Re: [Oscar-devel] Re: [Oscar-users] Mandriva 2006 status report - openssh "bug" identified

Wed, 08 Feb 2006 11:52:06 -0800 

Hi Bernard,
I will wait for the reply from our Mandriva contact.
For now, what I see as solution for our problem is to integrate a command like:
passwd -u oscartst -f
in the post nodes install (Stage 7), so it'll be executed in each node 
unlocking the access from users without password, as oscartst.
What do you think?
Fernando

Bernard Li a écrit :

Hi Fernando:
Passwordless ssh is different from having no password with your UNIX account. The way it works right now is that once you are logged into the system, you can go to any nodes via ssh without entering any password. However, as a regular user, you still need log into the headnode with a password. All I'm saying is that there doesn't need to be a password generated for the oscartst user (as your solution proposes) as you would never really log in as that user, the account will always be invoked via "su -" or similar mechanism. Bottomline is, this worked before, and doesn't work any more - we should fix it on the "openssh" level, but not by changing oscartst's passwd file entry. You might want to reply back to Mandriva saying that we already generated the DSA key (in /etc/profile.d/ssh-oscar.sh) and thus the problem is not there - tell him the situation and perhaps he has a better solution for us. P.S. You might also want to turn on debugging for ssh when you do tests using the oscartst user, that might give you some hints as to what is wrong... Cheers, Bernard 
------------------------------------------------------------------------
*From:* Fernando Laudares Camargos [mailto:[EMAIL PROTECTED]
*Sent:* Wed 08/02/2006 08:59
*To:* Bernard Li
*Cc:* [email protected]
*Subject:* Re: [Oscar-devel] Re: [Oscar-users] Mandriva 2006 status report - openssh "bug" identified 

Hi Bernard,

 > What did the Mandriva folks say regarding this issue?

his tip didn't worked:
-------------------------------------------------------------------------------
> no need to rebuild openssh, a simple manipulation in home user dir fix the 
 > pb.
 >
 > generate a DSA SSH key with an empty password:
 > ---------------------------------
 > ssh-genkey -t dsa
 > ---------------------------------
 >
 > now just do:
 > -------------------------------------------------------
 > cd ~/.ssh
 > cat id_dsa.pub > ~/.ssh/authorized_keys
 > -------------------------------------------------------
 > User will be able to longon on evrey node without ssh password.
-------------------------------------------------------------------------------

 > "!!" in the shadow file means there is no corresponding password
 > associated with that user account, i.e. you cannot ssh
 > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> and log in (because there
 > is no password), but "su - oscartst" as root would work.
> > I do not think we want to change this behavior.
So them how the tests in step 8 are perfomed?? NODE -> SERVER and SERVER- -> NODE ? Is the oscartst we use to make the ssh tests or no? 

Thanks,
Fernando
 >
 > ------------------------------------------------------------------------
 > *From:* [EMAIL PROTECTED] on behalf of Fernando
 > Laudares Camargos
 > *Sent:* Wed 08/02/2006 08:19
 > *To:* Fernando Laudares Camargos
 > *Cc:* [email protected]
 > *Subject:* [Oscar-devel] Re: [Oscar-users] Mandriva 2006 status report -
 > openssh "bug" identified
 >
 > Fernando Laudares Camargos a écrit :
 >  > 2) The problem with *openssh* newer than 3.6 (as 3.9 in Mandrake 10.1
 >  > and 4.2 in Mandriva 2006) is that the user 'oscartst' have his ssh
 >  > access 'locked' by default. I have not completed my study at this
 >  > question yet, but the solution I used was manually unlock the user (in
 >  > all nodes) with the command 'passwd -u oscartst -f'.
 >
 > Well, I guess I was wrong here. Actually, that works, but this is
 > probably not the right way to do it.
 > When the cluster is installed, the /etc/shadow file show the following
 > line for the user oscartst:
 >
 > oscartst:!!:13186:0:99999:7:::
 >
> Another regular user, "laudares" (myself), has this line in the same file. 
 >
 > laudares:$1$Jck9.vTD$8sKdM32ytVh7svBv9OYfi/:13186:0:99999:7:::
 >
 > The difference between the two is that the "field" for the password is
 > filled by "!!" for oscartst and by "$1$Jck9.vTD$8sKdM32ytVh7svBv9OYfi/"
 > for laudares.
 >
 > When I try to connect from the server to the node and back with the user
 > laudares, it works (with that I mean `It does not ask for my passwd`),
 > but not when I try that with oscartst.
 >
 > If I change the password of oscartst with the command "passwd oscartst",
 > its line in the shadow file is replaced by one similar to that of
 > laudares, and ssh (without password) works. But then I have to do this
 > with all nodes, or have this line changed in the image, before to spread
 > it across the cluster.
 >
 > I would like to hear your comments about that, since it`s one of the
 > main problems we`re having with Mandriva after the 10.0 version.
 >
 > Thanks,
 > --
 > Fernando Laudares Camargos
 >
> Révolution Linux > http://www.revolutionlinux.com 
 > ---------------------------------------
 > * Tout opinion et prise de position exprimée dans ce message est celle
 > de son auteur et pas nécessairement celle de Révolution Linux.
 > ** Any views and opinion presented in this e-mail are solely those of
 > the author and do not necessarily represent those of Révolution Linux.
 >
 >
 >
 > -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files 
 > for problems?  Stop!  Download the new AJAX search engine that makes
 > searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=k&kid <http://sel.as-us.falkag.net/sel?cmd=k&kid> > <http://sel.as-us.falkag.net/sel?cmd=k&kid <http://sel.as-us.falkag.net/sel?cmd=k&kid>>3432&bid#0486&dat1642 
 > _______________________________________________
 > Oscar-devel mailing list
 > [email protected]
 > https://lists.sourceforge.net/lists/listinfo/oscar-devel
 >

--
Fernando Laudares Camargos
Révolution Linux http://www.revolutionlinux.com --------------------------------------- * Tout opinion et prise de position exprimée dans ce message est celle de son auteur et pas nécessairement celle de Révolution Linux. ** Any views and opinion presented in this e-mail are solely those of the author and do not necessarily represent those of Révolution Linux. 



--
Fernando Laudares Camargos
Révolution Linux http://www.revolutionlinux.com 
---------------------------------------
* Tout opinion et prise de position exprimée dans ce message est celle de son 
auteur et pas nécessairement celle de Révolution Linux.
** Any views and opinion presented in this e-mail are solely those of the 
author and do not necessarily represent those of Révolution Linux.



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid3432&bid#0486&dat1642
_______________________________________________
Oscar-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/oscar-devel

Reply via email to