Commit def1c265 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Add new pages to add/delete SFS public keys. To save work (and of

course, that's the whole reason I worked on these pages) there is
nothing in the join/start project pages. Users have to go here on
their own to manage their keys.

Also add a start at SFS documentation as it pertains to the testbed.
parent 9280811f
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
include("showstuff.php3");
#
# No PAGEHEADER since we spit out a redirect later.
#
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
#
# Verify form arguments.
#
if (!isset($target_uid) ||
strcmp($target_uid, "") == 0) {
USERERROR("Improper form arguments!", 1);
}
if (!isset($key) ||
strcmp($key, "") == 0) {
USERERROR("Improper form arguments!", 1);
}
#
# Check to make sure thats this is a valid UID.
#
if (! TBCurrentUser($target_uid)) {
USERERROR("The user $target_uid is not a valid user", 1);
}
#
# Verify that this uid is a member of one of the projects that the
# target_uid is in. Must have proper permission in that group too.
#
if (!$isadmin &&
strcmp($uid, $target_uid)) {
if (! TBUserInfoAccessCheck($uid, $target_uid, $TB_USERINFO_MODIFYINFO)) {
USERERROR("You do not have permission to change ${user}'s keys!", 1);
}
}
#
# Get the actual key.
#
$query_result =
DBQueryFatal("select * from user_sfskeys ".
"where uid='$target_uid' and comment='$key'");
if (! mysql_num_rows($query_result)) {
USERERROR("SFS Key '$key' for user '$target_uid' does not exist!", 1);
}
$row = mysql_fetch_array($query_result);
$pubkey = $row[pubkey];
$comment= $row[comment];
$chunky = chunk_split("$pubkey $comment", 70, "<br>\n");
#
# We run this twice. The first time we are checking for a confirmation
# by putting up a form. The next time through the confirmation will be
# set. Or, the user can hit the cancel button, in which case we should
# probably redirect the browser back up a level.
#
if ($canceled) {
PAGEHEADER("SFS Public Key Maintenance");
echo "<center><h2><br>
SFS Public Key deletion canceled!
</h2></center>\n";
echo "<br>
Back to <a href='showsfskeys.php3?target_uid=$target_uid'>
sfs public keys</a> for user '$uid'.\n";
PAGEFOOTER();
return;
}
if (!$confirmed) {
PAGEHEADER("SFS Public Key Maintenance");
echo "<center><h3><br>
Are you <b>REALLY</b>
sure you want to delete this SFS Public Key for user '$target_uid'?
</h3>\n";
echo "<form action='deletesfskey.php3?target_uid=$target_uid&key=$key'
method=post>";
echo "<b><input type=submit name=confirmed value=Confirm></b>\n";
echo "<b><input type=submit name=canceled value=Cancel></b>\n";
echo "</form>\n";
echo "</center>\n";
echo "<table align=center border=1 cellpadding=2 cellspacing=2>
<tr>
<td>$chunky</td>
</tr>
</table>\n";
PAGEFOOTER();
return;
}
#
# Audit
#
TBUserInfo($uid, $uid_name, $uid_email);
TBUserInfo($target_uid, $targuid_name, $targuid_email);
TBMAIL("$targuid_name <$targuid_email>",
"SFS Public Key for '$target_uid' Deleted",
"\n".
"SFS Public Key for '$target_uid' deleted by '$uid'.\n".
"\n".
"$chunky\n".
"\n".
"Thanks,\n".
"Testbed Ops\n".
"Utah Network Testbed\n",
"From: $uid_name <$uid_email>\n".
"Cc: $TBMAIL_AUDIT\n".
"Errors-To: $TBMAIL_WWW");
DBQueryFatal("delete from user_sfskeys ".
"where uid='$target_uid' and comment='$key'");
DBQueryFatal("update users set usr_modified=now() ".
"where uid='$target_uid'");
#
# mkacct updates the user pubkeys.
#
#SUEXEC($uid, $TBADMINGROUP, "webmkacct -a $target_uid", 0);
header("Location: showsfskeys.php3?target_uid=$target_uid");
?>
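Review bot: `$key` is interpolated straight into both `DBQueryFatal` statements (`where uid='$target_uid' and comment='$key'`, the select and the delete) after being checked only for non-emptiness, so a quote character in the form argument changes the query; run it through the DB layer's string-escaping routine (or `addslashes`) before building the statement, and `$target_uid`, although validated by `TBCurrentUser`, deserves the same treatment since it also lands in the `Location` header and the confirmation form's action URL unescaped. The permission error message references `$user`, which is never assigned on this page, so it prints an empty name; it should read `"You do not have permission to change ${target_uid}'s keys!"` (showsfskeys.php3 in this commit has the same slip in its view check). The `$canceled`/`$confirmed` tests rely on form values arriving as globals, which cannot distinguish the POST from the confirmation form from a query string that merely carries `confirmed=`, so the confirmation step offers less protection than it appears; checking `$_POST` (or `$HTTP_POST_VARS` on older PHP) for those fields would tie the deletion to an actual form submission. The `$row[pubkey]` / `$row[comment]` lookups use bare-word keys that PHP resolves as undefined constants; `$row["pubkey"]` is the intended form.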
<!--
EMULAB-COPYRIGHT
Copyright (c) 2000-2002 University of Utah and the Flux Group.
All rights reserved.
-->
<center>
<h2>SFS</h2>
</center>
We use <a href=http://www.fs.net>SFS</a> to provide a secure
distributed filesystem. Both emulab classic nodes and widearea netbed
nodes in your experiments can be accessed via the SFS filesystem,
either from <tt>users.emulab.net</tt> or from any machine you have
access to that is running the SFS client software. Further, you can
access any node in your experiment from any other node in your
experiment, all via the <tt>/sfs/netbed</tt> directory.
<p>
When your Emulab account is created, we create an SFS public/private
key pair for you and store the public part in our database. Your
private key is stored in your ~/.sfs directory, and just like your
Emulab generated <a href=docwrapper.php3?docname=security.html>SSH</a>
key, there is no passphrase protecting your SFS key; you should not
reuse this key anywhere else. It is fine to copy this private key back
to your home machine, but only if your home machine is
secure and your home directory is not NFS mounted on a public network!
This will allow you to access your experimental nodes without having
to first log into <tt>users.emulab.net</tt>. Either way, accessing
your experimental nodes is easy. When you are logged into
<tt>users.emulab.net</tt>:
<code><pre>
sfsagent
cd /sfs/netbed/nodeA.myexp.mypid </code></pre>
<p>
If instead you have copied your emulab private key to your home
machine, and have added it to your agent, then you can add the
following <em>certprog</em> to your agent:
<code><pre>
sfskey certprog -p netbed dirsearch \
/sfs/ops.emulab.net:eu7f8hmfpxk54t4uqdhpkhy7qtwqx7fn/q/proj/.sfs
cd /sfs/netbed/nodeA.myexp.mypid </code></pre>
<p>
As with SSH public keys, we distribute SFS public keys to all of the
nodes in your experiment (for all of the users in your project or
group). This allows anyone in your project to access the fileystems on
all of the experimental nodes. Further, when your experimental nodes
boot for the first time, a new SFS host key is generated and passed
back to <tt>ops.emulab.net</tt>. These host keys are used to generate
the /sfs/netbed directory so that you see the same view of your nodes,
no matter where you are logged in.
<p>
You can also use the SFS <em>rex</em> program to log into your nodes
(or to <tt>users.emulab.net</tt>). Rex is the SFS equivalent of SSH;
once you have started your SFS agent, rex will forward your private
keys, much like SSH forwards your private keys when you use it to log
in to another node. To log into one of your experimental nodes with
rex:
<code><pre>
sfsagent
rex -x /sfs/netbed/nodeA.myexp.mypid </code></pre>
To rex into <tt>users.emulab.net</tt>:
<code><pre>
sfsagent
rex -x /sfs/netbed/users.emulab.net </code></pre>
......@@ -217,7 +217,9 @@ function SPITFORM($formfields, $errors)
regarding passwords and email addresses.
<li> You can also
<a href='showpubkeys.php3?target_uid=$target_uid'>
edit your ssh public keys.</a>
edit your ssh public keys</a> and your
<a href='showsfskeys.php3?target_uid=$target_uid'>
sfs public keys</a>.
</ol>
</blockquote></blockquote>
</h4>\n";
<?php
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#
include("defs.php3");
include("showstuff.php3");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
#
# Verify form arguments.
#
if (!isset($target_uid) ||
strcmp($target_uid, "") == 0) {
$target_uid = $uid;
}
#
# Check to make sure thats this is a valid UID.
#
if (! TBCurrentUser($target_uid)) {
USERERROR("The user $target_uid is not a valid user", 1);
}
#
# Verify that this uid is a member of one of the projects that the
# target_uid is in. Must have proper permission in that group too.
#
if (!$isadmin &&
strcmp($uid, $target_uid)) {
if (! TBUserInfoAccessCheck($uid, $target_uid, $TB_USERINFO_READINFO)) {
USERERROR("You do not have permission to view ${user}'s keys!", 1);
}
}
function SPITFORM($formfields, $errors)
{
global $isadmin, $usr_keyfile_name, $target_uid, $BOSSNODE;
#
# Standard Testbed Header, now that we know what we want to say.
#
if (strcmp($uid, $target_uid)) {
PAGEHEADER("SFS Public Keys for user: $target_uid");
}
else {
PAGEHEADER("My SFS Public Keys");
}
#
# Get the list and show it.
#
$query_result =
DBQueryFatal("select * from user_sfskeys where uid='$target_uid'");
if (mysql_num_rows($query_result)) {
echo "<table align=center border=1 cellpadding=2 cellspacing=2>\n";
echo "<center>
Current sfs public keys for user $target_uid.
</center><br>\n";
echo "<tr>
<th>Delete?</th>
<th>Key</th>
</tr>\n";
while ($row = mysql_fetch_array($query_result)) {
$comment = $row[comment];
$pubkey = $row[pubkey];
$date = $row[stamp];
$fnote = "";
if (strstr($comment, $OURDOMAIN)) {
$fnote = "[<b>1</b>]";
}
$chunky = chunk_split("$pubkey $comment $fnote", 75, "<br>\n");
echo "<tr>
<td align=center>
<A href='deletesfskey.php3?target_uid=$target_uid" .
"&key=$comment'><img alt=X src=redball.gif></A>
</td>
<td>$chunky</td>
</tr>\n";
}
echo "</table>\n";
}
else {
echo "<center>
There are no sfs keys on file for user $target_uid!
</center>\n";
}
echo "<blockquote><blockquote><blockquote>
<ol>
<li> Please do not delete your Emulab generated SFS public key.
</ol>
</blockquote></blockquote></blockquote>\n";
echo "<br><hr size=4>\n";
echo "<center>
Enter sfs public keys for user ${target_uid}[<b>1</b>].
</center><br>\n";
if ($errors) {
echo "<table class=stealth
align=center border=0 cellpadding=0 cellspacing=2>
<tr>
<td class=stealth align=center colspan=3>
<font size=+1 color=red>
Oops, please fix the following errors!
</font>
</td>
</tr>\n";
while (list ($name, $message) = each ($errors)) {
echo "<tr>
<td class=stealth align=right>
<font color=red>$name:</font></td>
<td class=stealth>&nbsp</td>
<td class=stealth align=left>
<font color=red>$message</font></td>
</tr>\n";
}
echo "</table><br>\n";
}
echo "<table align=center border=1>
<form enctype=multipart/form-data
action=showsfskeys.php3?target_uid=$target_uid method=post>\n";
#
# SFS public key
#
echo "<tr>
<td>Insert Public Key</td>
<td><input type=text
name=\"formfields[usr_key]\"
value=\"$formfields[usr_key]\"
size=70
maxlength=1024>
</td>
</tr>\n";
#
# Verify with password.
#
if (!$isadmin) {
echo "<tr>
<td>Password[<b>3</b>]:</td>
<td class=left>
<input type=password
name=\"formfields[password]\"
size=8></td>
</tr>\n";
}
echo "<tr>
<td colspan=2 align=center>
<b><input type=submit name=submit value='Add New Key'></b>
</td>
</tr>\n";
echo "</form>
</table>\n";
echo "<blockquote><blockquote><blockquote>
<ol>
<li> Please consult our
<a href = 'docwrapper.php3?docname=security.html#SSH'>
security policies</a> for information
regarding ssh/sfs public keys.
<li> Note to <a href=http://www.opera.com><b>Opera 5</b></a> users:
The file upload mechanism is broken in Opera, so you cannot
specify a local file for upload. Instead, please paste your
key in.
<li> As a security precaution, you must supply your password
when adding new sfs public keys.
</ol>
</blockquote></blockquote></blockquote>\n";
echo "<font color=red>NOTE:</font> The SFS public key is somewhat
difficult to find. Unlike SSH (where the public is kept in
separate file), the SFS public key is contained in the same file
as the private key. This means you have to go into the file and
extract it so you can paste it into the form above. Yes, we could
take the entire key file and extract it for you, but we would
rather <b>NOT</b> see your private keys. So, if you read the key
file (typically ~/.sfs/identity) into your favorite editor, you
will see a number of comma (,) separated fields; we want the last
two. Basically, we want to see something like this in the
form when its posted:<br><br>
<center>
0x17efcbd7bb0c2f7ffba6bd705236f6<b>,</b>yourname@yourserver.your.org
</center>\n";
}
#
# On first load, display a form of current values.
#
if (! isset($submit) || isset($finished)) {
$defaults = array();
SPITFORM($defaults, 0);
PAGEFOOTER();
return;
}
#
# Otherwise, must validate and redisplay if errors
#
$errors = array();
$matches = array();
if (isset($formfields[usr_key]) &&
strcmp($formfields[usr_key], "")) {
#
# This is passed off to the shell, so taint check it.
#
if (! preg_match("/^[\w\n\,\@\.]*$/", $formfields[usr_key])) {
$errors["SFSKey"] = "Invalid characters";
}
else {
#
# Replace any embedded newlines first.
#
$formfields[usr_key] = ereg_replace("[\n]", "", $formfields[usr_key]);
#
# Must parse it and construct a key for the DB.
#
if (! preg_match("/(\w*),([-\w\@\.]*)/",
$formfields[usr_key], $matches)) {
$errors["SFSKey"] = "Invalid Key Format";
}
$pubkey = $matches[1];
$comment = $matches[2];
$tag = "$target_uid/" . substr(GENHASH(), 0, 8);
$usr_key = "$tag:$pubkey:$target_uid::";
#
# Must verify passwd to add keys.
#
if (! $isadmin) {
if (!isset($formfields[password]) ||
strcmp($formfields[password], "") == 0) {
$errors["Password"] = "Must supply a verification password";
}
elseif (VERIFYPASSWD($target_uid, $formfields[password]) != 0) {
$errors["Password"] = "Incorrect password";
}
}
}
}
else {
$errors["Missing Args"] = "Please supply an SFS key";
}
# Spit the errors
if (count($errors)) {
SPITFORM($formfields, $errors);
PAGEFOOTER();
return;
}
DBQueryFatal("replace into user_sfskeys ".
"values ('$target_uid', '$comment', '$usr_key', now())");
DBQueryFatal("update users set usr_modified=now() ".
"where uid='$target_uid'");
#
# Audit
#
TBUserInfo($uid, $uid_name, $uid_email);
TBUserInfo($target_uid, $targuid_name, $targuid_email);
$chunky = chunk_split("$usr_key $comment", 75, "\n");
TBMAIL("$targuid_name <$targuid_email>",
"SFS Public Key for '$target_uid' Added",
"\n".
"SFS Public Key for '$target_uid' added by '$uid'.\n".
"\n".
"$chunky\n".
"\n".
"Thanks,\n".
"Testbed Ops\n".
"Utah Network Testbed\n",
"From: $uid_name <$uid_email>\n".
"Cc: $TBMAIL_AUDIT\n".
"Errors-To: $TBMAIL_WWW");
#
# mkacct arranges for nodes to be updated.
#
#SUEXEC($uid, $TBADMINGROUP, "webmkacct -a $target_uid", 0);
header("Location: showsfskeys.php3?target_uid=$target_uid&finished=1");
?>
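Review bot: `SPITFORM` reads `$uid` in its `strcmp($uid, $target_uid)` header test and `$OURDOMAIN` in the `strstr` footnote check, but neither appears in its `global` declaration, so both are unset inside the function: the "My SFS Public Keys" title can never be chosen and the `[1]` footnote is never attached to the Emulab-generated key. The declaration should be `global $isadmin, $usr_keyfile_name, $target_uid, $BOSSNODE, $uid, $OURDOMAIN;`. The access check for this page requires only `$TB_USERINFO_READINFO` even though the same script adds keys, whereas deletesfskey.php3 in this commit demands `$TB_USERINFO_MODIFYINFO`; the non-admin password prompt verifies `$target_uid`'s password, which limits the exposure, but the two pages should agree on the permission level for a write path. When the second `preg_match` fails the code records the error but still falls through to `$pubkey = $matches[1]` on the next line, so that branch should end with `else` around the assignments (or an early redisplay) rather than reading an undefined index, and the Opera 5 footnote refers to a file-upload control this form does not have.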