Status table, previous revision:

|| '''Step''' || '''State''' || '''Date completed''' || '''Tickets''' || '''Comments''' ||
|| 1A || [[Color(green,Pass)]] || || instaticket:18 || question about root SSH access was resolved satisfactorily with no change to rack ||
|| 1B || [[Color(green,Pass)]] || || || ||
|| 1C || || || || ready to test ||
|| 2A || || || || ready to test ||
|| 2B || || || || ready to test ||
|| 2C || || || || ready to test ||
|| 3A || [[Color(orange,Blocked)]] || || || blocked on access to FOAM VM ||
|| 3B || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 3C || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 4A || [[Color(orange,Blocked)]] || || || blocked on access to FlowVisor VM ||
|| 4B || [[Color(orange,Blocked)]] || || || blocked on 4A ||
|| 4C || [[Color(orange,Blocked)]] || || || blocked on 4A ||
|| 5A || || || || ready to test ||
|| 5B || [[Color(orange,Blocked)]] || || || blocked on 5A ||
|| 5C || [[Color(orange,Blocked)]] || || || blocked on 5A ||
|| 6A || [[Color(orange,Blocked)]] || || || blocked on allocation of OpenVZ node ||
|| 6B || [[Color(orange,Blocked)]] || || || blocked on 6A ||
|| 6C || [[Color(orange,Blocked)]] || || || blocked on 6A ||
|| 7A || || || || ready to test ||
|| 7B || || || || ready to test ||
|| 7C || || || || ready to test ||
|| 7D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches ||
|| 8A || [[Color(orange,Blocked)]] || || || blocked on access to dataplane switch ||
|| 8B || [[Color(orange,Blocked)]] || || || blocked on 8A ||
|| 8C || [[Color(orange,Blocked)]] || || || blocked on 8A ||
|| 8D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches ||
|| 9 || [[Color(orange,Blocked)]] || || || blocked on access to rack iLO ||
Status table, current revision:

|| '''Step''' || '''State''' || '''Date completed''' || '''Tickets''' || '''Comments''' ||
|| 1A || [[Color(green,Pass)]] || || instaticket:18 || question about root SSH access was resolved satisfactorily with no change to rack ||
|| 1B || [[Color(green,Pass)]] || || || ||
|| 1C || [[Color(green,Pass)]] || || || ready to test ||
|| 2A || [[Color(orange,Blocked)]] || || instaticket:22 || resolve question about password-based login to ops ||
|| 2B || [[Color(green,Pass)]] || || || ready to test ||
|| 2C || [[Color(green,Pass)]] || || || ready to test ||
|| 3A || [[Color(orange,Blocked)]] || || || blocked on access to FOAM VM ||
|| 3B || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 3C || [[Color(orange,Blocked)]] || || || blocked on 3A ||
|| 4A || [[Color(orange,Blocked)]] || || || blocked on access to FlowVisor VM ||
|| 4B || [[Color(orange,Blocked)]] || || || blocked on 4A ||
|| 4C || [[Color(orange,Blocked)]] || || || blocked on 4A ||
|| 5A || [[Color(green,Pass)]] || || || ||
|| 5B || [[Color(green,Pass)]] || || || ||
|| 5C || [[Color(green,Pass)]] || || || ||
|| 6A || [[Color(green,Pass)]] || || || password-based login is allowed, but passwords are pseudorandom and considered sufficiently strong to discourage guessing ||
|| 6B || [[Color(green,Pass)]] || || || ||
|| 6C || [[Color(green,Pass)]] || || || ||
|| 7A || [[Color(#98FB98,Pass: most criteria)]] || || || unencrypted login is assumed to be okay provided only boss has an interface on the switch control network ||
|| 7B || [[Color(green,Pass)]] || || || ||
|| 7C || N/A || || || per 7A, device allows telnet from private network, so not testing this step ||
|| 7D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches ||
|| 8A || [[Color(#98FB98,Pass: most criteria)]] || || || unencrypted login is assumed to be okay provided only boss has an interface on the switch control network ||
|| 8B || [[Color(green,Pass)]] || || || ||
|| 8C || N/A || || || per 8A, device allows telnet from private network, so not testing this step ||
|| 8D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches ||
|| 9 || [[Color(green,Pass)]] || || || ||

==== Results of testing: 2012-05-16 ====

* Public key authentication succeeds:
{{{
capybara,[~],22:58(0)$ ssh -o PubkeyAuthentication=yes ops.utah.geniracks.net
Last login: Wed May 16 09:23:18 2012 from capybara.bbn.co
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 8.3-RC1 (XEN) #0: Tue Mar 13 16:27:12 MDT 2012

Welcome to FreeBSD!

ops,[~],20:58(0)$
}}}
* Password-based authentication also succeeds:
{{{
capybara,[~],22:59(0)$ ssh -o PubkeyAuthentication=no ops.utah.geniracks.net
Password:
Last login: Wed May 16 20:58:43 2012 from capybara.bbn.co
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 8.3-RC1 (XEN) #0: Tue Mar 13 16:27:12 MDT 2012

Welcome to FreeBSD!

ops,[~],20:59(0)$
}}}
* Given that password-based authentication works, I am worried about the setting:
{{{
$ grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin yes
PermitRootLogin yes
}}}

==== Results of testing: 2012-05-16 ====

''Testing with Utah rack, whose control node is utah.control.geniracks.net (which believes its hostname is control.utah.geniracks.net, see instaticket:23).''

* Public key login succeeds:
{{{
capybara,[~],23:55(0)$ ssh -o PubkeyAuthentication=yes utah.control.geniracks.net
Welcome to Ubuntu precise (development branch) (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Wed May 16 21:55:30 MDT 2012

System load: 0.0 Users logged in: 1
Usage of /: 45.0% of 5.85GB IP address for xenbr0: 155.98.34.2
Memory usage: 24% IP address for xenbr1: 10.1.1.254
Swap usage: 0% IP address for xenbr2: 10.2.1.254
Processes: 150 IP address for xenbr3: 10.3.1.254

Graph this data and manage this system at https://landscape.canonical.com/
Last login: Wed May 16 21:45:14 2012 from capybara.bbn.com
control,[~],21:55(0)$
}}}
* Password-based login should fail because I don't have a password set, and because `/etc/ssh/sshd_config` contains:
{{{
ChallengeResponseAuthentication no
PasswordAuthentication no
}}}
and it does:
{{{
capybara,[~],23:56(0)$ ssh -o PubkeyAuthentication=no utah.control.geniracks.net
Permission denied (publickey).
}}}
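The two `sshd_config` checks above (the doubled `PermitRootLogin yes` on ops, and `PasswordAuthentication no` on the control node) rely on grep, which shows what is written but not what sshd applies: sshd uses the first value it reads for each keyword and ignores later duplicates, so a second `PermitRootLogin` line is dead text. The Python helper below is an added example, not part of this page or of the GENI rack tooling. It computes the effective value per keyword from the global section, flags duplicates and weak settings, and runs on constructed sample configs that imitate the two hosts (they are not copies of the real files).

```python
"""Audit the effective values of security-relevant sshd_config keywords.

sshd applies the first value it reads for each keyword and ignores later
duplicates, so a grep that shows two 'PermitRootLogin yes' lines only tells
you the file is untidy; this helper reports the value that is actually in
force and flags duplicates and weak settings.
"""
import re

# Keywords to audit, with the values a hardened baseline accepts.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
}

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)")


def parse_sshd_config(text):
    """Return (effective, duplicates).

    effective:  first value seen per keyword in the global section
    duplicates: keywords that appear more than once in the global section
    Lines inside a Match block are skipped, since they apply conditionally.
    """
    effective, counts, in_match = {}, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True                       # everything after is conditional
            continue
        if in_match:
            continue
        counts[key] = counts.get(key, 0) + 1
        effective.setdefault(key, value)          # first occurrence wins
    duplicates = {k: n for k, n in counts.items() if n > 1}
    return effective, duplicates


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    effective, duplicates = parse_sshd_config(text)
    findings = []
    for key, ok_values in EXPECTED.items():
        value = effective.get(key)
        if value is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif value.lower() not in ok_values:
            findings.append(f"{key}: effective value '{value}' is weak")
    for key, n in duplicates.items():
        findings.append(f"{key}: appears {n} times, only the first is used")
    return findings


# Constructed samples modelled on the two hosts on this page; not their real files.
OPS_CONFIG = """# constructed sample: root login and passwords both on, directive duplicated
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin yes
"""

CONTROL_CONFIG = """# constructed sample: key-only login
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin without-password
"""

if __name__ == "__main__":
    for name, cfg in (("ops", OPS_CONFIG), ("control", CONTROL_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The parser deliberately ignores directives inside `Match` blocks, so conditional overrides do not show up in the global values; on the host itself, `sshd -T` remains the authoritative way to dump the configuration sshd is actually running with.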

==== Results of testing: 2012-05-17 ====

''Testing with Utah rack, using shared OpenVZ host pc5.utah.geniracks.net.''

* SSH to `root` from boss does work:
{{{
boss,[~],22:12(0)$ sudo ssh pc5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
46:63:92:67:c8:75:20:4e:52:9f:2d:f6:cb:58:16:77.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:18
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Last login: Wed May 16 22:10:34 2012 from boss.utah.geniracks.net
[root@vhost1 ~]#
}}}
* Incidentally, SSH as myself also works:
{{{
capybara,[~/src/git/tango-monitor],00:11(0)$ ssh pc5.utah.geniracks.net
The authenticity of host 'pc5.utah.geniracks.net (155.98.34.15)' can't be established.
RSA key fingerprint is 46:63:92:67:c8:75:20:4e:52:9f:2d:f6:cb:58:16:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pc5.utah.geniracks.net,155.98.34.15' (RSA) to the list of known hosts.
Last login: Wed May 16 22:11:24 2012 from boss.utah.geniracks.net
vhost1,[~],22:11(0)$
}}}
* Hmm, password-based SSH as root (using the password listed for the node within the Emulab admin UI) also works:
{{{
capybara,[~],00:15(0)$ ssh root@pc5.utah.geniracks.net
root@pc5.utah.geniracks.net's password:
Last login: Wed May 16 22:12:21 2012 from boss.utah.geniracks.net
[root@vhost1 ~]#
}}}
However, given the size of the pseudorandom passwords used for Emulab experimental hosts, I think it's fine to assert that root password guessing is not a realistic threat, so I am not opening a ticket.
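The "REMOTE HOST IDENTIFICATION HAS CHANGED" warning above is only resolved by checking the new key against something independent of the session that produced the warning; here the transcript shows the same fingerprint reported from boss and from capybara, which fits a reinstalled node rather than an interposed host. The helper below is an added example, not part of this page or of the Emulab/GENI tooling. It parses `known_hosts` entries, reproduces the colon-separated MD5 fingerprint that OpenSSH of that era printed (MD5 over the base64-decoded key blob), and compares the recorded fingerprint with fingerprints observed from several vantage points; the key blobs it uses are constructed placeholder bytes, not real host keys.

```python
"""Reconcile a host key fingerprint recorded in known_hosts with fingerprints
observed from independent vantage points.

The MD5 fingerprint format OpenSSH printed at the time of this page is MD5
over the base64-decoded key blob, rendered as colon-separated hex; that is
what md5_fingerprint() reproduces. Key blobs here are constructed placeholder
bytes, not real host keys.
"""
import base64
import hashlib


def md5_fingerprint(key_b64):
    """OpenSSH-style 'aa:bb:...' MD5 fingerprint of a base64 public key blob."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Yield (line_no, hostnames, keytype, fingerprint) per known_hosts entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):          # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield n, parts[0].split(","), parts[1], md5_fingerprint(parts[2])


def check_host(known_hosts_text, host, observed):
    """Compare what known_hosts records for `host` against fingerprints seen
    from other vantage points (`observed` maps vantage name -> fingerprint).

    Verdicts: 'match', 'key changed: ...' (stale entry, vantage points agree),
    'vantage points disagree: ...' (the case to treat as a possible MITM), or
    'unknown host: ...'.
    """
    recorded = [(n, fp) for n, hosts, _, fp in parse_known_hosts(known_hosts_text)
                if host in hosts]
    seen = set(observed.values())
    stale = [n for n, fp in recorded if fp not in seen]
    if not recorded:
        verdict = "unknown host: no entry on record"
    elif len(seen) != 1:
        verdict = "vantage points disagree: investigate before trusting"
    elif not stale:
        verdict = "match"
    else:
        verdict = ("key changed: stale entry at line(s) "
                   + ", ".join(str(n) for n in stale)
                   + "; all vantage points agree on the new key")
    return {"host": host, "recorded": recorded, "observed": observed,
            "verdict": verdict}


# Constructed sample data: placeholder blobs standing in for real host keys.
OLD_KEY = base64.b64encode(b"constructed-old-host-key-blob-0001").decode()
NEW_KEY = base64.b64encode(b"constructed-new-host-key-blob-0002").decode()
BOSS_KNOWN_HOSTS = f"pc5,pc5.utah.geniracks.net,155.98.34.15 ssh-rsa {OLD_KEY}\n"

if __name__ == "__main__":
    new_fp = md5_fingerprint(NEW_KEY)
    # boss and an outside workstation both report the new key: the stale
    # known_hosts line is the likely explanation, not an interposed host.
    print(check_host(BOSS_KNOWN_HOSTS, "pc5", {"boss": new_fp, "capybara": new_fp}))
```

The "vantage points agree" verdict is only as strong as the independence of the paths: two sessions that traverse the same switch tell you little more than one. Comparing against a fingerprint obtained out of band (the console, or a record written at install time) is the stronger check.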
==== Results of testing: 2012-05-17 ====

''Tested using Utah rack.''

* SSH login succeeds using the password in `/etc/testbed/etc/switch.pswd`:
{{{
boss,[~],22:56(0)$ ssh elabman@procurve2
We'd like to keep you up to date about:
* Software feature updates
* New product announcements
* Special events

Please register your products now at: www.ProCurve.com

elabman@procurve2's password:
...
ProCurve Switch 6600ml-48G-4XG#
}}}
* Telnet succeeds as well:
{{{
boss,[~],22:57(0)$ telnet procurve2
Trying 10.2.1.253...
Connected to procurve2.
Escape character is '^]'.
...
Password:
...
ProCurve Switch 6600ml-48G-4XG#
}}}

This is presumed to be acceptable as long as only server nodes (such as boss) have interfaces on 10.2.1.0/24.

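The condition just stated (telnet on 10.2.1.0/24 is tolerable only while server nodes alone have an interface there) is something to re-check whenever a node is added or re-imaged, and it can be checked mechanically from each node's interface listing. The script below is an added example, not part of this page or of the Emulab/GENI tooling. It parses Linux `ip -4 -o addr show` output (constructed here for a few hosts, using the control node's xenbr2 address from the page; BSD hosts such as boss would need `ifconfig` parsing instead) and reports any host outside an assumed server allowlist that has an address on the switch control network.

```python
"""Verify that only server nodes have an interface on the switch control
network, which is the condition under which unencrypted switch management on
that network was judged acceptable.

Input is the text of `ip -4 -o addr show` from each host (Linux format). The
inventory below is constructed for illustration; the allowlist of server
nodes is an assumption for this rack, not something the page states.
"""
import ipaddress
import re

SWITCH_CONTROL_NET = ipaddress.ip_network("10.2.1.0/24")
SERVER_NODES = {"boss", "ops", "control"}       # assumed allowlist

_INET = re.compile(r"\binet (\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(output):
    """Extract IPv4 interfaces (address/prefix) from `ip -4 -o addr show` text."""
    return [ipaddress.ip_interface(m.group(1)) for m in _INET.finditer(output)]


def control_net_footholds(inventory, network=SWITCH_CONTROL_NET):
    """Return {host: [addresses]} for every host with an address in `network`."""
    found = {}
    for host, output in inventory.items():
        hits = [str(i.ip) for i in parse_ip_addr(output) if i.ip in network]
        if hits:
            found[host] = hits
    return found


def policy_violations(inventory, allowed=SERVER_NODES, network=SWITCH_CONTROL_NET):
    """Hosts outside the allowlist that can reach the switch control network."""
    return {h: a for h, a in control_net_footholds(inventory, network).items()
            if h not in allowed}


# Constructed `ip -4 -o addr show` output per host. The control node's
# 155.98.34.2 and 10.2.1.254 are from the page; pc5 and pc7 are made up.
INVENTORY = {
    "control": (
        "2: xenbr0    inet 155.98.34.2/24 brd 155.98.34.255 scope global xenbr0\n"
        "4: xenbr2    inet 10.2.1.254/24 brd 10.2.1.255 scope global xenbr2\n"
    ),
    "pc5": "2: eth0    inet 155.98.34.15/24 brd 155.98.34.255 scope global eth0\n",
    "pc7": (
        "2: eth0    inet 155.98.34.17/24 brd 155.98.34.255 scope global eth0\n"
        "3: eth2    inet 10.2.1.17/24 brd 10.2.1.255 scope global eth2\n"
    ),
}

if __name__ == "__main__":
    for host, addrs in policy_violations(INVENTORY).items():
        print(f"{host} has an interface on the switch control network: {addrs}")
```

A host that appears in the violations list should be treated as invalidating the telnet decision for steps 7A/8A until the interface is removed or the switch is moved to SSH-only management.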
==== Results of testing: 2012-05-17 ====

* The pc1.utah.geniracks.net iLO is at 155.98.34.103
* Telnet fails:
{{{
boss,[~],23:06(0)$ telnet 155.98.34.103
Trying 155.98.34.103...
telnet: connect to address 155.98.34.103: Connection refused
telnet: Unable to connect to remote host
}}}
* Unencrypted telnet to port 80 succeeds, but closes the connection immediately:
{{{
boss,[~],23:08(1)$ telnet 155.98.34.103 80
Trying 155.98.34.103...
Connected to 155.98.34.103.
Escape character is '^]'.
Connection closed by foreign host.
}}}
In a web browser, this connection is redirected from port 80 to port 443.
* According to Administration -> Access Settings in iLO, the only additional ports this thing uses are remote console, virtual media, and IPMI/DCMI, all expected iLO functions which I don't need to test this way.