#6731 BLOC Never A: School server admin access needs improving

Zarro Boogs per Child bugtracker at laptop.org
Thu Mar 20 18:25:29 EDT 2008


#6731: School server admin access needs improving
---------------------------+------------------------------------------------
 Reporter:  wad            |       Owner:  jg            
     Type:  task           |      Status:  new           
 Priority:  blocker        |   Milestone:  Never Assigned
Component:  distro         |     Version:                
 Keywords:  school server  |    Verified:  0             
 Blocking:                 |   Blockedby:                
---------------------------+------------------------------------------------
 The plan of record to provide admin access to the school server is to have
 the school server automatically generate a number of admin passwords, and
 place them in a file.  This file is encrypted with two different public
 keys, an installer person key and a regional key, and published (in a
 number of ways).

 The idea is that the installer and regional public keys are provided to
 the system in the configuration information, and the generated passwords,
 encrypted with those keys, are placed on the same USB key and also
 published on the schoolserver http server in a well known location.

 Eventually, each generated password will only be usable one time.  To
 begin with, they might be long-lived.

 In conjunction with making this change, we need to clean up the sudo file
 and enable remote root login.

 The first piece is a config file loading mechanism.  This is a script, run
 at first boot, which looks in a fixed location (USB key, file on CD, file on
 disk image, HTTP server on LAN) for the config file.  It parses the config
 file and places the obtained information in the right places (running
 additional scripts as needed).

 The other piece is a script, olpc-generate-passwords, which is run later
 in the first boot.  This script generates the xsroot passwords, encrypts
 and publishes them (twice, once with the regional key and once with the
 installer person key).  The publishing is to any mounted USB files, a well
 known location served by apache on the local server (possibly only
 available to the LAN/WLAN), and a push upstream to a well-known server.
 Finally, the script sets up an xsroot account on the school server, and
 provides PAM with the one time password list.

 PAM on the XS needs to be configured to use one of the one-time password
 mechanisms.
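 One way to implement the one-time password list described above, as an
 added example (not OLPC's olpc-generate-passwords script): the server keeps
 only salted hashes of the generated xsroot passwords, each with a "used"
 flag, and a verifier standing in for the PAM module accepts each password at
 most once.  Password length, the PBKDF2 parameters and the store layout are
 assumptions; encrypting the plaintext list to the installer and regional
 keys and publishing it are outside this snippet.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters; the ticket does not specify password format or KDF.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16
PBKDF2_ROUNDS = 50_000


def generate_passwords(count):
    """Generate `count` random one-time passwords for the xsroot account.
    This plaintext list is what would be encrypted to the two public keys
    and published; it is never kept on the server in the clear."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
            for _ in range(count)]


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS).hex()


def build_otp_store(passwords):
    """Server-side list handed to the verifier: salted hash plus a used flag
    per password, so a stolen store does not reveal the passwords."""
    store = []
    for pw in passwords:
        salt = secrets.token_bytes(16)
        store.append({"salt": salt.hex(), "hash": _digest(pw, salt),
                      "used": False})
    return store


def consume_password(store, candidate):
    """Accept `candidate` if it matches an unused entry and mark that entry
    used.  A password that was already consumed is rejected, which is the
    single-use property the ticket asks for.  Comparison is constant-time
    per entry so a correct hash is not leaked by timing."""
    for entry in store:
        if entry["used"]:
            continue
        expected = entry["hash"]
        actual = _digest(candidate, bytes.fromhex(entry["salt"]))
        if hmac.compare_digest(actual, expected):
            entry["used"] = True
            return True
    return False
```

 The store would be written to a root-only file on the XS and the plaintext
 list discarded once it has been encrypted and published.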

-- 
Ticket URL: <http://dev.laptop.org/ticket/6731>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system