On 2011-11-17 10:16, Lucas Meneghel Rodrigues wrote:
> On 11/16/2011 11:50 PM, Wenyi Gao wrote:
>> On 2011-11-16 20:26, Lucas Meneghel Rodrigues wrote:
>>> On 11/16/2011 07:20 AM, Wenyi Gao wrote:
>>>>
>>>> Currently, for ubuntu system, autotest.init will be used and start
>>>> monitor_db_babysitter owned by user autotest,
>>>> so when we use web front-end to create job, the autoserv also owned
>>>> by user autotest runs ssh commands with default
>>>> ssh user "root", known as "-l root", which causes the following
>>>> permission problem on ubuntu.
>>>>
>>>> * Command:
>>>> /usr/bin/ssh -a -x -o StrictHostKeyChecking=no -o
>>>> UserKnownHostsFile=/tmp/tmpvUr_sL -o BatchMode=yes -o
>>>> ConnectTimeout=60 -o
>>>> ServerAliveInterval=300 -l root -p 22 172.16.3.130 " true"
>>>> Exit status: 255
>>>> Duration: 0.342299938202
>>>>
>>>> stderr:
>>>> Permission denied (publickey,password).
>>>>
>>>>
>>>> So the patch changes user from autotest to root when starting
>>>> monitor_db_babysitter to keep consistent with ssh
>>>> user "-l root".
>>>
>>> From the ssl man page
>>> _make_ssh_cmd_default
>>> -l login_name: Specifies the user to log in as on the remote machine.
>>> This also may be specified on a per-host basis in the configuration
>>> file.
>>>
>>> This is not a problem with the autotest user on your machine. What
>>> probably happens is you do not have ssh key properly set up.
>>>
>>> https://github.com/autotest/autotest/wiki/KVMAutotest-GetStartedServer
>>>
>>> Host Installation Steps
>>> Setup password-less ssh connection from the server to this host
>>> On the server, create a DSA key in the following way:
>>>
>>> ssh-keygen -t dsa
>>> Then, still on the server, copy it to the host:
>>>
>>> ssh-copy-id [email protected]
>>>
>>> I'm rejecting this patch.
>>>
>>
>> In fact, I have set up the ssh key and both user "autotest" and user
>> "root" can ssh target host without password. I have done the following
>> test:
>>
>> Test 1: root user run ssh
>>
>> root@wayne-ThinkPad-T420:/home/wayne# ssh [email protected]
>> Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic x86_64)
>>
>> * Documentation: https://help.ubuntu.com/
>>
>> Last login: Thu Nov 17 09:24:07 2011 from wayne-thinkpad-t420.local
>> root@ubuntu:~#
>>
>>
>> Test 2: autotest user run ssh
>>
>> autotest@wayne-ThinkPad-T420:/home/wayne$ ssh [email protected]
>> Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic x86_64)
>>
>> * Documentation: https://help.ubuntu.com/
>>
>> Last login: Thu Nov 17 09:28:11 2011 from wayne-thinkpad-t420.local
>> autotest@ubuntu:~$
>>
>>
>> Test 3: autotest user run ssh with "-l root"
>>
>> autotest@wayne-ThinkPad-T420:/home/wayne$ ssh -a -x 172.16.3.130 -l root
>> "true"
>> [email protected]'s password:
>>
>>
>> The tests are done on Ubuntu 11.10 workstations. It is clear Test 1 and
>> Test 2 are okay, but Test 3 fails. However our autotest framework
>> runs ssh in the same way as Test 3, which will fail. On the other side,
>> if Test 3 is okay, there will be a security hole for ssh
>> because a user can ssh a target host with another user's account without
>> password.
>
> Well, I've checked once again the man page just to confirm
>
> """
> -l login_name
> Specifies the user to log in as on the remote machine.
> This also may be specified on a per-host basis in the configuration file.
> """
>
> "To log in as on the remote machine". This is the equivalent to using
> root@ip.
>
> This works perfectly under Fedora, no need to run the scheduler as
> root whatsoever, and there are no keys from the root user on our test
> machines. I've looked at the init script code and there's nothing
> obviously wrong there. I need to set up an environment with Ubuntu VMs
> to see what the heck is going on here.
>

Yes, that's right, "-l root " is the equivalent to using root@ip. So when running Test 4,

Test 4

autotest@wayne-ThinkPad-T420:/home/wayne$ ssh [email protected]
[email protected]'s password:

The root password is also required.

_______________________________________________
Autotest mailing list
[email protected]
http://test.kernel.org/cgi-bin/mailman/listinfo/autotest
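
The four tests in the thread above, modelled as an added example (not code from the thread or from autotest): with default sshd settings a public key is accepted only if it appears in the authorized_keys of the account named by `-l`, and `BatchMode=yes` turns the password fallback into exit status 255. The key blobs, file contents and function names are constructed placeholders, and the example assumes the remote root account lists only root's key.

```python
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_fields(line):
    """Split on whitespace, but keep double-quoted option values intact."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in " \t" and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return fields + [cur] if cur else fields


def key_blob(line):
    """Return the base64 key blob of a .pub or authorized_keys line, or None."""
    fields = split_fields(line)
    if not fields or fields[0].startswith("#"):
        return None
    for i in (0, 1):  # key type comes first, or second after an options field
        if i + 1 < len(fields) and fields[i] in KEY_TYPES:
            return fields[i + 1]
    return None


def ssh_outcome(local_pub, remote_authorized_keys, batch_mode):
    """Predict the login result for the account that owns this authorized_keys."""
    offered = key_blob(local_pub)
    accepted = {key_blob(l) for l in remote_authorized_keys.splitlines()} - {None}
    if offered in accepted:
        return "publickey ok"
    # BatchMode=yes disables password prompting, so ssh fails instead of asking.
    return "exit 255: Permission denied" if batch_mode else "password prompt"


# Constructed sample data (placeholder blobs, not real keys).
ROOT_PUB = "ssh-dss AAAAB3ROOTKEYPLACEHOLDER root@server"
AUTOTEST_PUB = "ssh-dss AAAAB3AUTOTESTKEYPLACEHOLDER autotest@server"
REMOTE = {  # assumed authorized_keys of each account on the test host
    "root": "# installed by ssh-copy-id as root\n" + ROOT_PUB + "\n",
    "autotest": 'environment="NOTE=test server key" ' + AUTOTEST_PUB + "\n",
}
```

Under these assumptions the scheduler's command succeeds once the public key of the local user that runs it is appended to the remote root account's authorized_keys; the local process does not need to run as root.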
