Difference between revisions of "Authentication"

From the Linux and Unix Users Group at Virginia Tech Wiki
imported>Mutantmonkey
imported>Mutantmonkey
(remove krb5.conf stuff because it's unnecessary)
Line 2: Line 2:
  
 
In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you are unable to login, you'll need to provide sufficient proof of your identity to an officer so your password can be reset.
 
In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you are unable to login, you'll need to provide sufficient proof of your identity to an officer so your password can be reset.
 
==MIT Kerberos Client Configuration==
 
For MIT Kerberos, put this in /etc/krb5.conf:
 
 
[libdefaults]
 
# default_realm = ATHENA.MIT.EDU
 
default_realm = ECE.VT.EDU
 
 
[realms]
 
# use "kdc = ..." if realm admins haven't put SRV records into DNS
 
ATHENA.MIT.EDU = {
 
admin_server = KERBEROS.MIT.EDU
 
default_domain = MIT.EDU
 
v4_instance_convert = {
 
mit = mit.edu
 
lithium = lithium.lcs.mit.edu
 
}
 
}
 
ANDREW.CMU.EDU = {
 
admin_server = vice28.fs.andrew.cmu.edu
 
}
 
ECE.VT.EDU = {
 
admin_server = auth.ece.vt.edu
 
default_domain = ece.vt.edu
 
kdc = auth.ece.vt.edu
 
}
 
VTLUUG.ORG = {
 
kdc = blade.vtluug.org
 
admin_server = blade.vtluug.org
 
}
 
 
[domain_realm]
 
ece.vt.edu = ECE.VT.EDU
 
.ece.vt.edu = ECE.VT.EDU
 
.mit.edu = ATHENA.MIT.EDU
 
mit.edu = ATHENA.MIT.EDU
 
.media.mit.edu = MEDIA-LAB.MIT.EDU
 
media.mit.edu = MEDIA-LAB.MIT.EDU
 
.ucsc.edu = CATS.UCSC.EDU
 
andrew.cmu.edu = ANDREW.CMU.EDU
 
.andrew.cmu.edu = ANDREW.CMU.EDU
 
.vtluug.org = VTLUUG.ORG
 
vtluug.org = VTLUUG.ORG
 
.luug.ece.vt.edu = VTLUUG.ORG
 
luug.ece.vt.edu = VTLUUG.ORG
 
 
[logging]
 
# kdc = CONSOLE
 
  
 
==SSH Authentication with Kerberos==
 
==SSH Authentication with Kerberos==
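Review bot: the removed [realms] section is the only place the page gave "kdc = blade.vtluug.org" and "admin_server = blade.vtluug.org" for VTLUUG.ORG, and the removed comment itself says "kdc = ..." is needed when the realm admins have not put SRV records into DNS. The edit summary calls the section unnecessary, but after this change the page no longer says how a client locates the KDC. Suggest either stating in one sentence that KDC discovery for VTLUUG.ORG relies on DNS SRV records (if that is the case), or keeping only the VTLUUG.ORG stanza and the vtluug.org [domain_realm] mappings while still dropping the unrelated ATHENA.MIT.EDU, ANDREW.CMU.EDU and ECE.VT.EDU entries.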

Revision as of 05:31, 2 May 2013

VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is VTLUUG.ORG but may change in the future to something under the vt.edu domain.

In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you are unable to log in, you'll need to provide sufficient proof of your identity to an officer so your password can be reset.

==SSH Authentication with Kerberos==

Put this in your ~/.ssh/config:

# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Then you can just kinit user@VTLUUG.ORG and you should be able to ssh user@acidburn.vtluug.org without a password. You can also log in to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.
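Because the block above is under Host *, both GSSAPI options apply to every host you connect to, and GSSAPIDelegateCredentials forwards your ticket to the server. The script below is an added example, not part of the wiki page: it classifies a host from the effective settings that ssh -G reports. The function names and ALLOWED_SUFFIX are assumptions, and example.net is a constructed outside host.

```shell
#!/bin/sh
# Added example: report whether ssh would delegate Kerberos credentials to a host.
# ALLOWED_SUFFIX is an assumption: the only domain that should receive a delegated ticket.
ALLOWED_SUFFIX="${ALLOWED_SUFFIX:-.vtluug.org}"

# Read `ssh -G <host>` output on stdin and print the value of one option
# (ssh -G prints option names in lowercase), or "no" if the option is absent.
gss_option() {
    awk -v key="$1" '$1 == key { v = $2 } END { print (v == "" ? "no" : v) }'
}

# Classify a host from its effective settings.
# $1 = host name, $2 = text of `ssh -G <host>`
delegation_verdict() {
    host=$1
    auth=$(printf '%s\n' "$2" | gss_option gssapiauthentication)
    deleg=$(printf '%s\n' "$2" | gss_option gssapidelegatecredentials)
    if [ "$auth" != "yes" ]; then
        echo "password-or-key"          # GSSAPI is not attempted for this host
    elif [ "$deleg" != "yes" ]; then
        echo "gssapi-no-delegation"     # Kerberos login, ticket stays local
    else
        case "$host" in
            *"$ALLOWED_SUFFIX") echo "delegation-expected" ;;
            *)                  echo "delegation-unexpected" ;;
        esac
    fi
}

# Audit real hosts with the local ssh client, e.g.:
#   audit_hosts acidburn.vtluug.org some.other.host
audit_hosts() {
    for h in "$@"; do
        printf '%s\t%s\n' "$h" "$(delegation_verdict "$h" "$(ssh -G "$h")")"
    done
}

# Constructed sample of what `ssh -G` reports when the page's `Host *` block applies.
SAMPLE='gssapiauthentication yes
gssapidelegatecredentials yes'
delegation_verdict example.net "$SAMPLE"
delegation_verdict acidburn.vtluug.org "$SAMPLE"
```

Narrowing the Host pattern in ~/.ssh/config to the cluster's own names limits where these two options apply, unless a system-wide ssh_config sets them as well.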