If the addcvsuser script fails, add the user by hand:

1. In /etc/passwd, copy the previous entry and increment the uid field by one:
   a7prakas:x:40121:416:Aayush Prakash:/home/a7prakas:/bin/rksh
   rvndrn:x:40122:416:Kashik Ravndran:/home/rvndrn:/bin/rksh

2. In /etc/shadow, copy the previous entry:
   a7prakas:xOj926MXHsCEg:14924::::::
   and then change the login:
   rvndrn:xOj926MXHsCEg:14924::::::
   so that the end of the file looks like:
   cardoso:02DtsDhjArMbU:14922::::::
   a7prakas:xOj926MXHsCEg:14924::::::
   rvndrn:xOj926MXHsCEg:14924::::::

3. Set the password:
   passwd rvndrn

4. Run mkcvsuserdir with the login and the user's email address:
   /usr/local/bin/mkcvsuserdir rvndrn kaushik.ravindran@ni.com

5. Test the checkout:
   cvs -d :ext:rvndrn@source.eecs.berkeley.edu:/home/cvs_chess co ptpapers
Then send the user an email along these lines:

Hi Kashik,
Your username on source.eecs.berkeley.edu is rvndrn. Apologies about the short login, but we are limited to 8 characters. Your password is
change;me
To change your password, use ssh to connect to source.eecs.berkeley.edu and run the "passwd" command.
To check out the repository:
cvs -d :ext:rvndrn@source.eecs.berkeley.edu:/home/cvs_chess co ptpapers/10
php/subpages/options.request.php3 is run and email is sent to the webmaster asking that /usr/local/bin/addcvsuser be run.

(If you want to create a general account, see "How do I create an account under Solaris?")
The account that is created by addcvsuser uses a restricted shell (under Unix, /bin/rksh) so that users can only do things like change their passwords and use cvs. The shells are restricted for security reasons. Also, we provide dot files for each user.

The restricted users do have enough access to set up ssh access though. We don't want people using source.eecs as a general purpose server, we just want to provide cvs (and subversion) access. By having source be very secure, we increase reliability and availability. source.eecs is our most reliable machine. Until we put a web server on to support Subversion, it was very resistant to attack. source.eecs does not have NFS running or sendmail (there is an MX record set up to bennett). Scanning the ports on source.eecs reveals many fewer open ports than are on andrews, which has mysql and sendmail. I've been meaning to tighten up the firewalls on the servers, but have not gotten around to it in a while.

source.eecs does not mount user file systems for security reasons. NFS is a security hole. In the 'real world', machines on the outside of the firewall such as web servers and cvs servers usually do not have user accounts. If user accounts are to be made available, usually there would be a VPN hole or else a login server.

source: As of 2/06, we are not adding cvs-only users to the departmental database. This is partly in preparation for the uid unification with campus, where we won't be able to add users to the database at all.

The path is set by having /etc/default/login contain:
    # LOCAL change, cvs rksh users need to have the PATH here
    PATH=/home/cvsusers/bin
When a user logs in via ssh and their shell is set to /bin/rksh in /etc/passwd, then their path is set to include just /home/cvsusers/bin.

Each user has a ~/.ssh/rc file that contains:
    # It should not be necessary to have any sort of shell mentioned in the topline
    # as this script gets run with the user's shell, which should be rksh
    # See the sshd manpage for more info
    # This file does nothing, it is to avoid problems with
    # .Xauthentication files
However, after we patched in 2/2012, ssh connections started getting:
    /bin/rksh: /bin/sh: restricted
One workaround is to remove the ~/.ssh/rc file. The problem occurs because ssh invokes that file with /bin/sh. See http://comments.gmane.org/gmane.network.openssh.devel/12155.

The book "SSH Secure Shell" at http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch09_03.htm says:

9.3.5.2. xauth and the SSH rc files
SSH has startup files that can be set to execute on the server side when a client logs in. These are the systemwide /etc/sshrc and the per-account ~/.ssh/rc. These can be shell scripts or any kind of executable program. An important thing to note is that sshd runs xauth only to add the proxy display key if it doesn't run an rc program. If it does run an rc program, it feeds the key type and data to the program on a single line to its standard input, and it is up to the rc program to store the display key. This feature provides a way to customize handling the display key, in case just running xauth isn't the right thing to do in your situation.
The addcvsuser script on source looks in /etc/passwd for the last uid in the range 40000 to 50000 and uses the next UID. For example, the next uid might be 400012 or something.
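The uid allocation just described, together with the manual /etc/passwd and /etc/shadow steps from the top of the page, as an added Python example (this is not the addcvsuser script, which the page does not show). It assumes the 40000-50000 range, gid 416 and /bin/rksh seen in the page's entries, and it deviates from the manual recipe in one place: the new shadow entry is created locked rather than as a copy of the previous user's hash, since the copied hash leaves the new account reachable with the previous user's password until passwd is run.

```python
"""Allocate the next CVS-only uid and build the passwd/shadow lines.
Added example, not the addcvsuser script.  SAMPLE_PASSWD is constructed
from the page's entries (cardoso's uid and gecos are made up)."""
import re

UID_LO, UID_HI = 40000, 50000   # uid range addcvsuser allocates from
CVS_GID = 416                   # gid on the page's example entries
CVS_SHELL = "/bin/rksh"         # restricted shell for cvs-only users

SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
cardoso:x:40120:416:Cardoso (constructed):/home/cardoso:/bin/rksh
a7prakas:x:40121:416:Aayush Prakash:/home/a7prakas:/bin/rksh
"""

def parse_passwd(text):
    """Yield (login, uid) for each well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2])

def next_cvs_uid(passwd_text):
    """Highest uid already in [UID_LO, UID_HI) plus one: same as the page's
    'last uid + 1' for a sorted file, but never reuses a uid when it is not."""
    used = [u for _, u in parse_passwd(passwd_text) if UID_LO <= u < UID_HI]
    uid = max(used) + 1 if used else UID_LO
    if uid >= UID_HI:
        raise ValueError("cvs uid range %d-%d exhausted" % (UID_LO, UID_HI))
    return uid

def make_entries(login, gecos, passwd_text, lastchg):
    """Return (passwd_line, shadow_line) for a new cvs-only user; lastchg is
    the days-since-epoch field (14924 on the page).  Unlike the manual recipe
    the shadow password field is Solaris' lock marker '*LK*' instead of a copy
    of the previous user's hash, so the login is unusable until passwd is run."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,7}", login):
        raise ValueError("login must be 1-8 lowercase chars (source.eecs limit)")
    if any(name == login for name, _ in parse_passwd(passwd_text)):
        raise ValueError("login %r already in passwd" % login)
    if ":" in gecos:
        raise ValueError("gecos must not contain ':'")
    uid = next_cvs_uid(passwd_text)
    passwd_line = "%s:x:%d:%d:%s:/home/%s:%s" % (
        login, uid, CVS_GID, gecos, login, CVS_SHELL)
    shadow_line = "%s:*LK*:%d::::::" % (login, lastchg)   # 9 shadow fields
    return passwd_line, shadow_line
```

Append the two returned lines to /etc/passwd and /etc/shadow, then run passwd for the login as in step 3 of the manual procedure.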
Adding a user to the UID database

This is obsolete as of 9/2011. The primary interface is https://iris.eecs.berkeley.edu/db/roster/

You might find it easier to use the web interface to add the user to the uid database and then rerun addcvsuser with the same command line arguments from the email that was sent to you requesting the account.

To use the Web Interface:
1. Go to https://iris.eecs.berkeley.edu/db/roster/
2. Choose "Create a new user account" under "UIDs".
3. Fill in the form. The example values on this page, in the order they appear, are: j_ludvig, 416, Jozsef Ludvig (login, gid and full name).
4. Press the Insert button.
5. The remaining example values: home directory /home/j_ludvig, shell /bin/rksh (the other shell listed is /usr/local/bin/tcsh), comment "GSRC Guest, CVS only".
The Departmental UID database can be accessed at https://iris.eecs.berkeley.edu/db/roster/

http://www.eecs.berkeley.edu/~tmaher/dw/DW_UID.pm is a DW_UID download that contains perl scripts that can be used to add and delete users in the departmental user database. Locally, those scripts are installed in /usr/local/dw_uid on gigasource.

To set up DW_UID (http://www.eecs.berkeley.edu/~tmaher/dw/DW_UID.pm):
- Install perl from ftp://mirrors.xmission.com/sunfreeware by gunzipping the package and running pkgadd -d perl*. Check the result with perl -version.
- Get OpenSSL from http://www.openssl.org
- Install the perl modules:
    perl -MCPAN -e shell
    install Net::SSLeay
    install MIME::Base64
  Note that CPAN can use ftp or http to download files.
- Also, for Net::SSLeay, I had problems with the test hanging when it tried to connect to www.openssl.org, so I had to download it from ftp://cpan.valueclick.com//perl/CPAN/modules/by-module/Net and do
    tar -zxf downloads/Net*
    cd Net*
    perl Makefile.PL
    make
    make test
    make install
- Run the add script:
    cd /usr/local/dw_uid/DW_UID
    ./add.pl
gigasource:root: %C2> ./add.pl
Enter your login name to EECS DataWarehouse: cxh
Enter password: XXX
Checking authorization... ok
Enter search criterion. press enter for none
login > cxh
name > hylands
Are any of these guys your man? (press enter for no)
1) cxh (6269) Christopher Hylands
2) basil (8164) Basil Hylands
3) hxc (6349) Christopher Hylands
Please select an entry and/or press enter: 1
error:Database error An error occured
Error: Cannot insert new into unix_uids
line 990 in /usr/netscape/server4/docs/dw/user/unix_uids_manage.cgi
database error: ERROR: Cannot insert a duplicate key into unique index unix_uids_login_key
attempted: INSERT INTO unix_uids ( uid, login, gid, name, gecos, homedir, shell, sid, created, pin, comment ) VALUES ( gfu( 200 ), 'cxh', '30', 'Christopher Hylands', '406 Cory,2-2716', '/home/argon3/lab/staff/cxh', '/bin/csh', NULL, 'now', NULL, 'imported from uid db' )
If you see this message, please get either a hardcopy or email a copy of the page to
Infrastructure Development and Support Group
Room 325, Soda Hall
gigasource:root: %C2>
Ok, I hacked (major emphasis on hacked) up add.pl and created getuid.pl which prints all the status messages to STDERR and the passwd line to stdout so that you can get the line with something like:
    set pwent = "`/usr/local/dw_uid/dw_uid/getuid.pl $last_name`"
This will be useful for anyone who is using the csh based adduser script that is based on the one from ftp://account.eecs.berkeley.edu/pub/adduser that was initially written in '92.

I modified DW_UID.pm so that it prints its messages to STDERR, and I cleaned it up slightly so that it does not take a command line argument as the login name to use with the EECS Data Warehouse.

Saving /etc/passwd and /etc/shadow before messing around with adduser is strongly recommended.

My hacks can be found at http://ptolemy.eecs.berkeley.edu/~cxh/tmp/dw_uid-1.0p1.tar.gz