Difference between revisions of "Authentication"

From the Linux and Unix Users Group at Virginia Tech Wiki
imported>Mjh
(Added maintenance instructions for officers)
imported>Uncurlhalo
Line 1: Line 1:
VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is <code>VTLUUG.ORG</code> but may change in the future to something under the vt.edu domain.
+
VTLUUG has been was Kerberos and LDAP for authentication until the [[CVL eviction]]. We have now migrated to an LDAP only domain due to a lack of IPv6 on behind router.ece.vt.edu. The old Kerberos server was configured to work on IPv6 only therefore we were required to migrate away from its use for authentication.
  
In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you are unable to login, you'll need to provide sufficient proof of your identity to an officer so your password can be reset.
+
With the current deployment acidburn should be acceptable through normal password authentication over ssh. There is no need to configure tickets or anything else Kerberos related.
 
 
==SSH Authentication with Kerberos==
 
Put this in your ~/.ssh/config:
 
# Kerberos
 
Host *
 
    GSSAPIAuthentication yes
 
    GSSAPIDelegateCredentials yes
 
 
 
Then you can just <code>kinit user@VTLUUG.ORG</code> and you should be able to <code>ssh user@acidburn.vtluug.org</code> without a password. You can also login to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.
 
  
 
==Account maintenance instructions==
 
==Account maintenance instructions==
These instructions are for people in the "officers" group; normal members aren't able to mess with accounts.
+
All users will be able to use standard shell commands (such as chsh) to change attributes of their own account. Additionally they can make direct requests to the LDAP server (razor.vtluug.org) using ldapmodify and .ldif files to change attributes as well. Explaining .ldif files and ldapmodify is beyond the scope of this article.
===New account creation===
 
On acidburn:
 
* <code>sudo kinit your_user@VTLUUG.ORG</code>
 
* <code>ldapsearch | grep uidNumber | sort </code> (find the lowest unused uidNumber in the 1000-range and use that)
 
* <code>sudo /home/mutantmonkey/vtluug-scripts/ldap/adduser.py</code>
 
 
 
On blade:
 
<code>
 
* sudo kadmin.local
 
** addprinc username@VTLUUG.ORG
 
</code>
 
 
 
===Viewing user information===
 
This could be useful for debugging:
 
* <code>kinit</code>
 
* <code>ldapsearch uid=username</code>
 
* <code>kadmin.local</code> (only on blade)
 
** <code>getprinc username</code>
 
  
===Changing user shell===
+
For management of the entire domain officers who know the LDAP root users credentials will be able to log in to the LDAP Administrator web application running on razor.vtluug.org. Information on this is really only shared on a need to know basis between officers, and the content is not entirely appropriate for a public wiki.
On acidburn or blade:
 
* <code>kinit</code>
 
* <code>ldapmodify <<EOF </code> and input this:
 
dn: uid=username,ou=People,dc=vtluug,dc=org
 
changetype: modify
 
replace: loginShell
 
loginShell: /usr/bin/zsh
 
-
 
EOF
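Review bot: the change drops Kerberos (the new first paragraph says the domain is now LDAP-only and that acidburn is reached with plain password authentication over ssh) but leaves every Kerberos-dependent step on the page: the "SSH Authentication with Kerberos" section, the April 2013 paragraph, `sudo kinit your_user@VTLUUG.ORG` and the `kadmin.local` / `addprinc username@VTLUUG.ORG` step on blade under account creation, and the bare `kinit` step that opens both the "Viewing user information" and "Changing user shell" procedures. Either mark those as historical or replace the `kinit` step with an explicit bind against razor.vtluug.org; as written, an officer following the page fails at step one. The April 2013 paragraph also records why Kerberos was forced in the first place, a Debian bug that sent passwords to the LDAP server in plaintext; since the new setup returns to password authentication against LDAP, the new text should say how passwords on the acidburn-to-razor path are protected now, instead of leaving the old warning next to the new instructions. Smaller points: "VTLUUG has been was Kerberos" and "on behind router.ece.vt.edu" in the new first paragraph need rewording, and the new paragraph about the LDAP Administrator web application is inserted between the "===Changing user shell===" heading and "On acidburn or blade:", splitting that procedure; it belongs with the other officer paragraph directly under "==Account maintenance instructions==".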
 

Revision as of 02:20, 10 February 2016

VTLUUG used Kerberos and LDAP for authentication until the CVL eviction. We have now migrated to an LDAP-only domain because there is no IPv6 behind router.ece.vt.edu. The old Kerberos server was configured to work over IPv6 only, so we had to migrate away from it for authentication.

With the current deployment, acidburn should be accessible through normal password authentication over SSH. There is no need to configure tickets or anything else Kerberos-related.

Account maintenance instructions

All users can use standard shell commands (such as chsh) to change attributes of their own account. They can also send requests directly to the LDAP server (razor.vtluug.org) using ldapmodify and .ldif files to change attributes. Explaining .ldif files and ldapmodify is beyond the scope of this article.
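As an added example (not from the wiki), here are the checks that chsh performs but a hand-written .ldif sent straight to ldapmodify skips: the code parses a modify record in the shape this page uses for loginShell, then confirms the record targets the caller's own entry and names a shell the login host actually lists, since a typo in a direct LDAP change can lock the account out. The sample LDIF and the list standing in for /etc/shells are constructed.

```python
# Constructed sample in the shape the wiki's "Changing user shell" step
# feeds to ldapmodify; the '-' line closes the replace block.
SAMPLE_LDIF = """dn: uid=username,ou=People,dc=vtluug,dc=org
changetype: modify
replace: loginShell
loginShell: /usr/bin/zsh
-
"""
# Constructed stand-in for /etc/shells on the login host: chsh checks the
# real file before accepting a shell, a direct ldapmodify does not.
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}

def parse_modify_ldif(text):
    """Parse one LDIF change record into (dn, changetype, {attr: [values]})."""
    dn = changetype = current = None
    mods = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line == "-":  # end of the current replace/add/delete block
            current = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            changetype = value
        elif key in ("replace", "add", "delete"):
            current = value
            mods.setdefault(current, [])
        elif current is not None and key == current:
            mods[current].append(value)
        else:
            raise ValueError("unexpected LDIF line: %r" % line)
    if dn is None or changetype is None:
        raise ValueError("record lacks dn or changetype")
    return dn, changetype, mods

def check_login_shell(text, own_uid, valid_shells=VALID_SHELLS):
    """Return the problems chsh would have caught; an empty list means OK."""
    dn, changetype, mods = parse_modify_ldif(text)
    problems = []
    # Self-service means a modify record that touches only your own entry.
    if changetype != "modify" or not dn.lower().startswith("uid=%s," % own_uid.lower()):
        problems.append("record does not modify your own entry: %s" % dn)
    for shell in mods.get("loginShell", []):
        if shell not in valid_shells:
            problems.append("%s is not listed in /etc/shells" % shell)
    return problems
```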

For management of the entire domain, officers who know the LDAP root user's credentials can log in to the LDAP Administrator web application running on razor.vtluug.org. Information on this is shared only on a need-to-know basis between officers, and the content is not appropriate for a public wiki.