Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ENH: prepare PLC for pmpsdb_client #19

Merged
merged 1 commit into from
Mar 26, 2024
Merged

ENH: prepare PLC for pmpsdb_client #19

merged 1 commit into from
Mar 26, 2024

Conversation

ZLLentz
Copy link
Member

@ZLLentz ZLLentz commented Mar 19, 2024
edited
Loading

Description

Adds in four ansible tasks intended for making PLCs ready for use by the pmpsdb_client.
The tasks are as follows:

  • Create the non-admin "ecs-user" user
  • Configure sshd for password access
  • Reload the sshd service to pick up the new config
  • Verify that ssh still works

Creating this user can be disabled (and is disabled by default for vms), and it can also be customized to create a different user. The user can be removed later.

Even if the user is created, there must be a manual step to set its password, which ansible does not let you set via file-based plaintext. So, in no cases is a usable automatic extra login created.

This is related to:
pcdshub/lcls-twincat-motion#215
pcdshub/pmpsdb_client#25

Motivation and Context

  • The non-admin user will be used for PLC configuration tasks that do not need elevated permissions.
  • Reading and writing the PMPS database file does not need elevated permissions, allowing non-experts to be able to do it without needing access to the admin password and through application software.
  • Python's ssh libraries (fabric/paramiko/intake) behave much better with "password" auth enabled (as opposed to only "KeyboardInteractive" (password) auth, which is what is enabled by default). Functionally, the two of these are the same from the user perspective as implement by the TcBSD OS.

How Has This Been Tested?

Interactively with my test PLC

Where Has This Been Documented?

https://confluence.slac.stanford.edu/display/PCDS/TcBSD+Ansible+Workflows#TcBSDAnsibleWorkflows-Playbook.1

Pre-merge checklist

@ZLLentz ZLLentz mentioned this pull request Mar 22, 2024
Merged
5 tasks
@ZLLentz ZLLentz changed the title WIP: various steps to prepare PLC for pmpsdb_client ENH: prepare PLC for pmpsdb_client Mar 22, 2024
@ZLLentz ZLLentz mentioned this pull request Mar 22, 2024
Merged
6 tasks
@ZLLentz
Copy link
Member Author

ZLLentz commented Mar 22, 2024

This also is ready for review, will ask for reviewers on Monday

@ZLLentz ZLLentz marked this pull request as ready for review March 22, 2024 23:15
@ZLLentz ZLLentz requested review from ghalym and nrwslac March 25, 2024 16:56
nrwslac
nrwslac reviewed Mar 25, 2024
View reviewed changes
tcbsd-provision-playbook.yaml
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
line: "PasswordAuthentication yes"
insertafter: "^#PasswordAuthentication"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the carrot here in on purpose? @ZLLentz

Copy link
Member Author

@ZLLentz ZLLentz Mar 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This field is actually a regex, and the ^ indicates the start of a line.
So, ansible reads this as "find a line that starts with #PasswordAuthentication, then put PasswordAuthentication yes on the next line if it isn't already there."

The context is that the sshd config file looks like this, with all default values included as comments, and I wanted to put this new config line in a reasonable/known place instead of just at the end of the file.

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

And then, after ansible runs here:

<snip>
# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
#PasswordAuthentication no
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes
<snip>

When doing this interactively you'd usually uncomment the line and and change "no" to "yes" but doing it like I've done here is simpler for the script and is easier to revert.

nrwslac
nrwslac approved these changes Mar 25, 2024
View reviewed changes
Copy link

@nrwslac nrwslac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left one comment. If that's normal lgtm.

@ZLLentz ZLLentz merged commit 8496758 into pcdshub:master Mar 26, 2024
1 check passed
@ZLLentz ZLLentz deleted the enh_pmpsdb_client branch March 26, 2024 20:02
@ZLLentz ZLLentz mentioned this pull request Mar 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nrwslac nrwslac nrwslac approved these changes

@ghalym ghalym Awaiting requested review from ghalym

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ZLLentz @nrwslac