Commit 1ed7fdab authored by Mike Hibler's avatar Mike Hibler

Add "node/user_passwords" sitevar to control passing of password hashes.

Defaults to 0, which means do not pass user password hashes to nodes via
tmcc. Non-zero will restore the old behavior.
parent 94a5df2b
......@@ -161,6 +161,7 @@ INSERT INTO sitevariables VALUES ('cloudlab/message',NULL,'','Message to display
INSERT INTO sitevariables VALUES ('aptui/autoextend_maximum',NULL,'7','Maximum number of days requested that will automaticaly be granted; zero means only admins can extend an experiment.',0);
INSERT INTO sitevariables VALUES ('aptui/autoextend_maxage',NULL,'14','Maximum age (in days) of an experiment before all extension requests require admin approval.',0);
INSERT INTO sitevariables VALUES ('node/nfs_transport',NULL,'udp','Transport protocol to be used by NFS mounts on clients. One of: udp, tcp, or osdefault, where osdefault means use the client OS default setting.',0);
INSERT INTO sitevariables VALUES ('node/user_passwords',NULL,'0','If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0);
INSERT INTO sitevariables VALUES ('images/default_typelist',NULL,'','List of types to associate with an imported image when it is not appropriate to associate all existing types.',0);
INSERT INTO sitevariables VALUES ('protogeni/use_imagetracker',NULL,'0','Enable use of the image tracker.',0);
INSERT INTO sitevariables VALUES ('general/no_openflow',NULL,'0','Disallow topologies that specify openflow controllers, there is no local support for it.',0);
......
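Review bot: The description text at L12 is missing a word — "passed to nodes allow user logins" — and the identical string is repeated in the update script at L28, so both copies need the same fix; suggest `'If non-zero, password hashes for users are passed to nodes to allow user logins on the console. For better security, you should leave this zero.'`. The row is inserted with value NULL and defaultvalue '0', which lines up with the tmcd lookup that falls back to `defaultvalue` when `value` is empty, so the default is off as the commit message states.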
#
# Add sitevariables to control whether user password hashes are distributed
# to nodes via tmcd.
#
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBQueryFatal("INSERT INTO `sitevariables` VALUES ".
"('node/user_passwords',NULL,'0',".
"'If non-zero, password hashes for users are passed to nodes allow user logins on the console. For better security, you should leave this zero.',0)")
if (!TBSiteVarExists("node/user_passwords"));
return 0;
}
1;
# Local Variables:
# mode:perl
# End:
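Review bot: `use strict;` at L21 is not paired with `use warnings;`, so runtime problems in this script such as an undefined value in the concatenated query string go unreported; add `use warnings;` after L21 unless the other update scripts deliberately omit it. The `($$$)` prototype on `DoUpdate` at L23 does not validate the arguments, it only changes how calls are parsed; if it is the shared update-script template, keep it for consistency, otherwise drop it. The description string at L28 duplicates L12 and carries the same dropped word, `passed to nodes to allow user logins`.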
......@@ -2665,6 +2665,7 @@ COMMAND_PROTOTYPE(doaccounts)
int tbadmin, didwidearea = 0, nodetypeprojects = 0;
int didnonlocal = 0;
int swapper_only = 0;
int dohashes = 0;
if (! tcp) {
error("ACCOUNTS: %s: Cannot give account info out over UDP!\n",
......@@ -2894,10 +2895,29 @@ COMMAND_PROTOTYPE(doaccounts)
}
#endif /* EVENTSYS */
/*
* For local nodes, see if we should return password hashes.
* This is controlled by the node/user_passwords sitevar.
*/
res = mydb_query("select value,defaultvalue from sitevariables "
"where name='node/user_passwords'", 2);
if (res) {
if ((int)mysql_num_rows(res) > 0) {
row = mysql_fetch_row(res);
if (row[0] && row[0][0])
dohashes = atoi(row[0]);
else if (row[1] && row[1][0])
dohashes = atoi(row[1]);
}
mysql_free_result(res);
}
/*
* Now onto the users in the project.
*/
if (reqp->iscontrol) {
char *passwdfield = dohashes ? "u.usr_pswd" : "'*'";
/*
* All users! This is not currently used. The problem
* is that returning a list of hundreds of users whenever
......@@ -2906,7 +2926,7 @@ COMMAND_PROTOTYPE(doaccounts)
* but is not scalable.
*/
res = mydb_query("select distinct "
" u.uid,u.usr_pswd,u.unix_uid,u.usr_name, "
" u.uid,%s,u.unix_uid,u.usr_name, "
" p.trust,g.pid,g.gid,g.unix_gid,u.admin, "
" u.emulab_pubkey,u.home_pubkey, "
" UNIX_TIMESTAMP(u.usr_modified), "
......@@ -2918,7 +2938,7 @@ COMMAND_PROTOTYPE(doaccounts)
" and u.webonly=0 "
" and g.unix_id is not NULL "
" and u.status='active' order by u.uid",
15, reqp->pid, reqp->gid);
15, passwdfield);
}
else if (nodetypeprojects) {
/*
......@@ -2994,7 +3014,8 @@ COMMAND_PROTOTYPE(doaccounts)
* groups for that user.
*/
char adminclause[MYBUFSIZE];
char *passwdfield = (!reqp->islocal && reqp->isdedicatedwa) ?
char *passwdfield =
(!dohashes || (!reqp->islocal && reqp->isdedicatedwa))?
"'*'" : "u.usr_pswd";
strcpy(adminclause, "");
#ifdef ISOLATEADMINS
......
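Review bot: The sitevar lookup added at L50-L61 runs for every ACCOUNTS request regardless of `reqp->islocal`, although the comment at L47 says it is "for local nodes"; the non-local case is only handled later, at L93-L95, by the `!reqp->islocal && reqp->isdedicatedwa` clause, while the control-node branch at L66 keys on `dohashes` alone. Either reword the comment, `* See if we should return password hashes (any node type).`, or skip the query for non-local nodes with `if (reqp->islocal) {` around L50-L61 so the decision is made in one place. The fail-closed default (`dohashes` stays 0 when the query fails or both `value` and `defaultvalue` are empty) is the right choice. Separately, the call at L84 now passes only `passwdfield` where L83 passed `reqp->pid, reqp->gid`; the `where` clause between L78 and L80 is outside the hunk, so confirm it no longer contains `%s` placeholders for those two, otherwise the format-argument list is now short. doaccounts starts and ends outside these hunks.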