<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Recent changes to XCAT_2_Security</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>Recent changes to XCAT_2_Security</description><atom:link href="https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/feed" rel="self"/><language>en</language><lastBuildDate>Tue, 12 Aug 2014 21:46:22 -0000</lastBuildDate><atom:link href="https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/feed" rel="self" type="application/rss+xml"/><item><title>XCAT_2_Security modified by &lt;REDACTED&gt;</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v49
+++ v50
@@ -1,4 +1,4 @@
-[[img src=Official-xcat-doc.png]] 
+![](http://sourceforge.net/p/xcat/wiki/XCAT_Documentation/attachment/Official-xcat-doc.png)

 [TOC]

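Review bot: the replacement image link on the `+` line fetches the attachment over plain http from an https-hosted wiki, which browsers flag as mixed content and which lets an on-path party swap the image; use `https://sourceforge.net/p/xcat/wiki/XCAT_Documentation/attachment/Official-xcat-doc.png` (or a relative attachment path) instead.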
&lt;/pre&gt;
&lt;/div&gt;</description><pubDate>Tue, 12 Aug 2014 21:46:22 -0000</pubDate><guid>https://sourceforge.net1ef33a08724502c7b55b05622696c8c18217e17c</guid></item><item><title>XCAT_2_Security modified by Lissa Valletta</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v48
+++ v49
@@ -148,7 +148,7 @@

 ### Secure Zones
 As of xCAT 2.8.4, you can setup secure zones in xCAT in the cluster.  A node in the zone can ssh without password to any other node in the zone,  but not to nodes in other zones.  See the following documentation:
-[Setting_Up_Zone]
+[Setting_Up_Zones]

&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lissa Valletta</dc:creator><pubDate>Thu, 24 Jul 2014 17:24:35 -0000</pubDate><guid>https://sourceforge.netd6ad21ced848ece881d91dc8dc6204aea2024fea</guid></item><item><title>XCAT_2_Security modified by Lissa Valletta</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v47
+++ v48
@@ -146,6 +146,9 @@
 See [Disable_node_to_node_root_passwordless_access]

+### Secure Zones
+As of xCAT 2.8.4, you can setup secure zones in xCAT in the cluster.  A node in the zone can ssh without password to any other node in the zone,  but not to nodes in other zones.  See the following documentation:
+[Setting_Up_Zone]

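Review bot: the wiki link `[Setting_Up_Zone]` on the last added line does not match the page name used in the v49 change of this same history (`[Setting_Up_Zones]`), so it renders as a dead link; fix the name in this edit rather than in a follow-up. Minor wording in the same paragraph: "set up" as a verb, and single spaces between sentences.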
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lissa Valletta</dc:creator><pubDate>Thu, 24 Jul 2014 17:23:40 -0000</pubDate><guid>https://sourceforge.net48b32f6c30905d43533d30160d6606418d9f01e1</guid></item><item><title>XCAT_2_Security modified by Lissa Valletta</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v46
+++ v47
@@ -127,7 +127,9 @@

 ## OpenSSH

-xCAT performs the setup for root to be able to ssh without password from the Management Node(MN) to all the nodes in the cluster. All nodes are able to ssh to each other without password or being prompted for a known_host entry, unless restricted (see [XCAT_2_Security#Restricting_node_to_node_ssh]). Nodes cannot ssh back to the Management Node or Service Nodes without a password by default. 
+xCAT performs the setup for root to be able to ssh without password from the Management Node(MN) to all the nodes in the cluster. All nodes are able to ssh to each other without password or being prompted for a known_host entry, unless restricted.
+See [XCAT_2_Security/#restricting-node-to-node-ssh](XCAT_2_Security/#restricting-node-to-node-ssh). 
+Nodes cannot ssh back to the Management Node or Service Nodes without a password by default. 

 xCAT generates, on the MN, a new set of ssh hostkeys for the nodes to share, which are distributed to all the nodes during install. If ssh keys do not already exist for root on the MN, it will generate an id_rsa public and private key pair. 
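Review bot: the context paragraph that closes this hunk says the MN generates one set of ssh hostkeys "for the nodes to share" but never states the consequence: every node presents the same host key, so known_hosts checking cannot tell one node from another and a compromised node is indistinguishable from any peer. Document that trade-off right next to the new restriction link so admins know when to use the restricting and zone options. Style point on the `+` link line: `[XCAT_2_Security/#restricting-node-to-node-ssh](XCAT_2_Security/#restricting-node-to-node-ssh)` shows the raw path as its link text; `[Restricting node to node ssh](#restricting-node-to-node-ssh)` reads better.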
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lissa Valletta</dc:creator><pubDate>Thu, 24 Jul 2014 17:20:56 -0000</pubDate><guid>https://sourceforge.net5cab3517c1647cf598ad39a5662a28206ec11fae</guid></item><item><title>XCAT_2_Security modified by Lissa Valletta</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v45
+++ v46
@@ -12,7 +12,7 @@

 The xCAT Home Page: http://xcat.sourceforge.net/ 

-xCAT Architecture: https://sourceforge.net/apps/mediawiki/xcat/index.php?title=XCAT_2_Architecture 
+xCAT Architecture: [XCAT_2_Architecture] 

 ### Some Requirements (need more)

@@ -27,7 +27,8 @@
 xCAT logs xCAT commands run by the xcatd daemon to both the syslog and the auditlog table in the xCAT database. The commands that are audited can be “ALL” xCAT commands or a list provided by the admin. The auditlog table allows the admin to monitor any attacks against the system or simply over use of resources. The auditlog table is store in the xCAT database ( sqlite,MySQL, Postgresql, DB2) and contains the following record. 

 recid: The record id. 
-    
+ 
+~~~~   
       audittime:     The timestamp for the audit entry.
       userid:        The user running the command.
       clientname:    The client machine, where the command originated.
@@ -36,7 +37,7 @@
       noderange:     The noderange on which the command was run.
       args:          The command argument list.
       status:        Allowed or Denied.
-    
+~~~~    

 For more information about auditing, refer to the following documentation: 

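Review bot: the `~~~~` fence opened on the new line after `recid:` leaves `recid: The record id.` outside the code block while every other field sits inside it, so the record layout renders inconsistently; move the opening `~~~~` to just above the `recid` line. Two typos in the context paragraph are worth fixing in the same edit: "is store in the xCAT database" should be "is stored", and "over use" should be "overuse".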
@@ -91,26 +92,30 @@
 The password for root could be stored MD5 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 

 1\. Change the password in passwd table as MD5 encrypted 
-    
+  
+~~~~  
     tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
-    
+~~~~    

 2\. Use the encrypted password for node provisioning: 

 For diskful: 
-    
-     nodeset &amp;lt;noderange&amp;gt; osimage=&amp;lt;osimage_name&amp;gt;
-    
+ 
+~~~~   
+     nodeset &amp;lt;noderange&amp;gt; osimage=&amp;lt;osimage_name&amp;gt;
+~~~~    

 For stateless: 
-    
-     packimg &amp;lt;osimage_name&amp;gt;
-    
+
+~~~~    
+     packimg &amp;lt;osimage_name&amp;gt;
+~~~~    

 For statelite: 
-    
-     liteimg &amp;lt;osimage_name&amp;gt;
-    
+  
+~~~~  
+     liteimg &amp;lt;osimage_name&amp;gt;
+~~~~    

 ## Certificates

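Review bot: the fenced `tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`` line passes the clear-text root password as a command-line argument, so it is written to the root shell history and visible in the process list while the command runs; the text should tell admins to omit the password argument so that `openssl passwd -1` prompts for it, and to treat `passw0rd` as a placeholder. It should also say plainly that `-1` produces an MD5-crypt hash, the weakest crypt format current distributions still accept, so the choice is documented rather than implied by the flag.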
@@ -135,7 +140,8 @@

 ### Restricting node to node ssh

-As of xCAT 2.6, xcat provides a way to limit which nodes are setup to ssh without password to other nodes. See [Disable_node_to_node_root_passwordless_access] 
+As of xCAT 2.6, xcat provides a way to limit which nodes are setup to ssh without password to other nodes. 
+See [Disable_node_to_node_root_passwordless_access] 

@@ -187,9 +193,7 @@

 xCAT needs to integrate with or support a secure Identity Management protocol. This include User id management and machine management. 

-Some of the options being considered are: 
-
-  
+Some of the options being considered are:   

 #### Active Directory
@@ -206,7 +210,7 @@

 #### LDAP

-Better integration with LDAP. Right now xCAT only has a documented procedure to follow: [Setting_up_LDAP_in_xCAT]. 
+Better integration with LDAP. Right now xCAT only has a documented procedure to follow:[Setting_up_LDAP_in_xCAT]. 

 ### Safe-Guarding Passwords in xCAT

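Review bot: dropping the space in `follow:[Setting_up_LDAP_in_xCAT]` is a regression; the `-` line had it right, so restore `follow: [Setting_up_LDAP_in_xCAT]`.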
@@ -223,5 +227,4 @@
 [XCAT_Port_Usage] 

 ## Notes
-
-  * Latest release of GPFS only requires root ssh on nodes that will be used to manage GPFS 
+Latest release of GPFS only requires root ssh on nodes that will be used to manage GPFS 
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lissa Valletta</dc:creator><pubDate>Thu, 24 Jul 2014 17:18:03 -0000</pubDate><guid>https://sourceforge.netef7b76fdaeecdc10ab424678615411f841d1f14a</guid></item><item><title>XCAT_2_Security modified by Lissa Valletta</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v44
+++ v45
@@ -74,7 +74,7 @@

 During installation, xCAT gives only root userid the authority to run xCAT commands including accessing the database. 

-The policy table in the xCAT database controls who has authority to run specific xCAT operations. It is basically the Access Control List (ACL) for xCAT. The admin ( running as root) may change the policy table to allow other userids to run some or all commands based on configurable restrictions. 
+The policy table in the xCAT database controls who has authority to run specific xCAT operations. It is basically the Access Control List (ACL) for xCAT. The admin ( running as root) may change the policy table to allow other userids to run some or all commands based on configurable restrictions. As of xCAT release 2.8.3 or later, the policy table is first sorted by the priority field, before it is checked. 

 For more information about the policy Table, refer to the following documentation: 

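Review bot: the added sentence "the policy table is first sorted by the priority field, before it is checked" does not say in which direction the sort runs or whether the first matching rule wins, which is exactly what an admin needs to write an ACL that denies before it allows; state the evaluation order explicitly (ascending priority, first match wins, if that is the behaviour) or link to the policy table documentation that does. "As of xCAT release 2.8.3 or later" is redundant; "As of xCAT 2.8.3" suffices.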
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lissa Valletta</dc:creator><pubDate>Mon, 23 Jun 2014 17:58:30 -0000</pubDate><guid>https://sourceforge.neta9c2342ea7b8dd0e643a55e2334ed112e1a4e5a8</guid></item><item><title>XCAT_2_Security modified by Bruce</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v43
+++ v44
@@ -1,3 +1,5 @@
+[[img src=Official-xcat-doc.png]] 
+
 [TOC]

 ## Overview
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bruce</dc:creator><pubDate>Mon, 23 Jun 2014 17:58:29 -0000</pubDate><guid>https://sourceforge.net9dfd9c20f96e44af583be55634a650b57d871fb7</guid></item><item><title>XCAT_2_Security modified by Guang Cheng Li</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v42
+++ v43
@@ -86,28 +86,14 @@

 In the table you can set the password for root, to be set during the install of the node. This protects the node from any window of time where root is not assigned a password. 

-The password for root could be stored MD5, SHA256 or SHA512 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 
-
-If MD5 is used as the encrypt method, the steps 1,2,3 below could be replaced with one command. 
-    
-     tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
-    
-
-1\. Create a new user on the management node 
-
-2\. Change the password of this new user as MD5, SHA256 or SHA512 encrypted 
-    
-     echo passw0rd | chpasswd -c &amp;lt;encrypt_method&amp;gt;
-    
-
-where the &amp;lt;encrypt_method&amp;gt; could be MD5, SHA256 or SHA512 
-
-3\. Copy the encrypted user password to passwd table 
-    
-    tabch key=system passwd.username=root passwd.password=`cat /etc/shadow | grep &amp;lt;new_user&amp;gt; | awk -F ':' '{print $2}'`
-    
-
-4\. Use the encrypted password for node provisioning: 
+The password for root could be stored MD5 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 
+
+1\. Change the password in passwd table as MD5 encrypted 
+    
+    tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
+    
+
+2\. Use the encrypted password for node provisioning: 

 For diskful: 

&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Guang Cheng Li</dc:creator><pubDate>Mon, 23 Jun 2014 17:58:26 -0000</pubDate><guid>https://sourceforge.net986a8ef91a46d837e22de8a99b9a7d3e27dc3ba5</guid></item><item><title>XCAT_2_Security modified by Guang Cheng Li</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v41
+++ v42
@@ -86,14 +86,28 @@

 In the table you can set the password for root, to be set during the install of the node. This protects the node from any window of time where root is not assigned a password. 

-The password for root could be stored MD5 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 
-
-1\. Change the password in passwd table as MD5 encrypted 
-    
-    tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
-    
-
-2\. Use the encrypted password for node provisioning: 
+The password for root could be stored MD5, SHA256 or SHA512 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 
+
+If MD5 is used as the encrypt method, the steps 1,2,3 below could be replaced with one command. 
+    
+     tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
+    
+
+1\. Create a new user on the management node 
+
+2\. Change the password of this new user as MD5, SHA256 or SHA512 encrypted 
+    
+     echo passw0rd | chpasswd -c &amp;lt;encrypt_method&amp;gt;
+    
+
+where the &amp;lt;encrypt_method&amp;gt; could be MD5, SHA256 or SHA512 
+
+3\. Copy the encrypted user password to passwd table 
+    
+    tabch key=system passwd.username=root passwd.password=`cat /etc/shadow | grep &amp;lt;new_user&amp;gt; | awk -F ':' '{print $2}'`
+    
+
+4\. Use the encrypted password for node provisioning: 

 For diskful: 

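Review bot: step 2's `echo passw0rd | chpasswd -c &amp;lt;encrypt_method&amp;gt;` does not work as written, because chpasswd reads `username:password` pairs from stdin rather than a bare password; it should be `echo '&amp;lt;new_user&amp;gt;:passw0rd' | chpasswd -c &amp;lt;encrypt_method&amp;gt;`. Step 3's `grep &amp;lt;new_user&amp;gt;` on /etc/shadow is a substring match that also hits any other account whose name contains the new user's name; anchor it (`grep '^&amp;lt;new_user&amp;gt;:' /etc/shadow | cut -d: -f2`) or use `getent shadow &amp;lt;new_user&amp;gt;`. The procedure also creates a real account with a known password on the management node and never removes it; add a closing step `userdel &amp;lt;new_user&amp;gt;` so the temporary account does not outlive the exercise.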
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Guang Cheng Li</dc:creator><pubDate>Mon, 23 Jun 2014 17:58:25 -0000</pubDate><guid>https://sourceforge.netccd91d21bfb6db46427d1e45a6e35398ae756ffd</guid></item><item><title>XCAT_2_Security modified by Guang Cheng Li</title><link>https://sourceforge.net/p/xcat/wiki/XCAT_2_Security/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v40
+++ v41
@@ -86,6 +86,30 @@

 In the table you can set the password for root, to be set during the install of the node. This protects the node from any window of time where root is not assigned a password. 

+The password for root could be stored MD5 encrypted in the passwd table, here is an example on how to use this in Linux cluster. 
+
+1\. Change the password in passwd table as MD5 encrypted 
+    
+    tabch key=system passwd.username=root passwd.password=`openssl passwd -1 passw0rd`
+    
+
+2\. Use the encrypted password for node provisioning: 
+
+For diskful: 
+    
+     nodeset &amp;lt;noderange&amp;gt; osimage=&amp;lt;osimage_name&amp;gt;
+    
+
+For stateless: 
+    
+     packimg &amp;lt;osimage_name&amp;gt;
+    
+
+For statelite: 
+    
+     liteimg &amp;lt;osimage_name&amp;gt;
+    
+
 ## Certificates

 xCAT generates X.509 (SSL) certificates which it installs on nodes, such as the Service Nodes, where it needs to ensure a secure connection using the SSL/TLS protocol. 
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Guang Cheng Li</dc:creator><pubDate>Mon, 23 Jun 2014 17:58:24 -0000</pubDate><guid>https://sourceforge.net5739dbd19d247d0454fc50eb8601c2e9f338a5b6</guid></item></channel></rss>