So, we have had a number of folks recently come and tell us they are having trouble logging into fedorapeople.org and after troubleshooting we find that they are not in any non cla groups, so don't even have an account there.
I've tried to stress the requirements on the people page on the wiki, but I think some people are learning about it word of mouth and aren't finding out the requirements for accounts.
To help with this I set up an ssh Banner the other day.
So, every connection gets a short message:
---snip---
This system is for Fedora Contributors only!
You must be in at least one non cla group to have access.
See: https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org
---snip---
There are, however, a few problems with this and I have reverted it for now. Problems include:
* Annoys people who do have accounts.
* Breaks scripts that look for just specific content.
* Tells attackers if someone has an account or not.
So we could:
* Just keep it disabled and try and get people to read docs
* Re-enable it but make the message 1 line to be less annoying.
* Some other clever solution.
kevin
On Fri, 2014-09-26 at 16:26 -0600, Kevin Fenzi wrote:
> * Just keep it disabled and try and get people to read docs
I think this would be the best way to go. I can ask a question on Ask Fedora, for example, and then folks from admin can just use that as a "sticky" for things to check when your login to fedorapeople fails - like a step by step troubleshoot:
- if your login fails
  - check your cla status (link to wiki page)
- if you're in at least one non cla group and cannot login:
  - check your keys
etc.
On Fri, Sep 26, 2014 at 04:26:48PM -0600, Kevin Fenzi wrote:
> * Some other clever solution.
Use pam_exec, check cla membership in the auth phase (after authentication).
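As an added example (not code from the thread or from Fedora Infrastructure), here is what Matthew's pam_exec suggestion could look like as an account-phase script: it lets a user in only when their group list contains something besides the CLA groups and otherwise prints the reason to the client. The script path, the PAM line and the cla/cla_* group-name pattern are assumptions; as Kevin notes in reply, this only helps for users who already have an account and can authenticate.

```shell
#!/bin/sh
# Added example (not from the thread): a pam_exec helper that refuses
# sshd logins for users who are only in CLA groups, printing the reason.
# Assumed sshd PAM line (account phase, so it also runs for pubkey auth):
#   account required pam_exec.so stdout /usr/local/sbin/check_cla_groups.sh
# pam_exec exports PAM_USER; with "stdout" the message reaches the client.

WIKI="https://fedoraproject.org/wiki/Infrastructure/fedorapeople.org"

# Return 0 if the space-separated group list in $1 contains at least one
# group that is not a CLA group (cla or cla_*), otherwise 1.
has_non_cla_group() {
    for g in $1; do
        case "$g" in
            cla|cla_*) ;;          # CLA-only groups do not count
            *) return 0 ;;
        esac
    done
    return 1
}

pam_account_check() {
    user="${PAM_USER:?PAM_USER not set by pam_exec}"
    # id(1) resolves the user's groups; an unknown user is denied
    groups=$(id -nG "$user" 2>/dev/null) || return 1
    if has_non_cla_group "$groups"; then
        return 0
    fi
    echo "This system is for Fedora Contributors only!"
    echo "You must be in at least one non cla group to have access."
    echo "See: $WIKI"
    return 1
}

# Only act when invoked by pam_exec; sourcing the file for tests is a no-op.
if [ -n "${PAM_USER:-}" ]; then
    pam_account_check
    exit $?
fi
```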
On Tue, 30 Sep 2014 17:46:08 -0400 Matthew Miller mattdm@fedoraproject.org wrote:
> On Fri, Sep 26, 2014 at 04:26:48PM -0600, Kevin Fenzi wrote:
> > * Some other clever solution.
> Use pam_exec, check cla membership in the auth phase (after authentication).
Sadly that won't work. The only people who have accounts are those in cla_done + 1 group. So, the people without that don't even have an account, so they can't authenticate. ;(
kevin
"KF" == Kevin Fenzi kevin@scrye.com writes:
KF> Sadly that won't work. The only people who have accounts are those
KF> in cla_done + 1 group. So, the people without that don't even have
KF> an account, so they can't authenticate. ;(
Is it possible to give them accounts that have no permission to do anything? I used to change the shell to /usr/local/bin/terminated, which printed a message about the account being closed.
- J<
On Thu, Oct 02, 2014 at 02:05:59PM -0500, Jason L Tibbitts III wrote:
> KF> Sadly that won't work. The only people who have accounts are those
> KF> in cla_done + 1 group. So, the people without that don't even have
> KF> an account, so they can't authenticate. ;(
> Is it possible to give them accounts that have no permission to do anything? I used to change the shell to /usr/local/bin/terminated, which printed a message about the account being closed.
Did it do that using bash, by any chance? :)
It's always better that people who shouldn't have accounts actually don't.
On 2 October 2014 13:05, Jason L Tibbitts III tibbs@math.uh.edu wrote:
> "KF" == Kevin Fenzi kevin@scrye.com writes:
> KF> Sadly that won't work. The only people who have accounts are those
> KF> in cla_done + 1 group. So, the people without that don't even have
> KF> an account, so they can't authenticate. ;(
> Is it possible to give them accounts that have no permission to do anything? I used to change the shell to /usr/local/bin/terminated, which printed a message about the account being closed.
In this case that would be close to a hundred thousand accounts linked to /bin/noshellforyou for the 3200 that are cla+1. In the past that was a great way to DOS a machine: just have an ssh bot go by and get a bunch of nologins, and the amount of CPU for login search/setup/deny was enough to DOS a box.
The only solution I have seen in practice is having the ssh banner set, but everywhere I worked at previously was legally required to have messages in banners so my world view is biased.
- J<
"SJS" == Stephen John Smoogen smooge@gmail.com writes:
SJS> In this case that would be close to a hundred thousand accounts
SJS> linked to /bin/noshellforyou for the 3200 that are cla+1.
Just stating a solution. It would actually work, after all. Whether it's worth the annoyance and any potential security exposure, I don't know. But if you want to display something to CLA+0 people but not CLA+1 people then, well, I believe that is the only way to do it.
SJS> In the past that was a great way to DOS a machine..
Maybe back in 1994 or something. I really doubt this is a consideration these days.
- J<
On 2 October 2014 16:19, Jason L Tibbitts III tibbs@math.uh.edu wrote:
> "SJS" == Stephen John Smoogen smooge@gmail.com writes:
> SJS> In this case that would be close to a hundred thousand accounts
> SJS> linked to /bin/noshellforyou for the 3200 that are cla+1.
> Just stating a solution. It would actually work, after all. Whether it's worth the annoyance and any potential security exposure, I don't know. But if you want to display something to CLA+0 people but not CLA+1 people then, well, I believe that is the only way to do it.
> SJS> In the past that was a great way to DOS a machine..
> Maybe back in 1994 or something. I really doubt this is a consideration these days.
Well, 2008. It was having too many unused accounts with too little memory to deal with having a good many of them looked up at the same time. In that case it was an ssh bot and then compounded by a student saying "hey let me go through ldap and log in and see how many people have the password 'password'". And an account system which had accounts for students since 1980 in it (most of them set to /bin/nologin).
- J<