Difference between revisions of "Authentication"

From the Linux and Unix Users Group at Virginia Tech Wiki
imported>Mutantmonkey
(remove krb5.conf stuff because it's unnecessary)
imported>Mjh
(Added maintenance instructions for officers)

Revision as of 01:48, 28 September 2013

VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is VTLUUG.ORG but may change in the future to something under the vt.edu domain.

In April 2013, Kerberos authentication was made mandatory on acidburn because a Debian bug had caused password logins to send the password to the LDAP server in plaintext. If you are unable to log in, you will need to provide sufficient proof of your identity to an officer so that your password can be reset.

SSH Authentication with Kerberos

Put this in your ~/.ssh/config:

# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Then you can just kinit user@VTLUUG.ORG and you should be able to ssh user@acidburn.vtluug.org without a password (after kinit, klist should list a krbtgt/VTLUUG.ORG@VTLUUG.ORG ticket). You can also log in to any machine on our cluster and most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets. Be aware that GSSAPIDelegateCredentials yes forwards your ticket-granting ticket to the server you log in to, so that you can use Kerberos from there (for example to ssh onward to another cluster machine); under Host * it is forwarded to every host you ssh to, so if you use the same config for non-VTLUUG servers, put those two lines under a Host *.vtluug.org stanza instead.
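The following is an added example, not part of the wiki page and not a VTLUUG script. It places the page's stanza next to one that only delegates credentials to VTLUUG hosts, and adds a small lint you can run over your own ~/.ssh/config to catch delegation under a wildcard Host. The *.vtluug.org pattern is an assumption based on acidburn.vtluug.org (if you ssh to cluster machines by short name, list those names as well); the two config strings are constructed for the demo.

```shell
# Added example; not from the VTLUUG wiki. Page's stanza vs. a scoped one,
# plus a lint for GSSAPIDelegateCredentials under a wildcard Host.
# Assumption: VTLUUG hosts all match *.vtluug.org.

# Page's stanza: the TGT is delegated to every host you ssh to.
WEAK_CONFIG='# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Scoped stanza. ssh uses the first value it finds for each option, so the
# specific Host block must come before the wildcard one.
SAFE_CONFIG='# Kerberos
Host *.vtluug.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
'

# lint_delegation: read an ssh_config on stdin. Prints "unsafe" and returns 1
# if GSSAPIDelegateCredentials is enabled in a stanza whose Host patterns
# include a bare "*" (or before any Host line, which also applies everywhere);
# otherwise prints "ok" and returns 0. Keywords are matched case-insensitively,
# as ssh does. Only "Keyword value" lines and Host stanzas are understood;
# "Keyword=value" syntax and Match blocks are not handled.
lint_delegation() {
    awk '
        BEGIN { wildcard = 1; bad = 0 }   # options before any Host apply to all hosts
        tolower($1) == "host" {
            wildcard = 0
            for (i = 2; i <= NF; i++) if ($i == "*") wildcard = 1
            next
        }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" && wildcard { bad = 1 }
        END { print (bad ? "unsafe" : "ok"); exit bad }
    '
}

# Stand-alone demo on the two constructed stanzas.
printf '%s' "$WEAK_CONFIG" | lint_delegation || true   # unsafe
printf '%s' "$SAFE_CONFIG" | lint_delegation            # ok
```

Run it as lint_delegation < ~/.ssh/config. To confirm that Kerberos is actually being used for a login, ssh -v user@acidburn.vtluug.org reports the gssapi-with-mic method, and klist afterwards shows a host/acidburn.vtluug.org@VTLUUG.ORG service ticket next to the krbtgt entry.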

Account maintenance instructions

These instructions are for people in the "officers" group; normal members cannot modify accounts.

New account creation

On acidburn:

  • sudo kinit your_user@VTLUUG.ORG
  • ldapsearch | grep uidNumber | sort -t: -k2 -n (find the lowest unused uidNumber in the 1000-range and use that; sort numerically on the value, because a plain sort orders 999 after 1000 and 10000 before 1001)
  • sudo /home/mutantmonkey/vtluug-scripts/ldap/adduser.py

On blade:

  • sudo kadmin.local
    • addprinc username@VTLUUG.ORG
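The following is an added example, not one of the VTLUUG scripts. It automates the two steps of the procedure above that are easy to get wrong by hand: picking the uidNumber from ldapsearch output, and creating the principal on blade without clobbering an existing one. Assumptions: "1000-range" means 1000-1999, login names are lower-case POSIX names, the realm is VTLUUG.ORG as on the page, and the LDIF sample is constructed, not real directory data.

```shell
# Added example; not one of the VTLUUG scripts.
# Assumptions: uid range 1000-1999, lower-case POSIX login names, realm below.
REALM=VTLUUG.ORG

# valid_username NAME: 0 if NAME is a plain login name (lower-case letter or
# underscore, then letters, digits, _ or -). Rejects anything that could
# smuggle extra LDIF lines or kadmin syntax into the commands below.
valid_username() {
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# next_free_uid [MIN] [MAX]: read ldapsearch output on stdin and print the
# lowest uidNumber in [MIN, MAX] (default 1000-1999) that no entry uses.
# Returns 1 when the range is full. Unlike "grep uidNumber | sort", this
# compares numerically, so 999 and 10000 cannot land between 1000 and 1001.
next_free_uid() {
    awk -v min="${1:-1000}" -v max="${2:-1999}" '
        $1 == "uidNumber:" { used[$2 + 0] = 1 }
        END {
            for (u = min; u <= max; u++)
                if (!(u in used)) { print u; exit 0 }
            print "no free uidNumber in " min "-" max > "/dev/stderr"
            exit 1
        }
    '
}

# create_principal NAME: on blade, add NAME@REALM with kadmin.local, refusing
# if it already exists (getprinc prints "Principal: NAME@REALM" when it does).
create_principal() {
    valid_username "$1" || { echo "bad username: $1" >&2; return 1; }
    if kadmin.local -q "getprinc $1" 2>/dev/null | grep -q "^Principal: $1@$REALM\$"; then
        echo "$1@$REALM already exists" >&2
        return 1
    fi
    kadmin.local -q "addprinc $1@$REALM"
}

# Constructed sample of ldapsearch output (not real data): 1002 is free.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=vtluug,dc=org
uidNumber: 1000

dn: uid=bob,ou=People,dc=vtluug,dc=org
uidNumber: 1001

dn: uid=carol,ou=People,dc=vtluug,dc=org
uidNumber: 1003

dn: uid=svc,ou=People,dc=vtluug,dc=org
uidNumber: 999
'

# Stand-alone demo: prints 1002, the gap between bob and carol.
printf '%s' "$SAMPLE_LDIF" | next_free_uid
```

On acidburn, after sudo kinit as above, the real input is ldapsearch -LLL 'uidNumber=*' uidNumber | next_free_uid (the function also accepts the full, unfiltered ldapsearch output, since it only looks at uidNumber: lines); feed the result to adduser.py as on the page. On blade, create_principal username replaces the interactive kadmin.local session; addprinc will still prompt for the initial password.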

Viewing user information

This could be useful for debugging:

  • kinit
  • ldapsearch uid=username
  • kadmin.local (only on blade)
    • getprinc username

Changing user shell

On acidburn or blade:

  • kinit
  • ldapmodify <<EOF, then paste the following LDIF, including the - line and the closing EOF (kinit first, because ldapmodify authenticates to the directory with your Kerberos ticket):
dn: uid=username,ou=People,dc=vtluug,dc=org
changetype: modify
replace: loginShell
loginShell: /usr/bin/zsh
-
EOF
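The following is an added example, not one of the VTLUUG scripts. It generates the ldapmodify input above from arguments instead of a hand-typed heredoc and adds two checks the heredoc does not make: the username must be a plain lower-case POSIX login name (a name containing a newline or a comma would otherwise inject extra LDIF lines or extra DN components), and the shell must be an absolute path listed in /etc/shells on the host you run it from. The base DN ou=People,dc=vtluug,dc=org is taken from the page; the lower-case username rule is an assumption.

```shell
# Added example; not one of the VTLUUG scripts. Generates and applies the
# loginShell change from the page with input validation.
BASE_DN='ou=People,dc=vtluug,dc=org'   # from the page's dn line

# shell_ldif NAME SHELL: print the modify LDIF for NAME's loginShell.
# Prints nothing and returns 1 on bad input. NAME must be a lower-case POSIX
# login name; SHELL an absolute path of ordinary path characters (no newline,
# so neither argument can add lines to the LDIF or components to the DN).
shell_ldif() {
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) echo "bad username: $1" >&2; return 1 ;;
    esac
    case $2 in
        ''|[!/]*|*[!A-Za-z0-9/_.-]*) echo "bad shell path: $2" >&2; return 1 ;;
    esac
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n-\n' \
        "$1" "$BASE_DN" "$2"
}

# shell_listed SHELL: 0 if SHELL is a whole line of /etc/shells (-F: literal
# match, -x: whole line), so a typo like /usr/bin/zhs is caught before it is
# written to the directory.
shell_listed() {
    grep -qxF -- "$1" /etc/shells 2>/dev/null
}

# change_shell NAME SHELL: validate, then apply with ldapmodify. Needs a
# Kerberos ticket from kinit first, as on the page.
change_shell() {
    shell_listed "$2" || { echo "$2 is not in /etc/shells" >&2; return 1; }
    shell_ldif "$1" "$2" | ldapmodify
}

# Stand-alone demo: prints the same LDIF as the page's heredoc for alice.
shell_ldif alice /usr/bin/zsh
```

Use change_shell username /usr/bin/zsh after kinit. To see what would be sent without changing anything, pipe into ldapmodify -n instead: shell_ldif username /usr/bin/zsh | ldapmodify -n. Afterwards, ldapsearch uid=username loginShell confirms the new value.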