SLM: Slice Login Manager
This guide details the setup of host-based authentication using Slice Login Manager (SLM) for improved SSH security. It covers the process of configuring host authentication on both client and server sides, managing user slices, and maintaining slice information within PlanetLab. The SLM interacts with authorized keys, SSH configurations, and user management to streamline access for active slices while ensuring proper security measures are in place. Follow along for step-by-step instructions to enhance your SSH configuration and slice management.
SLM: Slice Login Manager (Ritun Patney, Fred Kuhns)
SLM Design
(Block diagram; only its labels survive.) A user 'xyz' runs 'ssh -l pl_techx01' against the SLM host (sshd); xyz's public key is in ~pl_techx01/.ssh/authorized_keys2; the slice login mappings record pl_techx01 = drn01; the hop from SLM to the host drn01, which runs slice pl_techx01, uses host-based authentication.
Host based authentication
• Client Side (SRM)
  • Copy the server key from server:/etc/ssh/ssh_host_rsa_key.pub to /etc/ssh/ssh_known_hosts in the following format:
      drn01.arl.wustl.edu,128.2.3.4 ssh-rsa AAxxxxx
  • Enable host based authentication by editing /etc/ssh/ssh_config to include:
      Host *
          EnableSSHKeysign yes
          HostbasedAuthentication yes
Host Based Authentication
• Server Side (GPEs)
  • Enable it in /etc/ssh/sshd_config:
      HostbasedAuthentication yes
  • Add the public key of the client to /etc/ssh/ssh_known_hosts as:
      slm.arl.wustl.edu,128.22.13.4 ssh-rsa AAxxxxx
  • Add the following line to /etc/ssh/shosts.equiv:
      +ebony.arl.wustl.edu
  • Any user logged in at ebony will be able to log in with the same login name
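The server-side setup only works when the three files agree: sshd must have HostbasedAuthentication on, every host listed in shosts.equiv must have its key pinned in ssh_known_hosts, and a bare "+" in shosts.equiv trusts every host that does. The following checker is an added example, not code from the slides or from PlanetLab; it parses the three files from strings, and the sample contents are constructed for the example (they mirror the slide values). On a real GPE the inputs would be read from /etc/ssh/sshd_config, /etc/ssh/ssh_known_hosts and /etc/ssh/shosts.equiv.

```python
"""Consistency check for the server-side host-based authentication files.

Added example, not code from the slides. Sample file contents are constructed
for this example and mirror the slide values.
"""
import re


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of sshd_config.

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    Everything after the first 'Match' line is conditional and is ignored here.
    """
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in opts:  # first occurrence wins, as in sshd
            opts[key] = parts[1].strip()
    return opts


def parse_known_hosts(text):
    """Return {host_or_ip: (keytype, key)} from ssh_known_hosts.

    The first field is a comma-separated list of names/addresses, optionally
    preceded by a '@cert-authority' or '@revoked' marker. Hashed entries
    ('|1|...') cannot be enumerated and are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        for name in fields[0].split(","):
            hosts[name] = (fields[1], fields[2])
    return hosts


def parse_shosts_equiv(text):
    """Return (trusted, denied, wildcard) from shosts.equiv.

    Lines use hosts.equiv syntax, '[+|-]hostname [username]'; a bare '+'
    trusts every host that has a key in ssh_known_hosts.
    """
    trusted, denied, wildcard = [], [], False
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        if host == "+":
            wildcard = True
        elif host.startswith("-"):
            denied.append(host[1:])
        else:
            trusted.append(host.lstrip("+"))
    return trusted, denied, wildcard


def audit_hostbased(sshd_config, known_hosts, shosts_equiv):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    opts = parse_sshd_config(sshd_config)
    if opts.get("hostbasedauthentication", "no").lower() != "yes":
        findings.append("HostbasedAuthentication is not enabled in sshd_config")
    keys = parse_known_hosts(known_hosts)
    trusted, _denied, wildcard = parse_shosts_equiv(shosts_equiv)
    if wildcard:
        findings.append("shosts.equiv trusts every host ('+') that has a pinned key")
    for host in trusted:
        if host not in keys:
            findings.append(f"{host} is trusted in shosts.equiv but has no key in ssh_known_hosts")
    return findings


# Constructed sample contents, using the values shown on the slides.
SSHD_CONFIG = "# sshd_config excerpt\nHostbasedAuthentication yes\n"
KNOWN_HOSTS = "slm.arl.wustl.edu,128.22.13.4 ssh-rsa AAxxxxx\n"
SHOSTS_EQUIV = "+ebony.arl.wustl.edu\n"

if __name__ == "__main__":
    for finding in audit_hostbased(SSHD_CONFIG, KNOWN_HOSTS, SHOSTS_EQUIV) or ["ok"]:
        print(finding)
```

Run on exactly the slide values, the check reports that ebony.arl.wustl.edu is trusted but has no pinned key, because the known_hosts line names slm.arl.wustl.edu; if one machine goes by both names, both belong in the comma-separated host field of that line. The same audit is worth re-running whenever either file changes, since sshd silently refuses host-based logins when the pieces do not line up.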
Slice Information
• SRM writes slice info to /etc/planetlab/db
• Contains information on current active slices
• File format:
    [ slice_name ]
    PlabID=
    gpeIP=
    key0=
    .
    .
    keyn=
    [ slice_name ]
    PlabID=
    gpeIP=
    key0=
    .
    .
    keyn=
Example File
    [ pl_techx04 ]
    PlabID=12
    gpeIP=172.16.1.5
    key0=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4ko5aNtvfSJwzilBrzmsqPf4S1BttcxgO9sJp
    key1=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAztellgkIwPoS+p0Dqj9nkcuVcj7qK0GsSjbC3
    key2=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvszPitee7pHIwC8+47RmPa0pdcBkkz5Gl8v4i
    [ pl_techx01 ]
    PlabID=11
    gpeIP=172.16.1.1
    key0=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAztellgkIwPoS+p0Dqj9nkcuVcj7qK0GsSjbC3
    key1=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4ko5aNtvfSJwzilBrzmsqPf4S1BttcxgO9sJp
    key2=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvszPitee7pHIwC8+47RmPa0pdcBkkz5Gl8v4i
Processing slice information
• Open /etc/planetlab/db
• Find the file size, allocate and read into a buffer, close the file
• Maintain 2 lists:
  • new_slice_list
  • old_slice_list
• Do a qsort on new_slice_list
• Compare the ordered linked lists "new_slice_list" and "old_slice_list"
• Remove the login for any slice in old_slice_list but not in new_slice_list:
  • Call "userdel" to remove the user and its entry from the passwd file
  • Delete the home directory
• Set old_slice_list = new_slice_list
Processing slice information
• For every active slice:
  • Call "useradd" to create a user with the slice name
  • Set the login shell to /sbin/nologin
  • Read the GPE IP and store it in mappings_buffer as
      slicename=gpeip
  • Read the keys into keys_buffer
  • Overwrite the ~slicename/.ssh/authorized_keys2 file with keys_buffer
  • Overwrite the mappings file (/etc/planetlab/gpe_mappings) used by sshd with the contents of mappings_buffer
Misc
• To avoid keeping files open for long, every file read is first copied to a .tmp file.
• SLM reads the /etc/passwd file at start and removes any user starting with "pl_".
• Runs every 30s.
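The slice-processing loop above (parse the db, sort and compare the old and new lists, add or remove accounts, rewrite authorized_keys2 and gpe_mappings, and the start-up cleanup of "pl_" users) is modelled below as an added example; it is not the SLM's own code, which the slides describe as a C daemon working on raw buffers with qsort. Account commands are returned as argv lists rather than executed, so the module runs anywhere; SAMPLE_DB is the slides' example file (whose keys are truncated on the slide), and pl_techx07 is a constructed name standing in for a slice from the previous run. The parser is stricter than the slides require: it rejects a gpeIP that is not an IP address and a key field that does not look like an OpenSSH public-key line, since both end up in files sshd trusts.

```python
"""Slice-database processing from the slides, modelled in Python.

Added example, not the SLM's own code. Parses /etc/planetlab/db, diffs the
previous and current slice sets, renders authorized_keys2 and gpe_mappings.
"""
import ipaddress
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\[\s*(\S+)\s*\]$")
KEY_FIELD_RE = re.compile(r"^key\d+$")


def parse_slice_db(text):
    """Parse '[ slice ]' sections into {slice_name: {PlabID, gpeIP, keys}}."""
    slices, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            slices[name] = {"PlabID": None, "gpeIP": None, "keys": []}
            continue
        if name is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        field, _, value = line.partition("=")
        field, value = field.strip(), value.strip()
        if field == "PlabID":
            slices[name]["PlabID"] = int(value)
        elif field == "gpeIP":
            slices[name]["gpeIP"] = str(ipaddress.ip_address(value))  # rejects garbage
        elif KEY_FIELD_RE.match(field):
            if len(value.split()) < 2 or not value.startswith("ssh-"):
                raise ValueError(f"{name}: {field} is not an OpenSSH public key line")
            slices[name]["keys"].append(value)
        else:
            raise ValueError(f"{name}: unknown field {field!r}")
    return slices


def plan(old_names, new_slices):
    """Return (to_delete, to_create): the old/new list comparison from the slides."""
    new_names = sorted(new_slices)  # the qsort step; old_names is already sorted
    old = set(old_names)
    to_delete = sorted(old - set(new_names))
    to_create = [n for n in new_names if n not in old]
    return to_delete, to_create


def account_commands(to_delete, to_create):
    """argv lists for the userdel/useradd calls; -r removes the home directory."""
    cmds = [["userdel", "-r", n] for n in to_delete]
    cmds += [["useradd", "-m", "-s", "/sbin/nologin", n] for n in to_create]
    return cmds


def render_authorized_keys(slice_info):
    """Contents of ~slicename/.ssh/authorized_keys2, one key per line."""
    return "".join(key + "\n" for key in slice_info["keys"])


def render_mappings(slices):
    """Contents of /etc/planetlab/gpe_mappings: 'slicename=gpeip' per line."""
    return "".join(f"{n}={slices[n]['gpeIP']}\n" for n in sorted(slices))


def stale_pl_users(passwd_text):
    """Usernames starting with 'pl_' in /etc/passwd (the start-up cleanup)."""
    return [l.split(":", 1)[0] for l in passwd_text.splitlines() if l.startswith("pl_")]


def write_replace(path, content):
    """Write to a .tmp file in the same directory, then rename over path, so
    sshd never reads a half-written authorized_keys2 or gpe_mappings."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


SAMPLE_DB = """[ pl_techx04 ]
PlabID=12
gpeIP=172.16.1.5
key0=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4ko5aNtvfSJwzilBrzmsqPf4S1BttcxgO9sJp
key1=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAztellgkIwPoS+p0Dqj9nkcuVcj7qK0GsSjbC3
key2=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvszPitee7pHIwC8+47RmPa0pdcBkkz5Gl8v4i
[ pl_techx01 ]
PlabID=11
gpeIP=172.16.1.1
key0=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAztellgkIwPoS+p0Dqj9nkcuVcj7qK0GsSjbC3
key1=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4ko5aNtvfSJwzilBrzmsqPf4S1BttcxgO9sJp
key2=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvszPitee7pHIwC8+47RmPa0pdcBkkz5Gl8v4i
"""

if __name__ == "__main__":
    slices = parse_slice_db(SAMPLE_DB)
    # pl_techx07 is a constructed stand-in for a slice seen on the previous run
    to_delete, to_create = plan(["pl_techx01", "pl_techx07"], slices)
    for cmd in account_commands(to_delete, to_create):
        print(" ".join(cmd))
    print(render_mappings(slices), end="")
```

Where the slides call useradd for every active slice on each pass, this model only creates accounts that are absent from the previous list; the effect is the same, since useradd fails on an existing name. write_replace is the write-side counterpart of the .tmp copying the slides mention for reads: a rename is atomic, so the mappings file sshd consults is always either the old or the new complete version.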