ESD Software Engineering
ESD iocConsole cdioc AFS and NFS Accounts
The cdioc ESD AFS and NFS shared account is used for iocConsole access. This account is "password-less" to prevent password-sharing; login access to the account is via SSH keys.
For more detail on SSH and AFS at SLAC, see Secure Shell (SSH) at SLAC and the SLAC AFS Users' Guide.
Adding a New User to the cdioc accountIf a user needs access but does not already have an SSH public/private key pair, the new user must first generate a public RSA key. From the user's AFS unix account, issue the following command and respond to all prompts with a return <CR>.ssh-keygen -t rsa1
Generating public/private rsa key pair.
Enter file in which to save the key:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
The resulting public key will be written to the file 'identity.pub' in the user's .ssh directory.
The resultant key in ~<user_name>/.ssh/identity.pub must be added to the ~cdioc/.ssh/authorized_keys files for both of its AFS and NFS accounts.
- Add the new users' "ssh-key" to the authorized key on cdioc nfs account as follows:
Copy the contents of your ~<user_name>/.ssh/identity.pub file on afs.
Paste the contents at the end of the ~cdioc/.ssh/authorized_keys file on nfs.
For AFS, the owner of the AFS cdioc account, Debbie, Jingchen, Terri, or Lazmo must:
- On an afs host, add the new users' "ssh-key" to the authorized key as follows:
cat ~<user_name>/.ssh/identity.pub >> ~cdioc/.ssh/authorized_keys
Note: Do not edit the cdioc/.ssh/authorized_keys file with emacs because the owner will most likely be modified by the editor. The authorized_keys file will only work if it is owned by cdioc (same with the other security-sensitive files of .forward and .procmailrc). The above cat command leaves cdioc as the owner of authorized_keys but with changed contents. To determine the owner of an AFS "password-less" account use the unix command:
$ ypmatch cdioc passwd
- If the owner needs to do something other than appending new keys to this file (e.g., remove a key), edit a temporary copy of the file and then overwrite the existing file with a command like this:
cat temp-file >! ~cdioc/.ssh/authorized_keys
The new user can now ssh into the cdioc account. From unix:
ssh -l cdioc slcsun1
If you are unable to ssh into the cdioc account check the following:
- Your ssh-key is listed in ~cdioc/.ssh/authorized_keys.
- Your AFS token is valid.
Note: To obtain an AFS token, type klog if it's been over 24 hours since the your last login. Also, once you ssh as cdioc, you retain your own token and not a cdioc token (ie, any files created in cdioc space will be owned by you, not cdioc).
- When adding new custodians, existing owner must:
pts adduser <user_custodian> cdioc:owner-cdioc
pts mem cdioc:owner-cdioc to verify
Make sure the new custodian starts a fresh login (or klog).
- When adding new users to cdioc:cdioc: pts adduser -user <user_name> -group cdioc:cdioc
Again, make sure the new user starts a fresh login (or klog).
- A password is only needed if the job needs to run trscrontab jobs, i.e., jobs that need AFS tokens. Regular cron jobs that only need write access to local or NFS file systems do not require AFS tokens and thus do not need passwords on the role accounts used to run the jobs.
[SLAC Author: Debbie Rogind, 23-Sept-2004
Last Modified: Debbie Rogind, 01-Sept-2005