[Savannah-cvs] [795] Update.


From: ineiev
Subject: [Savannah-cvs] [795] Update.
Date: Mon, 8 Jul 2024 07:36:58 -0400 (EDT)

Revision: 795
          
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=795
Author:   ineiev
Date:     2024-07-08 07:36:56 -0400 (Mon, 08 Jul 2024)
Log Message:
-----------
Update.

Describe libnss-extrausers setup at download0.
Remove references to the lost check-user-pubkeys.sh.
s/GPG/SSH/; a few other minor fixes and updates.

Modified Paths:
--------------
    trunk/sviki/UserAuthentication.mdwn

Modified: trunk/sviki/UserAuthentication.mdwn
===================================================================
--- trunk/sviki/UserAuthentication.mdwn 2024-06-14 03:44:16 UTC (rev 794)
+++ trunk/sviki/UserAuthentication.mdwn 2024-07-08 11:36:56 UTC (rev 795)
@@ -7,7 +7,7 @@
 2. These accounts are used across all Savannah systems.
 3. Users can upload ssh public keys using the web interface at:
    <https://savannah.gnu.org/my/admin/editsshkeys.php>
-4. ssh public keys are stored in the database on
+4. SSH public keys are stored in the database on
    `internal0.savannah.gnu.org` (see [[SavannahServices]]).
 
 User information can be viewed by anyone on Savannah website.
@@ -34,7 +34,7 @@
 
 The `authorized_keys` field contains all user's SSH public keys,
 concatenated with a `###` delimiter, as a one-line string.
-Users upload their GPG keys, and they are stored in the database.
+Users upload their SSH keys, and they are stored in the database.
 Some users have uploaded malformed and invalid GPG key
 information.  Therefore some of these records are invalid due to
 having invalid information uploaded.
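Review bot: the s/GPG/SSH/ is incomplete within this paragraph; the context line right after the changed one still reads "malformed and invalid GPG key information", and the whole paragraph is about the `authorized_keys` field, so it should say "SSH key information" as well. While here, "Therefore some of these records are invalid due to having invalid information uploaded" restates the previous sentence and can be dropped.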
@@ -46,13 +46,13 @@
 
 ### Groups and accounts
 
-In Savannah systems, there is a Unix user for *each* Savannah
-registered account:
+In Savannah systems, there is a Unix user for each Savannah
+registered account that is a member of at least one group:
 
      download0:~# getent passwd agn
-     agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+     agn:x:131035:1003:Assaf 
Gordon:/etc/savane/user-home-dir:/etc/savane/user-shell
 
-and a unix group for *each* Savannah registered group:
+and a Unix group for each Savannah registered group:
 
     vcs0:~# getent group datamash
     datamash:x:77800:agn
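Review bot: the new sample output line `agn:x:131035:1003:Assaf` / `Gordon:/etc/savane/user-home-dir:/etc/savane/user-shell` is shown split after "Assaf"; confirm that in the committed `.mdwn` it is a single indented line, otherwise the example block renders broken. The reworded sentence ("a Unix user for each Savannah registered account that is a member of at least one group") is a good fix, since it now matches the rule stated later on the page that groupless users get no `getent passwd` entry.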
@@ -84,8 +84,8 @@
 available services on these servers.
 
 Savannah users who are not members of any group (i.e., do not have
-write access to any repository) do not have ssh login access on `vcs`
-even if they have set up their ssh keys. `getent passwd USER` will
+write access to any repository) do not have SSH login access on `vcs`
+even if they have set up their SSH keys. `getent passwd USER` will
 return empty results for such users, even if they are valid users in the
 database (i.e., they exist in the `users` mysql table).
 
@@ -99,12 +99,11 @@
 * Unix user management, using
   [nsswitch](http://en.wikipedia.org/wiki/Name_Service_Switch) and
   [libnss-mysql](http://libnss-mysql.sourceforge.net/).
-* ssh key authentication, using the custom `AuthorizedKeysCommand` option.
+* SSH key authentication, using the custom `AuthorizedKeysCommand` option.
 
-### nsswitch and libnss-mysql
+### nsswitch
 
-The files `download0:/etc/nsswitch.conf` and `vcs0:/etc/nsswitch.conf` contain 
the
-following configuration:
+The file `vcs0:/etc/nsswitch.conf` contains the following configuration:
 
     ...
     passwd:         compat mysql
@@ -119,13 +118,31 @@
 section then look it up in mysql.  That is what allows libc to find
 users in the mysql database.
 
-     download0:~# getent passwd agn
-     agn:x:131035:1003:Assaf Gordon:/srv:/usr/local/bin/sv_membersh
+     vcs0:~# getent passwd agn
+     agn:x:131035:1003:Assaf 
Gordon:/var/local/git-shell-home:/usr/local/bin/shellcmdfw
 
 The SQL statements to extract information from the database on
-`internal0` are defined in `download0:/etc/libnss-mysql.cfg` and
-`vcs0:/etc/libnss-mysql.cfg`.
+`internal0` are defined in `vcs0:/etc/libnss-mysql.cfg`.
 
+The download0 host is configured to use libnss-extrausers instead
+of libnss-mysql.cfg; its /etc/nsswitch.conf contains the following:
+
+    ...
+    passwd:         files extrausers
+    group:          files extrausers
+    shadow:         files
+    ...
+
+`download0:/var/lib/extrausers/passwd` and 
`download0:/var/lib/extrausers/group`
+are linked from /net/vcs/var.lib.savane/; those files are updated on frontend
+whenever the set of any group members is modified.
+
+    download:~# getent passwd agn
+    agn:x:131035:1003:Assaf 
Gordon:/etc/savane/user-home-dir:/etc/savane/user-shell
+
+`download0:/etc/savane/user-home-dir` and `download0:/etc/savane/user-home-dir`
+link to /srv and /opt/savane/bin/sv_membersh, respectively.
+
 ### uidNumber
 
 Savannah users have two IDs in the database: `user.user_id` and
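Review bot: three defects in the added text. First, "libnss-extrausers instead of libnss-mysql.cfg" should read "instead of libnss-mysql" (the library, not the config file). Second, the last paragraph names `download0:/etc/savane/user-home-dir` twice; the second item, the one that links to `/opt/savane/bin/sv_membersh`, should be `download0:/etc/savane/user-shell`, matching the shell shown in the `getent` output just above it. Third, the prompt reads `download:~#` where the rest of the page uses `download0:~#`. As in the Groups and accounts hunk, the `getent` output is shown wrapped after "Assaf"; confirm it is one line in the file. Consider also adding a sentence on what `shadow: files` means for extrausers accounts (they have no shadow entry on download0), since the page's authentication section below only covers SSH keys.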
@@ -137,15 +154,13 @@
 unique, but the `uidNumber` will be *NULL*.
 
 A cron job (`mgt1:/etc/cron.d/savannah`) calls a script (sv_assign_uid_gid)
-which scans the new users in the database, and creates unix user IDs and
-group IDs if needed (if users are not part of any group, they won't need
-ssh access and thus won't need user ID).
+which scans the new users in the database, and creates unix user IDs if needed
+(if users are not part of any group, they won't need SSH access and thus won't
+need user ID).
 
-Search for `sv_assign_uid_gid` in [[SavannahInternals]] to see
-how it is called (but note that the page is outdated: the script now
-runs as a cron job on `mgt1`, not `internal0`).
+Search for `sv_assign_uid_gid` in [[SavannahInternals]] to see how it is 
called.
 
-### ssh authentication
+### SSH authentication
 
 The file `/etc/ssh/sshd_config` on `download0:` and `vcs0:` servers have the 
line:
 
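Review bot: the changed sentence keeps lowercase "unix user IDs" while this commit capitalises "Unix" elsewhere; make it "Unix user IDs", and "won't need user ID" reads better as "won't need a user ID". In the context lines, "The file `/etc/ssh/sshd_config` on `download0:` and `vcs0:` servers have the line" has a singular subject and should be "has the line".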
@@ -153,13 +168,13 @@
     AuthorizedKeysCommand      /opt/savane/bin/sv_get_authorized_keys
     ...
 
-When users log in to Savannah servers using ssh, they specify the account:
+When users log in to Savannah servers using SSH, they specify the account:
 
     git clone agn@git.sv.gnu.org:/srv/git/datamash.git
 
 The user is therefore known, and OpenSSH needs to find user's public keys.
 The `sv_get_authorized_keys` Perl script simply queries
-the ssh public keys of the user (splitting them by `###` delimiter):
+the SSH public keys of the user (splitting them by `###` delimiter):
 
     ...
     my ($authorized_keys) = $dbd->selectrow_array(q[
@@ -176,22 +191,6 @@
     ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvs [...]
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ [...]
 
-To validate user's keys on `vcs`, use the following script:
-
-    vcs0:~# ~/bin/check-user-pubkeys.sh agn
-    gordon@host1     2048 fe:61:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.00 (RSA)
-    gordon@host2     2048 87:21:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.01 (RSA)
-    gordon@host3     2048 3d:00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.9WvGnA/key.02 (RSA)
-
-    vcs0:~# ~/bin/check-user-pubkeys.sh someuser
-    someuser@host1   4096 6b:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.DmNCzP/key.00 (RSA)
-    someuser@host2   4096 0b:c3:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
/tmp/pubkey.check.DmNCzP/key.01 (RSA)
-    Invalid key: /tmp/pubkey.check.DmNCzP/key.02
-    Errors found in ssh pubkeys for user 'someuser'.
-    to troubleshoot, check files in /tmp/pubkey.check.DmNCzP .
-
-The above script can help with troubleshooting user's SSH login problems.
-
 ### mgt and root access
 
 `mgt1.savannah.gnu.org` is the management server (see [[SavannahArchitecture]] 
for
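Review bot: removing the `check-user-pubkeys.sh` walkthrough also removes the page's only guidance for diagnosing the malformed keys mentioned in the `authorized_keys` paragraph. Consider leaving a one-line replacement so admins keep a way to check a user's keys without the lost script, e.g. take the output of `/opt/savane/bin/sv_get_authorized_keys` for the user (one key per line, as shown above) and pass each line to `ssh-keygen -l -f` to find the entry that fails to parse.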