-Server side implementation of BMC config host based authentication

git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2088 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
This commit is contained in:
jbjohnso 2008-09-06 22:41:48 +00:00
parent 9c1ce3d91c
commit 45e3290cae

View File

@ -3,6 +3,7 @@ package xCAT_plugin::bmcconfig;
use Data::Dumper;
use xCAT::Table;
use xCAT::MsgUtils;
use IO::Select;
use Socket;
sub handled_commands {
@ -51,11 +52,42 @@ sub net_parms {
}
sub ok_with_node {
my $node = shift;
#Here we connect to the node on a privileged port (in the clear) and ask the
#node if it just asked us for credential. It's convoluted, but it is
#a convenient way to see if root on the ip has approved requests for
#credential retrieval. Given the nature of the situation, it is only ok
#to assent to such requests before users can log in. During postscripts
#stage in stateful nodes and during the rc scripts of stateless boot
my $select = new IO::Select;
#sleep 0.5; # gawk script race condition might exist, try to lose just in case
my $sock = new IO::Socket::INET(PeerAddr=>$node,
Proto => "tcp",
PeerPort => shift);
my $rsp;
unless ($sock) {return 0};
$select->add($sock);
print $sock "CREDOKBYYOU?\n";
unless ($select->can_read(5)) { #wait for data for up to five seconds
return 0;
}
my $response = <$sock>;
chomp($response);
if ($response eq "CREDOKBYME") {
return 1;
}
return 0;
}
sub process_request {
my $request = shift;
my $callback = shift;
my $node = $request->{'_xcat_clienthost'}->[0];
unless (ok_with_node($node,300)) {
$callback->({error=>["Unable to prove root on your IP approves of this request"],errorcode=>[1]});
return;
}
my $sitetable = xCAT::Table->new('site');
my $ipmitable = xCAT::Table->new('ipmi');
my $passtable = xCAT::Table->new('passwd');