Opened 8 years ago

Last modified 7 years ago

#110 new

SSH Keys: The keys of only one user are installed in the nodes

Reported by: nriga@bbn.com
Owned by: somebody
Priority: major
Milestone:
Component: AM
Version: SPIRAL4
Keywords:
Cc:
Dependencies:

Description

Createsliver gives a user the capability to provide login information for multiple users. When multiple users are provided, only a key from one of the users is installed in the nodes.

Ideally we would like separate accounts for each user, i.e. if users alice and bob are specified then two accounts should be created, one for alice and one for bob. Alice should be able to log in to the nodes using her ssh keys, while Bob should be able to log in using his ssh keys.

If the above behavior is not feasible, then the next best thing is for all the keys of all the users to be installed for the default user "root". In the above example all the keys of Alice and all the keys of Bob should be in the authorized_keys file of the root user.

Change History (3)

comment:1 Changed 7 years ago by lnevers@bbn.com

Created a sliver with 3 user accounts. The sliver was successful, but was not able to log in as any of the users requested. Problem remains.

comment:2 Changed 7 years ago by lnevers@bbn.com

Using version "ORCA Dungeness: v.4.0-SNAPSHOT.build-5468" on the NICTA rack was able to verify the ability to support multiple users for a sliver.

Test includes 4 users (lnevers, lnevers1, lnever2 and inki). Verified access from each user (lnevers, lnever1, lnever2); did not access with inki account (Niki's keys), but was able to find inki's keys in ~/.ssh/authorized_keys. Verified all keys existed on each one of the 4 hosts that were part of the sliver.

comment:3 Changed 7 years ago by lnevers@bbn.com

The original ticket requests that individual user accounts be created rather than the root account being the one login used by all. The root account is still the only account available whether one user or multiple user keys are uploaded. The request for individual user login remains unaddressed. Ticket remains open for this portion of the original request.

Multiple keys are uploaded and this was verified using version 'ORCA Dungeness: v.4.0-SNAPSHOT.build-5495' on the GPO rack. Test created a sliver which had 3 sets of keys associated with it. Key upload verification:

$ readyToLogin.py -a eg-gpo lnexpires
<...>
User root logs in to geni1 using:
	ssh -i /home/lnevers/.ssh/id_rsa root@192.1.242.14
	ssh -i /home/lnevers2/.ssh/id_rsa root@192.1.242.14
	ssh -i /home/lnevers1/.ssh/id_rsa root@192.1.242.14

Logged in to the node to verify keys are present:

$ ssh -i /home/lnevers/.ssh/id_rsa root@192.1.242.14
Linux debian 2.6.32-5-amd64 #1 SMP Mon Jan 16 16:22:28 UTC 2012 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 19 15:24:02 2012 from dhcp152-54-9-28.europa.renci.org
root@debian:~# cat .ssh/authorized_keys 

# The following ssh key was injected by Nova
root@debian:~# 
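
The check done by hand in comment 3, as an added example that is not part of the original ticket: it compares the keys in an authorized_keys file against the keys each user submitted, matching on key fingerprint rather than on the trailing comment, which is free text. The users alice and bob come from the description; `fingerprint`, `audit`, `make_key` and all key material are constructed for illustration.

```python
import base64, hashlib, re, struct

# <key type> <base64 blob>, optionally preceded by an options field.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one public-key line, or None if invalid."""
    for m in KEY_RE.finditer(line):
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed copy of the key type; it must match.
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != m.group(1).encode():
            continue
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def audit(authorized_keys_text, expected):
    """expected maps user -> public-key lines submitted for that user.
    Returns (missing fingerprints per user, installed fingerprints nobody submitted)."""
    installed = set()
    for line in authorized_keys_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            installed.add(fingerprint(line))
    installed.discard(None)
    wanted = {u: {fingerprint(k) for k in keys} for u, keys in expected.items()}
    missing = {u: sorted(f - installed) for u, f in wanted.items() if f - installed}
    known = set().union(*wanted.values())
    return missing, sorted(installed - known)

def make_key(seed, comment):
    """Constructed, syntactically valid ed25519 public-key line (not a real key)."""
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    body = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"ssh-ed25519 {base64.b64encode(body).decode()} {comment}"

ALICE, BOB = make_key(1, "alice@laptop"), make_key(2, "bob@desk")
NOVA = make_key(9, "nova@headnode")  # stands in for the platform-injected key
EXPECTED = {"alice": [ALICE], "bob": [BOB]}
# Constructed file showing the reported behaviour: only one user's key is installed.
# The third line reuses bob's comment with different key material.
BUGGY = f"# injected\n{NOVA}\n{ALICE}\n{make_key(3, 'bob@desk')}\n"
# Constructed file with every submitted key present (one carries an options field).
FIXED = f"{NOVA}\n{ALICE}\n\nfrom=\"192.0.2.0/24\" {BOB}\n"

if __name__ == "__main__":
    for name, text in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, audit(text, EXPECTED))
```
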