[6550] in Release_7.7_team


Re: new dialup testing

daemon@ATHENA.MIT.EDU (Mark W. Manley)
Thu Dec 10 13:11:13 2009

Date: Thu, 10 Dec 2009 13:11:03 -0500 (EST)
From: "Mark W. Manley" <mmanley@MIT.EDU>
To: Nelson Elhage <nelhage@mit.edu>
cc: release-team@mit.edu, ops@mit.edu
In-Reply-To: <20091210180112.GH5707@mit.edu>
Message-ID: <alpine.DEB.2.00.0912101307230.32528@green-arrow.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Spam-Score: 0
X-Spam-Flag: NO

That's the same behavior as Linerva.  I chatted with Garry about this 
yesterday because SSHD has its own GSSAPI authentication layer that 
authenticates people with tickets.  But, unless the user forwards the 
ticket to the SSH server, it doesn't have access to generate a PAG for the 
user, thus you have no home directory.  Ironically, if you didn't present 
a ticket to the SSH daemon, it will prompt you for a password, which in 
turn gets you tickets, which in turn can generate AFS tokens.  Or if you 
forwarded your tickets to the SSH daemon on rw, it would be able to garner 
tokens.

The only real way around this that we could see was deploying a hacked SSH 
daemon on the new dialups as Garry did for the existing Athena dialups. 
That doesn't strike me as the best answer out there since user education 
should win here.  But, we were interested in seeing the number of people 
who raised this issue.

-MM

On Thu, 10 Dec 2009, Nelson Elhage wrote:

> [Should bug reports go to somewhere other than these two lists?]
>
> If I log in without forwarding credentials, it fails to attach my home
> directory, and so I get
>> Could not chdir to home directory /mit/nelhage: No such file or directory
>
> without any more clear indication of what went wrong.
>
> - Nelson
>
> On Thu, Dec 10, 2009 at 12:56:19PM -0500, Mark W. Manley wrote:
>> Greetings, release-team members.
>>
>> As promised, I have created a prototype Linux dialup to which the members
>> of this mailing list can telnet/ssh/rsh.  Feel free to connect to:
>>
>>    ringworld.mit.edu
>>
>> as yourself and kick some tires around.  A few notes:
>>
>> 1.  It's a prototype.  I can't emphasize this point enough.  As such, it
>> has less memory and vCPUs than we plan for production use.  We're
>> planning now some dedicated VMWare hypervisors on which to run the
>> dialups, but it may be a teeny bit of time before these come to
>> fruition.
>>
>> 2.  Because it's a prototype, I have restricted access to this box in two
>> ways.  One, you can only connect to it via an 18.x.x.x address.  When we
>> go to make these available to the general user community, it will cease
>> to have this restriction.  The other is that I have set PAM to disallow
>> people that aren't receiving this mail from logging in.  I took the
>> people from the release-team mailing list and coded it into the
>> access.conf file since dynamic lists weren't working so hot.  This
>> restriction will also vanish when we replace the current test.dialup box
>> (cvp).
>>
>> I welcome constructive comments.
>>
>> Thanks,
>>
>> -MM
>
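
Added illustration (not code from this thread, from Athena, or from pam_access
itself): a small evaluator for the access.conf format Mark describes using to
limit the prototype dialup to release-team members.  The ruleset is constructed
to match his description (a fixed list of users, MITnet 18.0.0.0/8 as the only
permitted origin, everything else denied) and the user names and addresses are
assumptions.  It covers only the core grammar (permission : users : origins with
'+'/'-', user names or ALL, IPv4 addresses, CIDR networks or ALL), not group
names, EXCEPT, hostnames or tty origins, and it assumes a pam_access build that
understands CIDR origins.  The point it makes is the one that bites in
practice: rules are first-match, and with no matching rule pam_access permits,
so a list of '+' rules without a trailing '- : ALL : ALL' restricts nobody.

```python
"""Evaluate pam_access-style access.conf rules for (user, origin) pairs.

Added example, not code from the thread or from pam_access.  Implements
the core subset of the access.conf grammar:

    permission : users : origins

permission is '+' (permit) or '-' (deny); users is a space-separated list
of user names or ALL; origins is a space-separated list of IPv4 addresses,
CIDR networks or ALL.  First matching rule wins.  If no rule matches,
access is PERMITTED (pam_access behaviour), which is why the catch-all
'- : ALL : ALL' at the end matters.  Group names, EXCEPT, hostnames and
tty origins are deliberately not handled.
"""
import ipaddress

# Constructed ruleset modelled on the thread: release-team members from
# MITnet only, everyone else denied.  Names and prefix are assumptions.
SAMPLE_ACCESS_CONF = """
# release-team members allowed on the prototype dialup
+ : mmanley nelhage : 18.0.0.0/8
- : ALL : ALL
"""

# Same list of users, but without the catch-all deny at the end.
MISSING_CATCHALL_CONF = """
+ : mmanley nelhage : 18.0.0.0/8
"""


def parse_access_conf(text):
    """Return a list of (allow, users, origins) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # strip comments, blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(':')]
        if len(parts) != 3 or parts[0] not in ('+', '-'):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        perm, users, origins = parts
        rules.append((perm == '+', users.split(), origins.split()))
    return rules


def _origin_matches(pattern, origin):
    """Match one origin pattern (ALL, CIDR network, or single address)."""
    if pattern == 'ALL':
        return True
    addr = ipaddress.ip_address(origin)
    if '/' in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def check_access(rules, user, origin):
    """Return (allowed, index of the rule that decided it, or None).

    None as the index means no rule matched; pam_access then permits.
    """
    for idx, (allow, users, origins) in enumerate(rules):
        if not ('ALL' in users or user in users):
            continue
        if any(_origin_matches(p, origin) for p in origins):
            return allow, idx
    return True, None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, origin in [("nelhage", "18.18.1.5"),     # member, on MITnet
                         ("nelhage", "128.30.1.5"),    # member, off MITnet
                         ("someone", "18.18.1.5")]:    # non-member
        print(user, origin, check_access(rules, user, origin))
    # The trap: drop the catch-all and an unlisted user from anywhere is let in.
    print("no catch-all:", check_access(parse_access_conf(MISSING_CATCHALL_CONF),
                                        "someone", "1.2.3.4"))
```

Note that this only models the login-time PAM decision.  It says nothing about
the AFS problem above: once pam_access lets a user in, whether a home directory
under /mit appears still depends on the session having Kerberos tickets from
which a PAG and tokens can be obtained, which GSSAPI authentication without
credential delegation does not provide.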
