1. 13 Dec, 2005 2 commits
  2. 12 Dec, 2005 2 commits
    • Several changes; · be9e6fbe
      Leigh Stoller authored
      * Add creation of no-passphrase Protocol 2 RSA key in addition to
        Protocol 1 key. Currently Protocol 1 will continue to be generated,
        until we figure out an acceptable way to conditionalize this for old
        and new sites.
      
      * No longer generate authorized_keys2 file. All keys go in the main
        file, and the authorized_keys2 file is deleted if it exists, after
        successful creation of the main file.
      
      * When regenerating the Emulab keys, read the current .pub file in and
        delete the existing keys from the DB.
  3. 10 Nov, 2005 1 commit
  4. 14 Oct, 2005 2 commits
  5. 04 Oct, 2005 1 commit
  6. 26 Sep, 2005 1 commit
  7. 20 Sep, 2005 1 commit
    • Checkpoint Chat Support stuff; mostly working but still needs work. · 90cdfb60
      Leigh Stoller authored
      Ready for local people to play with.
      
      The current implementation is that we munge the mysql DB on ops directly,
      underneath jabberd. We add/del users from the authreg table, and set up
      buddy lists in the roster-items and roster-groups tables. modgroups will
      invoke the modjabberbuddies whenever a user is added or removed from a
      group, although currently I am building buddy lists for just the top level
      projects.
      
      The "My IM" link in the collaboration menu will tell the user their
      jabber ID on the Emulab chat server (jabber.emulab.net) and also give
      them their plain text password to plug into their chat client.
      
      I also installed a java applet (Jeti) that is a simple chat client that
      I found off the jabberware page. Like all applets, it exhibits a degree
      of flakiness, but I really do not expect too many people to use it.
  8. 14 Sep, 2005 1 commit
    • Changes related to allowing separate 'fs' (file server) node. · c53d5827
      Mike Hibler authored
      Entailed new instructions for manual setup as well as integration into
      elabinelab framework.  First, the manual path:
      
      setup.txt, setup-boss.txt, setup-ops.txt and new setup-fs.txt:
          Updated to reflect potential for separate fs node.  The org here
          is a little dicey and could be confusing with ops+fs vs. ops and fs.
          Has not been field tested yet.
      
      */GNUmakefile.in: new fs-install target.
      
      configure, configure.in, defs-*:
          Somewhat unrelated, make min uid/gid to use be a defs setting.
          Also add config of fs-install.in script.
      
      boss-install.in, ops-install.in and new fs-install.in:
          Handle distinct fs node.  If you have one, fs-install is run before
          ops-install.  All scripts rely on the defs file settings of FSNODE
          and USERNODE to determine if the fs node is separate.
      
      utils/checkquota.in:
          Just return "ok" if quotas are not used (i.e., if defs file FS_WITH_QUOTA
          string is null).
      
      install/ports/emulab-fs:
          Meta port for fs node specific stuff.  Also a patch for the samba port
          Makefile so it doesn't drag in CUPs, etc.  Note that the current samba
          port Makefile has this change, I am just backporting to our version.
      
      Elabinelab specific changes:
      
      elabinelab-withfs.ns:
          NS fragment used in conjunction with
      	tb-elab-in-elab-topology "withfs"
          to setup inner-elab with fs node.
      
      elabinelab.ns:
          The hard work on the boss side.  Recognize separate-fs config and handle
          running of rc.mkelab on that node.  fs setup happens before ops setup.
      
      rc.mkelab:
          The hard work on the client side.  Recognize FsNode setup as well as
          differentiate ops+fs from ops setup.
      
      Related stuff either not part of the repo or checked in previously:
          emulab-fs package
  9. 20 Jul, 2005 1 commit
  10. 24 Jun, 2005 1 commit
  11. 14 Jun, 2005 1 commit
  12. 02 Jun, 2005 1 commit
  13. 31 May, 2005 1 commit
  14. 25 Mar, 2005 1 commit
    • Okay, I think I am finally done with WikiWhacking (or WhackingTheWiki?) · 90dcbbe2
      Leigh Stoller authored
      for the near future. Two big changes:
      
      * Add WikiOnly accounts. An external user can register for an account on
        the wiki. Rather than use the registration stuff that comes with TWiki,
        redirect to new Emulab web page so we can manage all of the wiki accounts
        from one place. I modified the joinproject page to spit out a subset of
        the required fields so that it's simple to get a wiki only account (just a
        few things to fill in).
      
        In keeping with current security practices, we still generate a
        verification email message to ensure the email address works. However,
        when the user completes the verification, the wiki account is created right
        away, rather than waiting for someone to approve it (since that would
        defeat the entire point of the wiki).
      
        Aside: I have not thought much about the conversion from a wiki-only
        account to a real account. That is going to happen, and it would be nice
        if that step did not require one of us to go in and hack the DB. Will
        cross that moat later.
      
        Aside: Rather than beat up on the modify user info page too much, I continue
        to spit out the same form, but mark most of the fields as not required,
        and allow wiki-only people to not specify them.
      
      * Both the joinproject and newproject pages sport a new WikiName field so
        that users can select their own WikiName. I added some JavaScript to
        both pages that generate a suitable wikiname from the FullName field, so
        that as soon as the user clicks out of the FullName, a default wikiname is
        inserted in the field.
      
        Both pages verify the wikinames by checking to make sure it is not
        already in use, and that it meets the WikiRules for WikiTopic names.
        (someone please shoot me if I continue to use WikiNotation).
  15. 21 Mar, 2005 1 commit
  16. 31 Jan, 2005 1 commit
  17. 18 Jan, 2005 1 commit
  18. 03 Dec, 2004 1 commit
  19. 26 Oct, 2004 1 commit
  20. 25 Oct, 2004 1 commit
  21. 17 Sep, 2004 3 commits
  22. 08 Sep, 2004 2 commits
    • Two changes. · 9992ae20
      Leigh Stoller authored
      * When generating the initial ssh key, use -C option to keygen so that
        the comment field is rational. Now set to $user@$domain.
      
      * Add -f (force) option to use in conjunction with -i (inituser)
        option to regenerate the initial (unencrypted) ssh key. The user's
        auth_keys files are regenerated as well.
      
        The bad thing about all this is that you have to go remove any old
        keys by hand via the web interface since we do not mark the key we
        generate in the DB.
    • Fix shell quoting problem which I indirectly introduced just before · 9b8f4519
      Leigh Stoller authored
      the big power down when I changed sshtb to not invoke a subshell
      wrapper, but to exec ssh directly. Built into tbacct was an extra pair
      of \\ escapes to protect the outer double quotes from that extra
      subshell.  When I removed that subshell, the extra escapes wreaked
      havoc.
      
      Needless to say, I really want to change how accounts are built on ops
      to use tmcd like a regular experimental node. We can almost do that
      now, except for the little detail that sending over 800 users would be
      a lot of traffic for single updates. I've been meaning to extend the
      protocol to allow for single updates, but have not had time yet!
  23. 01 Sep, 2004 2 commits
    • 23341ef7
    • SSL version of the XMLRPC server. · a9c1045e
      Leigh Stoller authored
      * SSL based server (sslxmlrpc_server.py) that wraps the existing Python
        classes (what we export via the existing ssh XMLRPC server). I also have a
        demo client that is analogous to the ssh demo client (sslxmlrpc_client.py).
        This client looks for an ssl cert in the user's .ssl directory, or you can
        specify one on the command line. The demo client is installed on ops, and
        is in the downloads directory with the rest of the xmlrpc stuff we export
        to users. The server runs as root, forking a child for each connection and
        logs connections to /usr/testbed/log/sslxmlrpc.log via syslog.
      
      * New script (mkusercert) generates SSL certs for users. Two modes of
        operation; when called from the account creation path, generates an
        unencrypted private key and certificate for use on Emulab nodes (this is
        analogous to the unencrypted SSH key we generate for users). The other mode
        of operation is used to generate an encrypted private key so that the user
        can drag a certificate to their home/desktop machine.
      
      * New webpage (gensslcert.php3) linked in from the My Emulab page that
        allows users to create a certificate. The user is prompted for a pass
        phrase to encrypt the private key, as well as the user's current Emulab
        login password. mkusercert is called to generate the certificate, and the
        result is stored in the user's ~/.ssl directory, and spit back to the user
        as a text file that can be downloaded and placed in the user's homedir on
        their local machine.
      
      * The server needs to associate a certificate with a user so that it can
        flip to that user in the child after it forks. To do that, I have stored
        the uid of the user in the certificate. When a connection comes in, I grab
        the uid out of the certificate and check it against the DB. If there is a
        match (see below) the child does the usual setgid,setgroups,setuid to the
        user, instantiates the Emulab server class, and dispatches the method. At
        the moment, only one request per connection is dispatched. I'm not sure
        how to do a persistent connection on the SSL path, but probably not a big
        deal right now.
      
      * New DB table user_sslcerts that stores the PEM formatted certificates and
        private keys, as well as the serial number of the certificate, for each
        user. I also mark if the private key is encrypted or not, although not
        making any use of this data. At the moment, each user is allowed to get
        one unencrypted cert/key pair and one encrypted cert/key pair. No real
        reason except that I do not want to spend too much time on this until we
        see how/if it gets used. Anyway, the serial number is used as a crude form
        of certificate revocation. When the connection is made, I suck the serial
        number and uid out of the certificate, and look for a match in the table.
        If cert serial number does not match, the connection is rejected. In other
        words, revoking a certificate just means removing its entry from the DB
        for that user. I could also compare the certificate itself, but I am not
        sure what purpose that would serve since that is what the SSL handshake is
        supposed to take care of, right?
      
      * Updated the documentation for the XMLRPC server to mention the existence
        of the SSL server and client, with a pointer into the downloads directory
        where users can pick up the client.
  24. 09 Aug, 2004 1 commit
    • Some cleanups and performance improvements: · f604dc33
      Leigh Stoller authored
      * Be more selective about what lists are regenerated; we were generating
        way too many lists each time called. When calling from tbswap, use new
        -t option to generate just the active lists. When called from setgroups,
        use -p option to generate lists just for the project. Add update option
        for when user changes email address (and all lists really do need to be
        regenerated).
      
      * Add "diff" processing. Instead of blindly firing each new list over to
        ops with ssh, store a copy of all of the lists in
        /usr/testbed/lists. After we generate the new list, diff it against the
        stored copy. If the same, skip it. Otherwise stash new copy and fire it
        over. This should reduce the wait times by quite a bit since the lists
        rarely change (except for the activity lists of course).
      
      * Add -n (impotent) option for debugging; skips the ssh over to ops.
      
      * Reorg a lot of stuff; it was getting hard to follow.
  25. 13 Apr, 2004 1 commit
  26. 17 Mar, 2004 1 commit
  27. 04 Mar, 2004 1 commit
  28. 09 Feb, 2004 1 commit
  29. 24 Oct, 2003 1 commit
  30. 13 Oct, 2003 2 commits
  31. 18 Aug, 2003 1 commit
  32. 06 Aug, 2003 1 commit