehosts, etc. which are not really part of the user topology.
      
      For more on how we got here and what might happen in Round 2, see:
      
          #302
      c6150425
  2. 25 Jul, 2017 2 commits
  3. 24 Jul, 2017 2 commits
  4. 17 Jul, 2017 1 commit
  5. 14 Jul, 2017 3 commits
  6. 13 Jul, 2017 2 commits
    • Leigh B Stoller's avatar
      Work on issue #302: · 92c8e4ba
      Leigh B Stoller authored
      Add new table experiment_keys to hold RSA priv/pub key pair and an SSH
      public key derived from the private key.
      
      Initialized when experiment is first created, I have not done anything
      to set the keys for existing experiments yet.
      
      But for testing, you can do this:
      
      	use lib "/usr/testbed/lib";
      	use Experiment;
      
      	my $experiment = Experiment->Lookup("testbed", "layers");
      	$experiment->GenerateKeys();
      92c8e4ba
    • Leigh B Stoller's avatar
      Minor fix. · f97862c3
      Leigh B Stoller authored
      f97862c3
  7. 12 Jul, 2017 8 commits
  8. 11 Jul, 2017 1 commit
  9. 10 Jul, 2017 12 commits
  10. 07 Jul, 2017 3 commits
    • Leigh B Stoller's avatar
      Deal with user privs (issue #309): · d1516912
      Leigh B Stoller authored
      * Make user privs work across remote clusters (including stitching). I
        took a severe shortcut on this; I do not expect the Cloudlab portal
        will ever talk to anything but an Emulab based aggregate, so I just
        added the priv indicator to the user keys array we send over. If I am
        ever proved wrong on this, I will come out of retirement and fix
        it (for a nominal fee of course).
      
      * Do not show the root password for the console to users with user
        privs.
      
      * Make sure users with user privs cannot start experiments.
      
      * Do show the user trust values on the user dashboard membership tab.
      
      * Update tmcd to use the new privs slot in the nonlocal_user_accounts
        table.
      
      This closes issue #309.
      d1516912
    • Leigh B Stoller's avatar
      Stop leaving temp files behind. · b8a86a6a
      Leigh B Stoller authored
      b8a86a6a
    • Leigh B Stoller's avatar
  11. 06 Jul, 2017 2 commits