Changes between Version 14 and Version 15 of GENIRacksHome/InstageniRacks/AcceptanceTestStatus/IG-ADM-2

Timestamp: 11/12/12 12:58:36 (12 years ago)

Legend: Unmodified / Added / Removed / Modified

Page: GENIRacksHome/InstageniRacks/AcceptanceTestStatus/IG-ADM-2 (v14 -> v15)
Unmodified:
''This page is GPO's working page for performing IG-ADM-2. It is public for informational purposes, but it is not an official status report. See [wiki:GENIRacksHome/InstageniRacks/AcceptanceTestStatus] for the current status of InstaGENI acceptance tests.''

Modified:
v14: ''Last substantive edit of this page: 2012-05-26''
v15: ''Last substantive edit of this page: 2012-11-12''

Unmodified:
== Page format ==

…

Unmodified (status table header and rows 1A-2C):
|| '''Step''' || '''State''' || '''Date completed''' || '''Open Tickets''' || '''Closed Tickets/Comments''' ||
|| 1A || [[Color(green,Pass)]] || 2012-05-15 || || ([instaticket:18]) question about root SSH access was resolved satisfactorily with no change to rack ||
|| 1B || [[Color(green,Pass)]] || 2012-05-16 || || ||
|| 1C || [[Color(green,Pass)]] || 2012-05-16 || || ||
|| 2A || [[Color(green,Pass)]] || 2012-05-21 || || ([instaticket:22]) password-based login to ops is now disallowed for all users ||
|| 2B || [[Color(green,Pass)]] || 2012-05-16 || || ||
|| 2C || [[Color(green,Pass)]] || 2012-05-16 || || ||

Removed (v14 rows 3A-4C):
|| 3A || [[Color(orange,Blocked)]] || || || blocked on access to FOAM VM ||
|| 3B || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 3C || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 4A || [[Color(orange,Blocked)]] || || || blocked on access to FlowVisor VM ||
|| 4B || [[Color(orange,Blocked)]] || || || blocked on 4A ||
|| 4C || [[Color(orange,Blocked)]] || || || blocked on 4A ||

Added (v15 rows 3A-4C):
|| 3A || [[Color(orange,Blocked)]] || || [instaticket:59] || blocked on resolution of FOAM remote password login issue ||
|| 3B || [[Color(green,Pass)]] || 2012-11-12 || || ||
|| 3C || [[Color(green,Pass)]] || 2012-11-12 || || ||
|| 4A || [[Color(green,Pass)]] || 2012-11-12 || || ||
|| 4B || [[Color(green,Pass)]] || 2012-11-12 || || ||
|| 4C || [[Color(green,Pass)]] || 2012-11-12 || || ||

Unmodified:
|| 5A || [[Color(green,Pass)]] || 2012-05-16 || || ||
|| 5B || [[Color(green,Pass)]] || 2012-05-17 || || ||

…

Unmodified:
|| 8B || [[Color(green,Pass)]] || 2012-05-17 || || ||
|| 8C || N/A || 2012-05-17 || || per 8A, device allows telnet from private network, so not testing this step ||

Modified (row 8D):
v14: || 8D || [[Color(orange,Blocked)]] || || [instaticket:37]
v15: || 8D || [[Color(orange,Blocked)]] || || [instaticket:37] || blocked on serial access to dataplane switch ||

Unmodified:
|| 9 || [[Color(green,Pass)]] || 2012-05-17 || || ||

…

Unmodified (end of step 3A criteria):
 * Password-based SSH does not succeed

Added (v15):
==== Results of testing step 3A: 2012-11-12 ====

 * Public-key SSH works:
{{{
$ ssh -o PubkeyAuthentication=yes foam.utah.geniracks.net
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Mon Nov 12 10:35:49 2012 from capybara.bbn.com
}}}
 * Password-based SSH also works, hmm:
{{{
$ ssh -o PubkeyAuthentication=no foam.utah.geniracks.net
chaos@foam.utah.geniracks.net's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Mon Nov 12 10:36:18 2012 from capybara.bbn.com
foam,[~],10:37(0)$
}}}
I'll open a ticket about that.

Unmodified:
=== Step 3B: verify the absence of common unencrypted login protocols ===

…

 * Login does not succeed via any unencrypted login protocol

Added (v15):
==== Results of testing step 3B: 2012-11-12 ====

On Ubuntu, `netstat -anp | grep LISTEN` shows IPv4 and IPv6 listeners.

I found the following listeners, none of which are problematic for our purposes here:
{{{
nginx
sshd
}}}

Unmodified:
=== Step 3C: verify sudo and sudo logging ===

…

 * The command which was run should be recorded in a log

Added (v15):
==== Results of testing step 3C: 2012-11-12 ====

 * Sudo command succeeded:
{{{
foam,[~],10:40(0)$ sudo whoami
root
}}}
 * The file `/var/log/auth.log` contains:
{{{
Nov 12 10:42:59 foam sudo: chaos : TTY=pts/0 ; PWD=/home/chaos ; USER=root ; COMMAND=/usr/bin/whoami
}}}

Unmodified:
== Step 4: verify access to rack FlowVisor node ==

…

 * Password-based SSH does not succeed

Removed (v14: a step 3B heading that had been duplicated under step 4):
=== Step 3B: verify the absence of common unencrypted login protocols ===

'''Using:'''
 * Use netstat to enumerate the network-listening processes running on foam

Added (v15):
==== Results of testing step 4A: 2012-11-12 ====

 * Public-key SSH works:
{{{
$ ssh -o PubkeyAuthentication=yes flowvisor.utah.geniracks.net
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Mon Nov 12 10:14:09 2012 from capybara.bbn.com
}}}
 * Password-based SSH does not work on flowvisor:
{{{
$ ssh -o PubkeyAuthentication=no flowvisor.utah.geniracks.net
Permission denied (publickey).
}}}
 * From a login, I can corroborate that the config is right here:
{{{
flowvisor,[~],10:42(0)$ grep PasswordAuthentication /etc/ssh/sshd_config | nocomment
PasswordAuthentication no
}}}

=== Step 4B: verify the absence of common unencrypted login protocols ===

'''Using:'''
 * Use netstat to enumerate the network-listening processes running on flowvisor

Unmodified:
 * Identify each process and determine whether it is a common unencrypted login protocol
 * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible

…

 * Login does not succeed via any unencrypted login protocol

Added (v15):
==== Results of testing step 4B: 2012-11-12 ====

On Ubuntu, `netstat -anp | grep LISTEN` shows IPv4 and IPv6 listeners.

I found the following listeners, none of which are problematic for our purposes here:
{{{
sshd
flowvisor
}}}
(Flowvisor allows remote access on port 6633 from switches, and may allow access to port 8080 and/or 8081 from FOAM, but does not allow them from offsite, e.g.
{{{
$ telnet flowvisor.utah.geniracks.net 8080
Trying 155.98.34.7...

}}}
hangs from capybara.bbn.com, likewise for port 8081.)

Unmodified:
=== Step 4C: verify sudo and sudo logging ===

…

 * The sudo command should succeed
 * The command which was run should be recorded in a log

Added (v15):
==== Results of testing step 4C: 2012-11-12 ====

 * Sudo command succeeded:
{{{
flowvisor,[~],10:48(0)$ sudo whoami
root
}}}
 * The file `/var/log/auth.log` contains:
{{{
Nov 12 10:48:21 flowvisor sudo: chaos : TTY=pts/1 ; PWD=/home/chaos ; USER=root ; COMMAND=/usr/bin/whoami
}}}

Unmodified:
== Step 5: verify access to rack infrastructure VM server host ==
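The three kinds of evidence collected above (the `sshd_config` PasswordAuthentication check from step 4A, the `netstat -anp | grep LISTEN` review from steps 3B/4B, and the `/var/log/auth.log` sudo record from steps 3C/4C) can be turned into a repeatable offline check. The following script is an added example written for this page, not part of the GENI wiki or the InstaGENI rack tooling; the netstat output, sshd_config excerpt, auth.log lines, the user name `alice` and the helper names (`check_host` and friends) are all constructed assumptions. It assumes the sshd_config has no `Match` blocks (sshd uses the first value set for a keyword) and identifies cleartext login protocols by their well-known ports.

```python
"""Offline checks mirroring IG-ADM-2 steps 3A/4A, 3B/4B and 3C/4C.

Added example, not code from the GENI wiki page. All sample inputs below
are constructed for illustration.
"""
import re

# Well-known ports of common unencrypted login protocols (IANA assignments).
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Constructed sample of `netstat -anp | grep LISTEN` output (not from the page).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2345/nginx
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      3456/inetd
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      -
"""

# Constructed sshd_config excerpt: the commented default is ignored, the live
# directive disables password login.
SAMPLE_SSHD_CONFIG = """\
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed /var/log/auth.log excerpt with two sudo records and one sshd line.
SAMPLE_AUTH_LOG = """\
Nov 12 10:42:59 foam sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/whoami
Nov 12 10:43:10 foam sshd[2222]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Nov 12 10:45:01 foam sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx restart
"""

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pidprog>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_listeners(netstat_text):
    """Return (proto, port, program) for every TCP LISTEN line; IPv4 and IPv6."""
    listeners = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::22
        pidprog = m.group("pidprog")
        program = pidprog.split("/", 1)[1] if "/" in pidprog else "unknown"
        listeners.append((m.group("proto"), port, program))
    return listeners


def cleartext_login_listeners(netstat_text):
    """Listeners on cleartext login ports, as (port, protocol name, program)."""
    return [(port, CLEARTEXT_LOGIN_PORTS[port], prog)
            for _, port, prog in parse_listeners(netstat_text)
            if port in CLEARTEXT_LOGIN_PORTS]


def sshd_password_auth_enabled(config_text):
    """Effective PasswordAuthentication value: first active directive wins
    (sshd semantics, assuming no Match blocks); OpenSSH defaults to yes."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # same filtering as the page's `| nocomment`
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


def sudo_records(log_text):
    """Parse sudo audit lines from auth.log into dicts (other lines are skipped)."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def sudo_logged(log_text, user, command):
    """True if auth.log records `user` running exactly `command` via sudo."""
    return any(r["user"] == user and r["cmd"] == command for r in sudo_records(log_text))


def check_host(netstat_text, sshd_config_text, auth_log_text, user, command):
    """One pass/fail line per acceptance criterion, keyed by criterion."""
    return {
        "password_ssh_disabled": not sshd_password_auth_enabled(sshd_config_text),
        "no_cleartext_login_listeners": not cleartext_login_listeners(netstat_text),
        "sudo_logged": sudo_logged(auth_log_text, user, command),
    }


if __name__ == "__main__":
    for name, ok in check_host(SAMPLE_NETSTAT, SAMPLE_SSHD_CONFIG, SAMPLE_AUTH_LOG,
                               "alice", "/usr/bin/whoami").items():
        print(f"{name}: {'Pass' if ok else 'FAIL'}")
```

Against the constructed samples the sshd and sudo criteria pass while the listener check fails, because `inetd` is listening on port 23; that is the case where the page's procedure says to try the port remotely and confirm whether a login is actually possible before recording the step.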