| Table of Contents |
|---|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
VPN access
See How to Connect to SLAC VPN
Note you will need to request VPN Usage access.
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
Getting an account
For our NNIT collaborators, it's a 2 step process.
- You have to be registered as a SLAC user. To do this go to https://www-sslonly.slac.stanford.edu/slacuserinfo/SLACformI.asp
- You are NOT a SLAC employee, use your home institution as your employer.
- Your work type is computing. SLAC will not be paying you. You will be using SLAC computing resources.
- The experiment is Computing. I am your sponsor. Your SLAC group department is
- SCCS. You will spend < 10% time at SLAC. Please be careful to
- use the recommended date format dd-mon-yyyy.T
- this will get you a SLAC ID. It may take a couple work days.
- Once you have a SLAC ID then you will be able to apply for a SLAC computer account. For this you will need to go to http://www2.slac.stanford.edu/comp/slacwide/account/account.html Fill out this form, sign it, and FAX it to the attention of Les Cottrell at +1-650-926-3329.
Unix/NFS group iepm
File used to keep track of NFS network group privs. It use the ypgroup Unix databases
To see who is in a group use the command*
| Code Block |
|---|
netgroup <group_name>, e.g.
36cottrell@pinger:~>netgroup u-network-management
u-network-management
(-,antony,)
(-,cal,)
(-,cottrell,)
(-,cxg,)
(-,jerrodw,)
(-,kmartell,)
|
The above group is the one to enable users to logon to the special iepm hosts. It can only be updated by unix-admin.
The groups below are Unix groups (not netgroup) which was made available over the network by NIS (formerly YP). Les can manage unix groups via the ypgroup command.
| Code Block |
|---|
ypmatch <group_name> group
ypmatch <group_name> netgroup, e.g.
35cottrell@pinger:~>ypmatch u-network-management netgroup
(-,antony,) (-,cal,) (-,cottrell,) (-,cxg,) (-,jerrodw,) (-,kmartell,)
|
or
| Code Block |
|---|
ypgroup exam -group iepm
Group 'iepm':
GID: 2087
Comment:
Last modified at Aug 2 15:20:42 2006 by jonl
Owners: cal
Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm,
jerrodw, jiri, maheshkc, rich, ytl
|
To add someone to a group use (Les can execute this command):
| Code Block |
|---|
ypgroup adduser -group iepm -user pinger
|
# Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving etc.
#Note that people with privileges need to change their passwords at least every 9 months.
To see which hosts use a netgroup
grep the files at /afs/slac.stanford.edu/g/scs/systems/system.info/<machine>/taylor.opts.expanded looking for the group, e.g.
| Code Block |
|---|
6cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm /afs/slac/g/scs/systems/system.info/i*/taylor.opts.expanded
/afs/slac/g/scs/systems/system.info/iepm-bw/taylor.opts.expanded:limit_login=u-iepm
/afs/slac/g/scs/systems/system.info/iepm-resp/taylor.opts.expanded:limit_login=u-iepm
|
N.b. replacing i* with * will probably result in /bin/grep: Argument list too long. Also note that as of 12/31/06 the hosts whose access is controlled by u-iepm are: iepm-bw, iepm-resp, monalisa, nettest5, and pinger
NFS file access
NFS file systems such as /nfs/slac/g/net/pinger are exported to netgroup from netfs02, so it is available on all machines in that group. To see the full list of machines that can access these files, you can type:
| Code Block |
|---|
119cottrell@pinger:~>netgroup slac > ! /tmp/junk
|
and edit the file (/tmp/junk). The amd mountpoints are transient....they timeout when not in use. So sometimes it will work to cd to /nfs/slac/g and you will see an entry for net/pinger, but if it has timed out you may not, even on pinger (unless something runs there that keeps it constantly available). Once the mountpoint has timed out you will have to cd to the full amd mount path which in this case is /nfs/slac/g/net/pinger to get amd to remount the space. AS a rule it is always a good idea to use the full path to the nfs space, especially in scripts.
Unix/AFS groups
Purpose | afs path | contact(s) |
|---|---|---|
SVN access | /afs/slac/g/scs/net/netmon/repo/svn | Cottrell |
|
|
|
|
|
|
To see the names of groups and privileges on a particular directory, issue the command
| Code Block |
|---|
fs la <directory>, e.g.
fs la .
|
or
| Code Block |
|---|
fs la /afs/slac/g/scs/net/pinger
jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/
Access list for /afs/slac/g/scs/net/pinger/ is
Normal rights:
maint-pkg-netmon rlidwk
g-scs rlidwka
system:slac rl
system:administrators rlidwka
system:authuser rl
|
To view members of a particular group listed from 'fs la', issue the command:
| Code Block |
|---|
pts mem <group_name>, e.g.
jerrodw@pinger $ pts mem maint-pkg-netmon
Members of maint-pkg-netmon (id: \-4786) are:
<list of user_id's belonging to this group>
|
To add users to a particular group (only if you have privileges of course), issue the command
| Code Block |
|---|
pts adduser \-group <group_name> \-user <user_id>
|
Network Test hosts
Please note that we would like to see network testing, especially WAN testing, done primarily and by convention from machines set aside for that purpose
(e.g. iepm-bw, iepm-resp, pinger), the list of network machines is kept at http://www-iepm.slac.stanford.edu/about/nodes.html
To find out who can logon to a specified host look at the /etc/passwd file on that host, look towards the end for things like
+@u-iepm
and use the netgroup u-iepm command to see who is in the group.
To find out what hosts u-iepm can logon to use:
| Code Block |
|---|
#65cottrell@pinger:/afs/slac/g/scs/systems/system.info>grep u-iepm \*/passwd
#bping/passwd:+@u-iepm
#iepm-bw/passwd:+@u-iepm
#iepm-resp/passwd:+@u-iepm
#iepm-sol/passwd:+@u-iepm
#monalisa/passwd:+@u-iepm
#...
|
To logon to account iepm
Account iepm (typically on iepm-bw.slac.stanford.edu) is used to work on the iepm-bw project. Password logon to this account is to first order blocked. To access this account one has to have one's ssh public keys installed in ~iepm/.ssh/.public/authorized_keys. The first thing for the new person wishing to run unnder the account iepm is to create her/his ssh key pairs. To create the ssh key pairs use the commands:
| Code Block |
|---|
ssh-keygen -t dsassh-keygen -t rsassh-keygen -t rsa1
|
It will also ask you for a pass phrase, just enter a carriage return. If it asks where to save the keys just take the default (carriage return). Another used can verify that the public keys are created as follows:
| Code Block |
|---|
3cottrell@pinger:~>more ~tanzeel/.ssh/.public/identity.pub
1024 35 146653454394770889044623166877077310614501899921965775234647207308036879
63750413852009080539737126752412601088856837707997231429818026234620137964285189
90916139217247252465554635868080863595598499677410533321491762163027007069491891
43405873785518703883968259344869429208971927599722736690422112709006735867357 ta
nzeel@iepm-bw
|
Someone who can already logon to account iepm will then need to copy the new person's (in the example above tanzeel) public keys into ~iepm/.ssh/.public/authorized_keys:
| Code Block |
|---|
2iepm@iepm-bw:~>cat ~tanzeel/.ssh/identity.pub >> ~/.ssh/authorized_keys
3iepm@iepm-bw:~>cat ~tanzeel/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
4iepm@iepm-bw:~>cat ~tanzeel/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
5iepm@iepm-bw:~>cat ~tanzeel/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys2
|
One can then check that the new person's public ssh keys are available in the iepm account as follows:
| Code Block |
|---|
9iepm@iepm-bw:~>tail -3 ~/.ssh/authorized_keys
1024 35 146653454394770889044623166877077310614501899921965775234647207308036879637504138520
09080539737126752412601088856837707997231429818026234620137964285189909161392172472524655546
35868080863595598499677410533321491762163027007069491891434058737855187038839682593448694292
08971927599722736690422112709006735867357 tanzeel@iepm-bw
ssh-dss AAAAB3NzaC1kc3MAAACBAIEC24o7qaGXu7BhvDEyVLfbtNCyHDqsW5N7urvW2DLKam7MMyZmnAqpQh1X7j8L
U+DAy6eX50ToychvrwDA8pmA45Hbf61dnoSc/yfd1sM8fC1x0faWvglf/PNT5EfQzwPKEEzIeTieNRL9OTNr4ZS7WjXJ
+i+bvc/a6bq+6Rj1AAAAFQCWTL/9FG3xCJ3nKwRg/g5cduZ9BwAAAIA8N63JWBa+xr2I4ylDaaONQNfVP9ODNMvtSBSj
OlEK7YD4oDd/ZZPLEdW+mcHGTbEgwBB15acl+4PdpGBy5HCGsA7xXJPEPGnjNHRcsfRCdAuyQiaUKfJLfPPvdAAlKxO+
DGJCItlsE8hyf+vbDJGxoa4nOqm2aQ6XneXhWhJuwAAAAIAXJMhOKrGAYBn72q+IbwM2c33bXLDnTTlGo7WKlzeBpLas
jnt79E10TZEX6h0WDYuK0Ymdjy8XEoaStpF/bH+TxXclLNCAhjeWVf/FJI1neDhvhfrLHV3rOVEgH+d9Wka7Q+e2RPYY
8WJOx/eh7vW21LwqmnfLK/h0lyxJ3/EX9w== tanzeel@iepm-bw
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4uzuhQTykqyFHpEayNxTz0HC951ynsxxT2ltHXzjdTbudozvtXEnCYGe
hXVoog4wS2yhwXskRZj8mKyoa/ZtPOd2fXZgQs+zJB5SrDN7jf2aWt5A1a2VynVAFPor4Vu/Yh79dAkj3zN3ojcoelqt
wFheKhmPRh1cxNIpNyPmelE= tanzeel@iepm-bw
|
and the new user should be able to logon to the iepm account using:
| Code Block |
|---|
~tanzeel@iepm-bw.slac.stanford.edu>ssh -v iepm@iepm-bw.slac.stanford.edu if that does not work then try:
~tanzeel@iepm-bw.slac.stanford.edu>ssh -v -1 iepm@iepm-bw.slac.stanford.edu
and
~tanzeel@iepm-bw.slac.stanford.edu>ssh -v -2 iepm@iepm-bw.slac.stanford.edu
|
Sudo
The sudoers file can be found at:
| Code Block |
|---|
/afs/slac/package/taylor/prod/base/sudoers
|
The following lines are in the sudoers file:
| Code Block |
|---|
# NB: The following two aliases define collections of commands for use
# by members of the IEPM group on all machines and on the network
# trouble-shooting machine, pharlap, respectively. In this context,
# "IEPM group" is not necessarily the same as the NIS group named
# "iepm"; changes to the commands in the two aliases, or to the users
# who should be authorized to use the commands, still need the usual
# approvals.
# Commands authorized for members of the IEPM group on all machines:
Cmnd_Alias IEPM_ALL = NIKHEF_PING,PATHCHAR,PCHAR,PIPECHAR
# Commands authorized for members of the IEPM group on pharlap:
# The addition of PIPECHAR to this list of commands is granted for
# six months only and should be revisted May 28, 2002.
Cmnd_Alias IEPM_PHARLAP = SNOOP,TCPDUMP,NDD,PIPECHAR,KILL
|
The people in the sudoers file with privileges assigned by these two Cmnd_Alias-es are: cal, cottrell, cxg.
| Code Block |
|---|
iepm group: cottrell, warrenm, cal, dougc, cxg, grosso
Pathchar All sudo /afs/slac/g/scs/bin/pathchar
Pchar All sudo /afs/slac/package/netperf/bin/@sys/pchar
Pipechar All sudo /afs/slac.stanford.edu/package/netperf/bin/@sys/pipechar
NIKHEF ping All sudo /afs/slac/package/nikhef/@sys/ping
#Snoop and tcpdump are big security exposures, so please be careful with their use.
#Probably a good idea to notify security (email just before you start) if you are
#going to use snoop and/or tcpdump
Snoop Pharlap sudo snoop
Tcpdump Pharlap sudo /afs/slac/package/netperf/bin/@sys/tcpdump
u-network-management: warrenm, cottrell, kmartell, cal, cxg, grosso, janewei, gtb
ssh All
maint-pkg-nikhef: cxg, warrenm, dougc
|
The following have /usr/sbin/ndd -set privs and sudo kill (via cmd macro IEPM_PHARLAP) on pharlap (7/19/01):
cal, cottrell, cxg
Account iepm has sudo kill with no password on pharlap (12/14/01)
cottrell also has ndd -set for evagore (11/21/01)
iepm has pipechar with no password on pharlap and antonia (11/28/01)
Mailing lists
The main mailing list is iepm-group. To get added to this list contact Les Cottrell. To see who is in the group etc. go to majordomo