Context Navigation

IG-ADM-2

Timestamp:: 05/18/12 05:22:07 (12 years ago)
Author:: chaos@bbn.com
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

GENIRacksHome/InstageniRacks/AcceptanceTestStatus/IG-ADM-2

-                      v7
+                      v8
 ''This page is GPO's working page for performing IG-ADM-2.  It is public for informational purposes, but it is not an official status report.  See [wiki:GENIRacksHome/InstageniRacks/AcceptanceTestStatus] for the current status of InstaGENI acceptance tests.''
 ''Last substantive edit of this page: 2012-05-16''
+''Last substantive edit of this page: 2012-05-17''
 == Page format ==
 …
 == Status of test ==
 || '''Step''' || '''State'''               || '''Date completed''' || '''Tickets'''  || '''Comments'''                                   ||
 || 1A         || [[Color(green,Pass)]] ||                      || instaticket:18 || question about root SSH access was resolved satisfactorily with no change to rack ||
 || 1B         || [[Color(green,Pass)]] ||                      ||                || ||
 || 1C         ||                           ||                      ||                || ready to test                                    ||
 || 2A         ||                           ||                      ||                || ready to test                                    ||
 || 2B         ||                           ||                      ||                || ready to test                                    ||
 || 2C         ||                           ||                      ||                || ready to test                                    ||
 || 3A         || [[Color(orange,Blocked)]] ||                      ||                || blocked on access to FOAM VM                     ||
 || 3B         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 3A                                    ||
 || 3C         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 3A                                    ||
 || 4A         || [[Color(orange,Blocked)]] ||                      ||                || blocked on access to FlowVisor VM                ||
 || 4B         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 4A                                    ||
 || 4C         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 4A                                    ||
 || 5A         ||                           ||                      ||                || ready to test                                    ||
 || 5B         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 5A                                    ||
 || 5C         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 5A                                    ||
 || 6A         || [[Color(orange,Blocked)]] ||                      ||                || blocked on allocation of OpenVZ node             ||
 || 6B         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 6A                                    ||
 || 6C         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 6A                                    ||
 || 7A         ||                           ||                      ||                || ready to test                                    ||
 || 7B         ||                           ||                      ||                || ready to test                                    ||
 || 7C         ||                           ||                      ||                || ready to test                                    ||
 || 7D         || [[Color(orange,Blocked)]] ||                      ||                || blocked on serial access to switches             ||
 || 8A         || [[Color(orange,Blocked)]] ||                      ||                || blocked on access to dataplane switch            ||
 || 8B         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 8A                                    ||
 || 8C         || [[Color(orange,Blocked)]] ||                      ||                || blocked on 8A                                    ||
 || 8D         || [[Color(orange,Blocked)]] ||                      ||                || blocked on serial access to switches             ||
 || 9          || [[Color(orange,Blocked)]] ||                      ||                || blocked on access to rack iLO                    ||
+|| '''Step''' || '''State'''                            || '''Date completed''' || '''Tickets'''  || '''Comments'''                                                                                                            ||
+|| 1A         || [[Color(green,Pass)]]                  ||                      || instaticket:18 || question about root SSH access was resolved satisfactorily with no change to rack                                         ||
+|| 1B         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 1C         || [[Color(green,Pass)]]                  ||                      ||                || ready to test                                                                                                             ||
+|| 2A         || [[Color(orange,Blocked)]]              ||                      || instaticket:22 || resolve question about password-based login to ops                                                                        ||
+|| 2B         || [[Color(green,Pass)]]                  ||                      ||                || ready to test                                                                                                             ||
+|| 2C         || [[Color(green,Pass)]]                  ||                      ||                || ready to test                                                                                                             ||
+|| 3A         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on access to FOAM VM                                                                                              ||
+|| 3B         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on 3A                                                                                                             ||
+|| 3C         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on 3A                                                                                                             ||
+|| 4A         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on access to FlowVisor VM                                                                                         ||
+|| 4B         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on 4A                                                                                                             ||
+|| 4C         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on 4A                                                                                                             ||
+|| 5A         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 5B         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 5C         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 6A         || [[Color(green,Pass)]]                  ||                      ||                || password-based login is allowed, but passwords are pseudorandom and considered sufficiently strong to discourage guessing ||
+|| 6B         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 6C         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 7A         || [[Color(#98FB98,Pass: most criteria)]] ||                      ||                || unencrypted login is assumed to be okay provided only boss has an interface on the switch control network                 ||
+|| 7B         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 7C         || N/A                                    ||                      ||                || per 7A, device allows telnet from private network, so not testing this step                                               ||
+|| 7D         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on serial access to switches                                                                                      ||
+|| 8A         || [[Color(#98FB98,Pass: most criteria)]] ||                      ||                || unencrypted login is assumed to be okay provided only boss has an interface on the switch control network                 ||
+|| 8B         || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
+|| 8C         || N/A                                    ||                      ||                || per 8A, device allows telnet from private network, so not testing this step                                               ||
+|| 8D         || [[Color(orange,Blocked)]]              ||                      ||                || blocked on serial access to switches                                                                                      ||
+|| 9          || [[Color(green,Pass)]]                  ||                      ||                ||                                                                                                                           ||
 == High-level description from test plan ==
 …
  * The command which was run should be recorded in a log
+==== Results of testing: 2012-05-16 ====
+ * Command succeeds:
+{{{
+boss,[~],20:49(0)$ sudo whoami
+root
+}}}
+ * Record of command shows up in `/var/log/messages`:
+{{{
+boss,[~],20:57(0)$ tail -1 /var/log/messages
+May 16 20:56:31 boss sudo:    chaos : TTY=pts/6 ; PWD=/users/chaos ; USER=root ; COMMAND=/usr/bin/whoami
+}}}
 == Step 2: verify access to rack ops node ==
 …
  * Public-key SSH succeeds
  * Password-based SSH does not succeed
+==== Results of testing: 2012-05-16 ====
+ * Public key authentication succeeds:
+{{{
+capybara,[~],22:58(0)$ ssh -o PubkeyAuthentication=yes ops.utah.geniracks.net
+Last login: Wed May 16 09:23:18 2012 from capybara.bbn.co
+Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
+        The Regents of the University of California.  All rights reserved.
+FreeBSD 8.3-RC1 (XEN) #0: Tue Mar 13 16:27:12 MDT 2012
+Welcome to FreeBSD!
+ops,[~],20:58(0)$
+}}}
+ * Password-based authentication also succeeds:
+{{{
+capybara,[~],22:59(0)$ ssh -o PubkeyAuthentication=no ops.utah.geniracks.net
+Password:
+Last login: Wed May 16 20:58:43 2012 from capybara.bbn.co
+Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
+        The Regents of the University of California.  All rights reserved.
+FreeBSD 8.3-RC1 (XEN) #0: Tue Mar 13 16:27:12 MDT 2012
+Welcome to FreeBSD!
+ops,[~],20:59(0)$
+}}}
+ * Given that password-based authentication works, i am worried about the setting:
+{{{
+$ grep "^PermitRootLogin" /etc/ssh/sshd_config
+PermitRootLogin yes
+PermitRootLogin yes
+}}}
 === Step 2B: verify the absence of common unencrypted login protocols ===
 …
  * Login does not succeed via any unencrypted login protocol
+==== Results of testing: 2012-05-16 ====
+On FreeBSD, `sockstat -lL46` shows IPv4 and IPv6 listeners on non-loopback networks.
+I found the following listeners, none of which are problematic for our purposes here:
+{{{
+httpd
+sshd
+sendmail
+pubsubd (emulab)
+ntpd
+nfsd
+mountd
+rpcbind
+syslogd
+mysqld
+}}}
 === Step 2C: verify sudo and sudo logging ===
 …
  * The sudo command should succeed
  * The command which was run should be recorded in a log
+==== Results of testing: 2012-05-16 ====
+ * Command succeeds:
+{{{
+ops,[~],21:27(0)$ sudo whoami
+root
+}}}
+ * Command is logged:
+{{{
+$ tail -1 /var/log/messages
+May 16 21:37:55 ops sudo:    chaos : TTY=pts/2 ; PWD=/q/users/chaos ; USER=root ; COMMAND=/usr/bin/whoami
+}}}
 == Step 3: verify access to rack foam node ==
 …
 == Step 5: verify access to rack infrastructure VM server host ==
 === Step 5A: verify that SSH to foam succeeds and allows public keys only ===
+=== Step 5A: verify that SSH to infrastructure host succeeds and allows public keys only ===
 '''Using:'''
 …
  * Public-key SSH succeeds
  * Password-based SSH does not succeed
+==== Results of testing: 2012-05-16 ====
+''Testing with Utah rack, whose control node is utah.control.geniracks.net (which believes its hostname is control.utah.geniracks.net, see instaticket:23).''
+ * Public key login succeeds:
+{{{
+capybara,[~],23:55(0)$ ssh -o PubkeyAuthentication=yes utah.control.geniracks.net
+Welcome to Ubuntu precise (development branch) (GNU/Linux 3.2.0-23-generic x86_64)
+ * Documentation:  https://help.ubuntu.com/
+  System information as of Wed May 16 21:55:30 MDT 2012
+  System load:  0.0               Users logged in:       1
+  Usage of /:   45.0% of 5.85GB   IP address for xenbr0: 155.98.34.2
+  Memory usage: 24%               IP address for xenbr1: 10.1.1.254
+  Swap usage:   0%                IP address for xenbr2: 10.2.1.254
+  Processes:    150               IP address for xenbr3: 10.3.1.254
+  Graph this data and manage this system at https://landscape.canonical.com/
+Last login: Wed May 16 21:45:14 2012 from capybara.bbn.com
+control,[~],21:55(0)$
+}}}
+ * Password-based login should fail because i don't have a password set, and because `/etc/ssh/sshd_config` contains:
+{{{
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+}}}
+ and it does:
+{{{
+capybara,[~],23:56(0)$ ssh -o PubkeyAuthentication=no utah.control.geniracks.net
+Permission denied (publickey).
+}}}
 === Step 5B: verify the absence of common unencrypted login protocols ===
 …
  * Login does not succeed via any unencrypted login protocol
+==== Results of testing: 2012-05-17 ====
+ * On Ubuntu, get a list of listeners using:
+{{{
+sudo netstat -anp | grep LISTEN
+}}}
+ * This reveals that only sshd is listening for remote connections on non-localhost interfaces.
 === Step 5C: verify sudo and sudo logging ===
 …
  * The command which was run should be recorded in a log
+==== Results of testing: 2012-05-17 ====
+ * The command succeeds:
+{{{
+control,[~],22:05(0)$ sudo whoami
+root
+}}}
+ * A record of sudo is found in `/var/log/auth.log`:
+{{{
+control,[~],22:05(0)$ sudo tail /var/log/auth.log
+...
+May 16 22:05:17 control sudo:    chaos : TTY=pts/5 ; PWD=/home/chaos ; USER=root ; COMMAND=/usr/bin/whoami
+...
+}}}
 == Step 6: verify access to experimental OpenVZ node ==
 …
  * Public-key SSH succeeds from boss
  * Password-based SSH does not succeed from outside of the rack
+==== Results of testing: 2012-05-17 ====
+''Testing with Utah rack, using shared OpenVZ host pc5.utah.geniracks.net.''
+ * SSH to `root` from boss does work:
+{{{
+boss,[~],22:12(0)$ sudo ssh pc5
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
+Someone could be eavesdropping on you right now (man-in-the-middle attack)!
+It is also possible that the RSA host key has just been changed.
+The fingerprint for the RSA key sent by the remote host is
+:63:92:67:c8:75:20:4e:52:9f:2d:f6:cb:58:16:77.
+Please contact your system administrator.
+Add correct host key in /root/.ssh/known_hosts to get rid of this message.
+Offending key in /root/.ssh/known_hosts:18
+Password authentication is disabled to avoid man-in-the-middle attacks.
+Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
+Last login: Wed May 16 22:10:34 2012 from boss.utah.geniracks.net
+[root@vhost1 ~]#
+}}}
+ * Incidentally, SSH as myself also works:
+{{{
+capybara,[~/src/git/tango-monitor],00:11(0)$ ssh pc5.utah.geniracks.net
+The authenticity of host 'pc5.utah.geniracks.net (155.98.34.15)' can't be established.
+RSA key fingerprint is 46:63:92:67:c8:75:20:4e:52:9f:2d:f6:cb:58:16:77.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added 'pc5.utah.geniracks.net,155.98.34.15' (RSA) to the list of known hosts.
+Last login: Wed May 16 22:11:24 2012 from boss.utah.geniracks.net
+vhost1,[~],22:11(0)$
+}}}
+ * Hmm, password-based SSH as root (using the password listed for the node within the Emulab admin UI) also works:
+{{{
+capybara,[~],00:15(0)$ ssh root@pc5.utah.geniracks.net
+root@pc5.utah.geniracks.net's password:
+Last login: Wed May 16 22:12:21 2012 from boss.utah.geniracks.net
+[root@vhost1 ~]#
+}}}
+ However, given the size of the pseudorandom passwords used for Emulab experimental hosts, i think it's fine to assert that root password guessing is not a realistic threat, so i am not opening a ticket.
 === Step 6B: verify the absence of common unencrypted login protocols ===
 …
  * Login does not succeed via any unencrypted login protocol
+==== Results of testing: 2012-05-17 ====
+ * On RHEL-like OSes, get a list of listeners using:
+{{{
+sudo netstat -anp | grep LISTEN
+}}}
+ * This reveals that the following processes, which are not concerning, are listening for remote connections:
+{{{
+sshd
+rpc.statd
+rpcbind
+emulab-syncd (emulab)
+pubsubd (emulab)
+}}}
+ * There is also an unidentifiable process listening on this port:
+{{{
+tcp        0      0 0.0.0.0:58441               0.0.0.0:*                   LISTEN      -
+}}}
+ I was unable to turn up any further information about it from lsof, so i tried connecting to it (perhaps unreasonably).  I got:
+{{{
+$ telnet pc5.utah.geniracks.net 58441
+Trying 155.98.34.15...
+Connected to pc5.utah.geniracks.net.
+Escape character is '^]'.
+HELP
+Connection closed by foreign host.
+}}}
+ and in the logs:
+{{{
+May 16 22:39:28 localhost kernel: [27502.595007] RPC: multiple fragments per record not supported
+}}}
+ So i think this is an RPC-based thing, and that this kind of testing is not very useful.
 === Step 6C: verify sudo and sudo logging ===
 …
  * The command which was run should be recorded in a log
+==== Results of testing: 2012-05-17 ====
+ * The command succeeds and the log entry is created:
+{{{
+vhost1,[/var/log],22:40(0)$ sudo whoami
+root
+vhost1,[/var/log],22:43(0)$ sudo tail /var/log/secure
+...
+May 16 22:43:48 localhost sudo:    chaos : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/whoami
+...
+}}}
 == Step 7: verify access to control network switch ==
 …
 '''Verify:'''
  * SSH login succeeds
+==== Results of testing: 2012-05-17 ====
+''Tested using Utah rack.''
+ * SSH login does not succeed:
+{{{
+boss,[~],22:46(0)$ ssh procurve1
+ssh: connect to host procurve1 port 22: Connection refused
+}}}
+ * Telnet succeeds instead, using the password in `/usr/testbed/etc/switch.pswd`:
+{{{
+boss,[~],22:47(0)$ telnet procurve1
+Trying 10.1.1.253...
+Connected to procurve1.
+Escape character is '^]'.
+...
+Password:
+...
+ProCurve Switch 2610-24#
+}}}
+This is presumed to be acceptable as long as only server nodes (such as boss) have interfaces on 10.1.1.0/24.
 === Step 7B: verify privileged access to the control network switch ===
 …
  * Viewing the running configuration should succeed
  * Viewing the MAC address table should succeed
+==== Results of testing: 2012-05-17 ====
+ * Enable command isn't needed, since login is privileged already
+ * Running config is viewable:
+{{{
+ProCurve Switch 2610-24# show running-config
+Running configuration:
+; J9085A Configuration Editor; Created on release #R.11.70
+...
+}}}
+ * MAC address table is viewable:
+{{{
+ProCurve Switch 2610-24# show mac-address
+ Status and Counters - Port Address Table
+...
+}}}
 === Step 7C: verify absence of unencrypted login access ===
 …
  * No other services appear to allow remote unencrypted authentication
+==== Results of testing: 2012-05-17 ====
+Not applicable: given results of 7A, not bothering to test for other instances of unencrypted login.
 === Step 7D: verify serial console access to the device ===
 …
  * SSH login succeeds
+==== Results of testing: 2012-05-17 ====
+''Tested using Utah rack.''
+ * SSH login succeeds using the password in `/etc/testbed/etc/switch.pswd`:
+{{{
+boss,[~],22:56(0)$ ssh elabman@procurve2
+We'd like to keep you up to date about:
+  * Software feature updates
+  * New product announcements
+  * Special events
+Please register your products now at:  www.ProCurve.com
+elabman@procurve2's password:
+...
+ProCurve Switch 6600ml-48G-4XG#
+}}}
+ * Telnet succeeds as well:
+{{{
+boss,[~],22:57(0)$ telnet procurve2
+Trying 10.2.1.253...
+Connected to procurve2.
+Escape character is '^]'.
+...
+Password:
+...
+ProCurve Switch 6600ml-48G-4XG#
+}}}
+This is presumed to be acceptable as long as only server nodes (such as boss) have interfaces on 10.2.1.0/24.
 === Step 8B: verify privileged access to the dataplane switch ===
 …
  * Viewing the running configuration should succeed
  * Viewing the MAC address table should succeed
+==== Results of testing: 2012-05-17 ====
+ * Enable command isn't needed, since login is privileged already
+ * Running config is viewable:
+{{{
+ProCurve Switch 6600ml-48G-4XG# show running-config
+Running configuration:
+; J9452A Configuration Editor; Created on release #K.14.41
+...
+}}}
+ * MAC address table is viewable:
+{{{
+ProCurve Switch 6600ml-48G-4XG# show mac-address
+ Status and Counters - Port Address Table
+...
+}}}
 === Step 8C: verify absence of unencrypted login access ===
 …
  * No other services appear to allow remote unencrypted authentication
+==== Results of testing: 2012-05-17 ====
+Not applicable: given results of 8A, not bothering to test for other instances of unencrypted login.
 === Step 8D: verify serial console access to the device ===
 …
  * From boss, attempt to connect via http (port 80) to the the pc1 iLO IP
  * If a port 80 connection is successful, determine whether login is allowed via that interface
  * If any prospective unencrypted protocols were identified in the iLO configurations during IG-ADM-1 step 3F, attempt to connect to those ports from boss
+ * If any prospective unencrypted protocols were identified in the iLO configurations during IG-ADM-1 step 3G, attempt to connect to those ports from boss
 '''Verify:'''
 …
  * No other services appear to allow remote unencrypted authentication
+==== Results of testing: 2012-05-17 ====
+ * The pc1.utah.geniracks.net iLO is at 155.98.34.103
+ * Telnet fails:
+{{{
+boss,[~],23:06(0)$ telnet 155.98.34.103
+Trying 155.98.34.103...
+telnet: connect to address 155.98.34.103: Connection refused
+telnet: Unable to connect to remote host
+}}}
+ * Unencrypted telnet to port 80 succeeds, but closes the connection immediately:
+{{{
+boss,[~],23:08(1)$ telnet 155.98.34.103 80
+Trying 155.98.34.103...
+Connected to 155.98.34.103.
+Escape character is '^]'.
+Connection closed by foreign host.
+}}}
+ In a web browser, this connection is redirected from port 80 to port 443
+ * According to Administration -> Access Settings in iLO, the only additional ports this thing uses are remote console, virtual media, and IPMI/DCMI, all expected iLO functions which i don't need to test this way.