Changes between Version 18 and Version 19 of GENIRacksHome/ExogeniRacks/AcceptanceTestStatus/EG-ADM-2

Timestamp:

07/23/12 16:21:35 (12 years ago)

Author:

chaos@bbn.com

Comment:

--

GENIRacksHome/ExogeniRacks/AcceptanceTestStatus/EG-ADM-2

@@ -5 +5 @@
 ''This page is GPO's working page for performing EG-ADM-2.  It is public for informational purposes, but it is not an official status report.  See [wiki:GENIRacksHome/ExogeniRacks/AcceptanceTestStatus] for the current status of ExoGENI acceptance tests.''
 
-''Last substantive edit of this page: 2012-05-28''
+''Last substantive edit of this page: 2012-07-23''
 
 == Page format ==
@@ -19 +19 @@
 == Status of test ==
 
-|| '''Step''' || '''State'''                               || '''Date completed''' || '''Open Tickets''' || '''Closed Tickets/Comments'''                                                                    ||
-|| 1A         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:34]     || blocked on information about bbn-hn configuration                                                ||
-|| 1B         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
-|| 1C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
-|| 2A         || [[Color(yellow,Complete)]]                ||                      ||                    || retest when experiments are known to be running on the worker                                    ||
-|| 2B         || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on retest of 2A; this is n/a if no public IPs                                            ||
-|| 2C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                  ||
-|| 3A         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    || ([exoticket:10]) ready to test                                                                   ||
-|| 3B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-27           ||                    || enable mode on switch not available to site admins, but available information appears sufficient ||
-|| 3C         || [[Color(green,Pass)]]                     || 2012-05-28           ||                    ||                                                                                                  ||
-|| 3D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                            ||
-|| 4A         ||                                           ||                      ||                    || ([exoticket:10]) ready to test                                                                   ||
-|| 4B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || enable mode on switch not available to site admins, but available information seems sufficient ||
-|| 4C         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || http access may be enabled, but probably does not work at all, and at most works on the private network ||
-|| 4D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                            ||
+|| '''Step''' || '''State'''                               || '''Date completed''' || '''Open Tickets''' || '''Closed Tickets/Comments'''                                                                             ||
+|| 1A         || [[Color(#63B8FF,In Progress)]]            ||                      || [exoticket:34]     || iterating about bbn-hn configuration                                                                      ||
+|| 1B         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
+|| 1C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
+|| 2A         || [[Color(yellow,Complete)]]                ||                      ||                    || retest when experiments are known to be running on the worker                                             ||
+|| 2B         || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on retest of 2A; this is n/a if no public IPs                                                     ||
+|| 2C         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    ||                                                                                                           ||
+|| 3A         || [[Color(green,Pass)]]                     || 2012-05-27           ||                    || ([exoticket:10]) ready to test                                                                            ||
+|| 3B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-27           ||                    || enable mode on switch not available to site admins, but available information appears sufficient          ||
+|| 3C         || [[Color(green,Pass)]]                     || 2012-05-28           ||                    ||                                                                                                           ||
+|| 3D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                                     ||
+|| 4A         ||                                           ||                      ||                    || ([exoticket:10]) ready to test                                                                            ||
+|| 4B         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || enable mode on switch not available to site admins, but available information seems sufficient            ||
+|| 4C         || [[Color(lightgreen,Pass: most criteria)]] || 2012-05-28           ||                    || http access may be enabled, but probably does not work at all, and at most works on the private network   ||
+|| 4D         || [[Color(orange,Blocked)]]                 ||                      || [exoticket:19]     || ([exoticket:10]) blocked on serial access to switches                                                     ||
 || 5          || [[Color(orange,Blocked)]]                 ||                      ||                    || blocked on EG-ADM-1 step 4C (i need to investigate the network topology to figure out where to test from) ||
 
@@ -96 +96 @@
 I opened exoticket:34 to request explanation of the protection mechanisms on bbn-hn, so i can redo this test and verify that they work and seem likely to be sufficient.
 
+==== Results of testing step 1A: 2012-07-23 ====
+
+According to [http://groups.geni.net/exogeni/ticket/34#comment:1], i should expect:
+ * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as valid user chaos, and fail five times, my IP address will be added to `/etc/hosts.deny`
+ * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as invalid user xyzzy, and fail a smaller number of times, my IP address will be added to `/etc/hosts.deny`.
+ * If i attempt to login to bbn-hn.exogeni.gpolab.bbn.com as root, and fail a smaller number of times, my IP address will be added to `/etc/hosts.deny`.
+
+Testing this:
+ * Look at `/etc/hosts.deny`:
+{{{
+bbn-hn,[~],20:06(0)$ cat /etc/hosts.deny
+...
+# DenyHosts: Mon Jul 23 18:10:48 2012 | sshd: 192.96.129.254
+sshd: 192.96.129.254
+}}}
+ * Try to login from tarabon.gpolab.bbn.com and fail five times:
+{{{
+tarabon,[~],16:09(0)$ ssh bbn-hn.exogeni
+The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
+RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied (publickey,password).
+tarabon,[~],16:09(255)$ ssh bbn-hn.exogeni
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied (publickey,password).
+tarabon,[~],16:10(255)$ ssh bbn-hn.exogeni
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied (publickey,password).
+tarabon,[~],16:10(255)$ ssh bbn-hn.exogeni
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied, please try again.
+chaos@bbn-hn.exogeni's password:
+Permission denied (publickey,password).
+tarabon,[~],16:11(255)$ ssh bbn-hn.exogeni
+ssh_exchange_identification: Connection closed by remote host
+tarabon,[~],16:11(255)$
+}}}
+ * And then look at hosts.deny again:
+{{{
+bbn-hn,[~],20:11(0)$ cat /etc/hosts.deny
+...
+# DenyHosts: Mon Jul 23 20:11:11 2012 | sshd: 128.89.91.28
+sshd: 128.89.91.28
+}}}
+ So, with a known user, it let me try 12 passwords.
+ * Okay, now trying to login as xyzzy from another lab host in the same subnet, picon.gpolab.bbn.com:
+{{{
+picon,[~],16:14(0)$ ssh xyzzy@bbn-hn.exogeni
+The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
+RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied (publickey,password).
+picon,[~],16:15(255)$ ssh xyzzy@bbn-hn.exogeni
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+xyzzy@bbn-hn.exogeni's password: 
+Permission denied (publickey,password).
+picon,[~],16:15(255)$ ssh xyzzy@bbn-hn.exogeni
+ssh_exchange_identification: Connection closed by remote host
+picon,[~],16:15(255)$ 
+}}}
+ * And, indeed:
+{{{
+bbn-hn,[~],20:16(0)$ cat /etc/hosts.deny
+...
+# DenyHosts: Mon Jul 23 20:15:43 2012 | sshd: 128.89.91.48
+sshd: 128.89.91.48
+}}}
+ * Now trying login as root from another lab machine, virgon.gpolab.bbn.com:
+{{{
+virgon,[~],16:16(0)$ ssh root@bbn-hn.exogeni
+The authenticity of host 'bbn-hn.exogeni (192.1.242.3)' can't be established.
+RSA key fingerprint is 2f:71:d6:ab:03:00:f5:2d:f2:69:55:46:b5:67:84:ce.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added 'bbn-hn.exogeni,192.1.242.3' (RSA) to the list of known hosts.
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied (publickey,password).
+virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied (publickey,password).
+virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied, please try again.
+root@bbn-hn.exogeni's password: 
+Permission denied (publickey,password).
+virgon,[~],16:17(255)$ ssh root@bbn-hn.exogeni
+ssh_exchange_identification: Connection closed by remote host
+virgon,[~],16:17(255)$ 
+}}}
+ * And, indeed:
+{{{
+bbn-hn,[~],20:18(0)$ cat /etc/hosts.deny
+...
+# DenyHosts: Mon Jul 23 20:17:43 2012 | sshd: 128.89.91.49
+sshd: 128.89.91.49
+}}}
+
+
 === Step 1B: verify the absence of common unencrypted login protocols ===