The Zone Cell Challenge by Evan B. '10

There are lots of things I should have been doing this weekend. There’s the 8 page draft paper that was due today. Or the 6.004 lab where I have to program a Turing machine – it’s due Thursday. Or the revision of my design project which is due on Thursday (I actually still don’t know what design I’m going to write up). Or either of the psets in my other two classes which are both due on Friday.

Yes, the weeks before Spring Break tend to suck. Like, not just your average suck. They tend to really suck. And with that much suck, I should have spent all weekend tooling and doing nothing else.

But of course that’s never how it works.

Last weekend, I took the Zone Cell Challenge.

Now, this is going to require a little background. Actually, there’s quite a bit of background. Back In The Day, the MIT I/S Department (now IS&T) hired student developers to basically help build Athena. They were called the Watchmakers, based on a book by Niven & Pournell (there’s a page that explains the metaphor). The Watchmakers worked in the Watchmaker Zone, and to help them test, debug, and generally try to break the technologies they were developing, I/S donated three servers, which formed the ZONE Kerberos realm and the zone AFS cell.

Ok…I guess I should take another step back and quickly explain Kerberos and AFS. Kerberos, named after the three-headed dog guard of Hades (usually seen as the Latin Cerberus), is a protocol for mutual authentication of a client and server through a trusted third party. Basically, you can prove who you are to other computers on the network, and your password never has to cross the network unencrypted. This works because there’s a single machine that all other computers on the network trust, called the KDC. Kerberos is broken up into “realms,” which represent distinct sets of users and servers. The normal realm here on campus is the ATHENA.MIT.EDU realm, but there are also the CSAIL.MIT.EDU, MEDIA-LAB.MIT.EDU, and NUMENOR.MIT.EDU realms.

AFS is the Andrew File System. Developed at Carnegie Mellon, AFS is a network accessible file system. It’s a way of accessing your files from any computer on the Athena network. AFS is broken up into “cells,” and there are many more AFS cells than there are Kerberos realms. Like Kerberos, there is an athena.mit.edu cell. There are also csail.mit.edu and numenor.mit.edu cells. However, there is additionally, for example, the sipb.mit.edu cell, run by the SIPB. This allows SIPB to maintain its own servers and software and allocate quotas without having to go through the Athena maintainers.

So…in addition to all of those cells and realms, there’s the lesser known Zone Cell, made up of three servers (remember – they’re for the Watchmakers): casio, seiko, and timex. If you look in the Zone Cell, you’ll see a series of very explicit rules. I’ll copy some of the better ones:

1. The Zone Cell is not for reliable data storage.
2. The Zone Cell is not for reliable data storage. (in case you missed it the first time)
9. ASO reserves the right to remove someone’s zone cell bits. Reasons
   this may be done include: […] gratuitously compromising the security of the zone cell
   or zone kerberos realm, or intentionally causing Rule 1, 2, or 10 to
   become relevant. […]
10. The zone cell is not for reliable data storage.
11. The zone cell is not for reliable data access.

So…now that we’ve established the reliability of the Zone Cell, what is the Zone Cell Challenge?

The Zone Cell Challenge is an event that is usually for people interested in becoming SIPB AFS administrators. It’s designed to help people become more familiar with how AFS and Kerberos work.

In the Zone Cell Challenge, you start with root access to one of the three Zone Cell servers, and you have to accomplish three things. First, you have to give yourself root access to the other two Zone Cell servers. Second, you have to make yourself an administrator of the Zone AFS Cell (which is different from having root access on the servers!). Finally, you have to make yourself an admin of the Zone Kerberos Realm, which gives you permission to change other people’s passwords or create new accounts.

It actually turns out that none of these tasks are particularly challenging if you read the right documentation. And since I was interested in learning more about how to administer AFS, I signed up for the Challenge on Friday night. And at about 3:45 AM, I actually started trying to hack the Zone Cell in earnest.

The first part is easy, once you find the right command. It took me about 30 minutes to gain root access on all three servers.

And then, almost immediately after I had logged in to all three to make sure it worked, all of them froze. And they stopped pinging.

Well…crud. What did I screw up?

Well, fortunately, I didn’t screw anything up. The Zone Cell servers had been moved to virtual machines, and all of the virtual machines on one server froze, including casio, seiko, and timex. Fortunately, there were other VMs on that machine that people cared about, and one of the Athena server maintainers brought the servers back up.

One task down, two to go.

Before about 6 AM I managed to finish the second task – making myself an administrator of the Kerberos realm. I went to sleep, and when I woke up, I spent a couple of hours on the last task. The last task was also a little entertaining. I had a theory of how to make myself an AFS administrator, but I was worried that I would screw up the AFS users database. So I asked on the zone-cell zephyr class (kind of like a chatroom)

Me: Ok. I think I know what I want to do […], but I’d like to check and make sure I’m not going to screw it up before I try. Anyone around?

Someone from Athena server ops: I think you should just risk breaking it. At worse, you’ll just have to fix it after the fact

Well…ok? I guess I’ll just back up the files I’m modifying…

Anyway, I can’t really say much more, because where’s the fun in saying what I did? But in any case, hacking other people’s servers with permission is a really fun way to spend a weekend.

But I guess I should go back to tooling now…