Commit 5a13ba08 authored by Leigh Stoller's avatar Leigh Stoller

Generate separate email to users about bogus passwords, with some instructions about what to do and stern warnings.
parent a47da297
......@@ -48,6 +48,8 @@ my %pools = ();
# Configure ...
my $TB = "@prefix@";
my $TBOPS = "@TBOPSEMAIL@";
my $TBLOGS = "@TBLOGSEMAIL@";
my $PGENISUPPORT = @PROTOGENI_SUPPORT@;
my $MEDUSA = "/usr/local/bin/medusa";
# Medusa options.
......@@ -58,6 +60,10 @@ my $MEDUSAOPTS = "-R 0 -T 10 -t 5 -b -e ns -w 3";
my $SSHOPTS = "-M ssh -H $HOSTFILE -U $USERFILE -P $WORDFILE";
my $VNCOPTS = "-M vnc -H $HOSTFILE -u admin -p vnc"; # Ports 5900-5902.
# For Geni slices: do this early so that we talk to the right DB.
use vars qw($GENI_DBNAME);
$GENI_DBNAME = "geni-cm";
use lib '@prefix@/lib';
use emdb;
use emutil;
......@@ -65,9 +71,13 @@ use libtestbed;
use User;
use Experiment;
use Project;
if ($PGENISUPPORT) {
require GeniSlice;
require GeniUser;
}
# Protos
sub RunMedusa($$);
sub RunMedusa($$$);
sub fatal($)
{
......@@ -122,9 +132,30 @@ while (my ($node_id,$IP,$pid,$eid) = $query_result->fetchrow_array()) {
my $experiment = Experiment->Lookup($pid,$eid);
my $project = Project->Lookup($pid);
if ($experiment && $project) {
$nodes{$IP}->{"experiment"} = $experiment;
$nodes{$IP}->{"project"} = $project;
$nodes{$IP}->{"eid"} = $experiment->eid();
$nodes{$IP}->{"url"} = "@TBBASE@" . "/showexp.php3?pid=$pid&eid=$eid";
#
# Find user email for telling them.
#
my $email;
if ($experiment->geniflags()) {
my $slice = GeniSlice->LookupByExperiment($experiment);
if (defined($slice)) {
my $geniuser = GeniUser->Lookup($slice->creator_uuid(), 1);
if (defined($geniuser)) {
$email = $geniuser->email();
}
}
}
else {
my $user = $experiment->GetCreator();
if (defined($user)) {
$email = $user->email();
}
}
$nodes{$IP}->{"email"} = $email if (defined($email));
}
}
......@@ -143,35 +174,71 @@ while (my ($pool_id,$IP,$pid,$eid) = $query_result->fetchrow_array()) {
my $experiment = Experiment->Lookup($pid,$eid);
my $project = Project->Lookup($pid);
if ($experiment && $project) {
$pools{$IP}->{"experiment"} = $experiment;
$pools{$IP}->{"project"} = $project;
$pools{$IP}->{"eid"} = $experiment->eid();
$pools{$IP}->{"url"} = "@TBBASE@" . "/showexp.php3?pid=$pid&eid=$eid";
#
# Find user email for telling them.
#
my $email;
if ($experiment->geniflags()) {
my $slice = GeniSlice->LookupByExperiment($experiment);
if (defined($slice)) {
my $geniuser = GeniUser->Lookup($slice->creator_uuid(), 1);
if (defined($geniuser)) {
$email = $geniuser->email();
}
}
}
else {
my $user = $experiment->GetCreator();
if (defined($user)) {
$email = $user->email();
}
}
$pools{$IP}->{"email"} = $email if (defined($email));
}
}
close(HOSTS);
RunMedusa("$SSHOPTS $MEDUSAOPTS", 900);
RunMedusa("$VNCOPTS -n 5900 $MEDUSAOPTS", 500);
RunMedusa("$VNCOPTS -n 5901 $MEDUSAOPTS", 500);
RunMedusa("$VNCOPTS -n 5902 $MEDUSAOPTS", 500);
RunMedusa("$SSHOPTS $MEDUSAOPTS", 1200,
"Insecure passwords for SSH");
RunMedusa("$VNCOPTS -n 5900 $MEDUSAOPTS",
"Insecure VNC password on port 5900", 500);
RunMedusa("$VNCOPTS -n 5901 $MEDUSAOPTS",
"Insecure VNC password on port 5901", 500);
RunMedusa("$VNCOPTS -n 5902 $MEDUSAOPTS",
"Insecure VNC password on port 5902", 500);
exit(0);
#
# Run medusa with limits
#
sub RunMedusa($$)
sub RunMedusa($$$)
{
my ($options, $timeout) = @_;
my ($options, $timeout, $subject) = @_;
my $start = time();
if ($debug) {
print "Running with '$options'\n";
}
my $warning =
"If the warnings are about SSH passwords (no password, or an easily\n".
"guessable password), then please change the password for the account\n".
"using the passwd command. Always use a STRONG password!\n\n".
"If the warnings are about VNC passwords, then you should either\n".
"1) change your VNC setup to listen on 127.0.0.0 and use SSH tunneling,".
"or\n".
"2) Change the password on the vnc account to a STRONG password.\n\n".
"Failure to resolve this matter immediately may result in your\n".
"experiment being terminated with no further warning.\n";
#
# Medusa spits out offending accounts line by line.
#
my $output = "";
my $warnings = "";
my %emails = ();
#
# This open implicitly forks a child, which goes on to execute the
......@@ -197,22 +264,42 @@ sub RunMedusa($$)
while (<PIPE>) {
$output .= $_;
if ($_ =~ /^ACCOUNT FOUND:[^\d]+([\d\.]+)\s+(.*)$/) {
if ($_ =~ /^ACCOUNT FOUND:[^\d]+([\d\.]+)\s+(.*)\s*\[SUCCESS\]\s*$/) {
if (exists($nodes{$1})) {
my $nodeinfo = $nodes{$1};
my $node_id = $nodeinfo->{"node_id"};
my $url = $nodeinfo->{"url"};
my $eid = $nodeinfo->{"eid"};
$warnings .= "Node: $node_id:$1 $2\n";
$warnings .= " $url\n" if (defined($url));
if (exists($nodeinfo->{"email"})) {
my $email = $nodeinfo->{"email"};
if (!exists($emails{$email})) {
$emails{$email} = "";
}
$emails{$email} .=
"Node: $node_id ($1) - $2\n" .
" Experiment $eid\n";
}
}
elsif (exists($pools{$1})) {
my $poolinfo = $pools{$1};
my $pool_id = $poolinfo->{"pool_id"};
my $url = $poolinfo->{"url"};
my $eid = $poolinfo->{"eid"};
$warnings .= "Pool: $pool_id:$1 $2\n";
$warnings .= " $url\n" if (defined($url));
if (exists($poolinfo->{"email"})) {
my $email = $poolinfo->{"email"};
if (!exists($emails{$email})) {
$emails{$email} = "";
}
$emails{$email} .=
"Pool: $pool_id:$1 - $2\n" .
" Experiment $eid\n";
}
}
else {
$warnings .= $_;
......@@ -231,6 +318,12 @@ sub RunMedusa($$)
$warnings . "\n\n" . "Command options: $options\n".
$TBOPS);
}
foreach my $email (keys(%emails)) {
SENDMAIL($email,
"WARNING: insecure passwords!",
"$subject:\n" . $emails{$email} . "\n" . $warning,
$TBLOGS);
}
if ($?) {
if ($? == 15) {
print STDERR "$MEDUSA runaway was just killed!\n";
......
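Review bot: The three VNC calls to RunMedusa pass the subject before the timeout, but the new body unpacks `my ($options, $timeout, $subject) = @_;`, so `$timeout` receives the string and `$subject` receives 500; only the SSH call has the order right. The code that consumes `$timeout` is outside the visible hunks, but a non-numeric string there presumably evaluates to 0, which would leave the VNC scans without the intended limit, and the user mail would open with `500:`. Swap the arguments, e.g. `RunMedusa("$VNCOPTS -n 5900 $MEDUSAOPTS", 500, "Insecure VNC password on port 5900");`, and likewise for 5901 and 5902. In the same hunk the `$warning` text tells users to listen on `127.0.0.0`, which should read `127.0.0.1`, and `tunneling,".` followed by `"or\n"` is missing a space. Separately, the per-user mail built in the parsing hunk embeds `$2` from the medusa line, which likely includes the guessed password; consider mailing only the account name, so the credential does not travel in clear text to the user and to `$TBLOGS`.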