Changes between Version 18 and Version 19 of GENIRacksHome/ExogeniRacks/AcceptanceTestStatus/EG-ADM-2


Timestamp:
07/23/12 16:21:35 (9 years ago)
Author:
chaos@bbn.com
Comment:

--

  • GENIRacksHome/ExogeniRacks/AcceptanceTestStatus/EG-ADM-2

    v18 v19  
    55''This page is GPO's working page for performing EG-ADM-2.  It is public for informational purposes, but it is not an official status report.  See [wiki:GENIRacksHome/ExogeniRacks/AcceptanceTestStatus] for the current status of ExoGENI acceptance tests.''
    66
    7 ''Last substantive edit of this page: 2012-05-28''
     7''Last substantive edit of this page: 2012-07-23''
    88
    99== Page format ==
     
    1919== Status of test ==
    2020
    21 || '''Step''' || '''State'''                               || '''Date completed''' || '''Open Tickets''' || '''Closed Tickets/Comments'''                                                                    ||
    22 || 1A         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:34]     || blocked on information about bbn-hn configuration                                                ||
    23 || 1B         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
    24 || 1C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
    25 || 2A         || [[Color(yellow,Complete)]]                ||                      ||                    || retest when experiments are known to be running on the worker                                    ||
    26 || 2B         || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on retest of 2A; this is n/a if no public IPs                                            ||
    27 || 2C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
    28 || 3A         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    || ([exoticket:10]) ready to test                                                                   ||
    29 || 3B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-27           ||                    || enable mode on switch not available to site admins, but available information appears sufficient ||
    30 || 3C         || [[Color(green,Pass)]]                     || 2012-05-28           ||                    ||                                                                                                  ||
    31 || 3D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                            ||
    32 || 4A         ||                                           ||                      ||                    || ([exoticket:10]) ready to test                                                                   ||
    33 || 4B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || enable mode on switch not available to site admins, but available information seems sufficient ||
    34 || 4C         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || http access may be enabled, but probably does not work at all, and at most works on the private network ||
    35 || 4D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                            ||
     21|| '''Step''' || '''State'''                               || '''Date completed''' || '''Open Tickets''' || '''Closed Tickets/Comments'''                                                                             ||
     22|| 1A         || [[Color(#63B8FF,In Progress)]]            ||                      || [exoticket:34]     || iterating about bbn-hn configuration                                                                      ||
     23|| 1B         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
     24|| 1C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
     25|| 2A         || [[Color(yellow,Complete)]]                ||                      ||                    || retest when experiments are known to be running on the worker                                             ||
     26|| 2B         || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on retest of 2A; this is n/a if no public IPs                                                     ||
     27|| 2C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
     28|| 3A         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    || ([exoticket:10]) ready to test                                                                            ||
     29|| 3B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-27           ||                    || enable mode on switch not available to site admins, but available information appears sufficient          ||
     30|| 3C         || [[Color(green,Pass)]]                     || 2012-05-28           ||                    ||                                                                                                           ||
     31|| 3D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                                     ||
     32|| 4A         ||                                           ||                      ||                    || ([exoticket:10]) ready to test                                                                            ||
     33|| 4B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || enable mode on switch not available to site admins, but available information seems sufficient            ||
     34|| 4C         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || http access may be enabled, but probably does not work at all, and at most works on the private network   ||
     35|| 4D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                                     ||
    3636|| 5          || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on EG-ADM-1 step 4C (i need to investigate the network topology to figure out where to test from) ||
    3737
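Review bot: In the status table, row 1A is the only row whose content changes (Blocked to In Progress, comment now "iterating about bbn-hn configuration"), but every row from the header through 4D is rewritten to widen the last column, which buries the one real change in the diff. Consider leaving the column padding alone in this revision, and have the 1A comment point to the "Results of testing step 1A: 2012-07-23" section so that a reader of the table can find what this round of testing showed.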
     
    9696I opened exoticket:34 to request explanation of the protection mechanisms on bbn-hn, so i can redo this test and verify that they work and seem likely to be sufficient.
    9797
     98==== Results of testing step 1A: 2012-07-23 ====
     99
     100According to [http://groups.geni.net/exogeni/ticket/34#comment:1], i should expect:
     101 * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as valid user chaos, and fail five times, my IP address will be added to `/etc/hosts.deny`
     102 * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as invalid user xyzzy, and fail a smaller number of times, my IP address will be added to `/etc/hosts.deny`.
     103 * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as root, and fail a smaller number of times, my IP address will be added to `/etc/hosts.deny`.
     104
     105Testing this:
     106 * Look at `/etc/hosts.deny`:
     107{{{
     108bbn-hn,[~],20:06(0)$ cat /etc/hosts.deny
     109...
     110# DenyHosts: Mon Jul 23 18:10:48 2012 | sshd: 192.96.129.254
     111sshd: 192.96.129.254
     112}}}
     113 * Try to login from tarabon.gpolab.bbn.com and fail five times:
     114{{{
     115tarabon,[~],16:09(0)$ ssh bbn-hn.exogeni
     116The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
     117RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
     118Are you sure you want to continue connecting (yes/no)? yes
     119Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
     120chaos@bbn-hn.exogeni's password:
     121Permission denied, please try again.
     122chaos@bbn-hn.exogeni's password:
     123Permission denied, please try again.
     124chaos@bbn-hn.exogeni's password:
     125Permission denied (publickey,password).
     126tarabon,[~],16:09(255)$ ssh bbn-hn.exogeni
     127chaos@bbn-hn.exogeni's password:
     128Permission denied, please try again.
     129chaos@bbn-hn.exogeni's password:
     130Permission denied, please try again.
     131chaos@bbn-hn.exogeni's password:
     132Permission denied (publickey,password).
     133tarabon,[~],16:10(255)$ ssh bbn-hn.exogeni
     134chaos@bbn-hn.exogeni's password:
     135Permission denied, please try again.
     136chaos@bbn-hn.exogeni's password:
     137Permission denied, please try again.
     138chaos@bbn-hn.exogeni's password:
     139Permission denied (publickey,password).
     140tarabon,[~],16:10(255)$ ssh bbn-hn.exogeni
     141chaos@bbn-hn.exogeni's password:
     142Permission denied, please try again.
     143chaos@bbn-hn.exogeni's password:
     144Permission denied, please try again.
     145chaos@bbn-hn.exogeni's password:
     146Permission denied (publickey,password).
     147tarabon,[~],16:11(255)$ ssh bbn-hn.exogeni
     148ssh_exchange_identification: Connection closed by remote host
     149tarabon,[~],16:11(255)$
     150}}}
     151 * And then look at hosts.deny again:
     152{{{
     153bbn-hn,[~],20:11(0)$ cat /etc/hosts.deny
     154...
     155# DenyHosts: Mon Jul 23 20:11:11 2012 | sshd: 128.89.91.28
     156sshd: 128.89.91.28
     157}}}
     158 So, with a known user, it let me try 12 passwords.
     159 * Okay, now trying to login as xyzzy from another lab host in the same subnet, picon.gpolab.bbn.com:
     160{{{
     161picon,[~],16:14(0)$ ssh xyzzy@bbn-hn.exogeni
     162The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
     163RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
     164Are you sure you want to continue connecting (yes/no)? yes
     165Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
     166xyzzy@bbn-hn.exogeni's password:
     167Permission denied, please try again.
     168xyzzy@bbn-hn.exogeni's password:
     169Permission denied, please try again.
     170xyzzy@bbn-hn.exogeni's password:
     171Permission denied (publickey,password).
     172picon,[~],16:15(255)$ ssh xyzzy@bbn-hn.exogeni
     173xyzzy@bbn-hn.exogeni's password:
     174Permission denied, please try again.
     175xyzzy@bbn-hn.exogeni's password:
     176Permission denied, please try again.
     177xyzzy@bbn-hn.exogeni's password:
     178Permission denied (publickey,password).
     179picon,[~],16:15(255)$ ssh xyzzy@bbn-hn.exogeni
     180ssh_exchange_identification: Connection closed by remote host
     181picon,[~],16:15(255)$
     182}}}
     183 * And, indeed:
     184{{{
     185bbn-hn,[~],20:16(0)$ cat /etc/hosts.deny
     186...
     187# DenyHosts: Mon Jul 23 20:15:43 2012 | sshd: 128.89.91.48
     188sshd: 128.89.91.48
     189}}}
     190 * Now trying login as root from another lab machine, virgon.gpolab.bbn.com:
     191{{{
     192virgon,[~],16:16(0)$ ssh root@bbn-hn.exogeni
     193The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
     194RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
     195Are you sure you want to continue connecting (yes/no)? yes
     196Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
     197root@bbn-hn.exogeni's password:
     198Permission denied, please try again.
     199root@bbn-hn.exogeni's password:
     200Permission denied, please try again.
     201root@bbn-hn.exogeni's password:
     202Permission denied (publickey,password).
     203virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
     204root@bbn-hn.exogeni's password:
     205Permission denied, please try again.
     206root@bbn-hn.exogeni's password:
     207Permission denied, please try again.
     208root@bbn-hn.exogeni's password:
     209Permission denied (publickey,password).
     210virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
     211root@bbn-hn.exogeni's password:
     212Permission denied, please try again.
     213root@bbn-hn.exogeni's password:
     214Permission denied, please try again.
     215root@bbn-hn.exogeni's password:
     216Permission denied (publickey,password).
     217virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
     218ssh_exchange_identification: Connection closed by remote host
     219virgon,[~],16:17(255)$
     220}}}
     221 * And, indeed:
     222{{{
     223bbn-hn,[~],20:18(0)$ cat /etc/hosts.deny
     224...
     225# DenyHosts: Mon Jul 23 20:17:43 2012 | sshd: 128.89.91.49
     226sshd: 128.89.91.49
     227}}}
     228
     229
    98230=== Step 1B: verify the absence of common unencrypted login protocols ===
    99231
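Review bot: The new "Results of testing step 1A: 2012-07-23" section gives a count only for the known-user case ("it let me try 12 passwords") and never compares it with the expectation listed at the top of the section, where five failures as a valid user should add the address to `/etc/hosts.deny`. The xyzzy transcript (two sessions of three password prompts before the connection was closed) and the root transcript (three sessions of three prompts) end at "And, indeed:" with no summary line, although both were expected to be blocked after a smaller number of failures than a valid user, and root was allowed more prompts than xyzzy. Add a one-line result for each of the three cases and an explicit statement of whether step 1A passes or what is still open on exoticket:34. It would also help to note that the bbn-hn prompts and the DenyHosts timestamps read 20:xx while the client prompts read 16:xx, so a reader can line up each block time with the attempts that caused it.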