Difference between revisions of "Authentication"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Mutantmonkey
(SSH Authentication with Kerberos)
 
(16 intermediate revisions by 6 users not shown)
Line 1: Line 1:
VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is <code>VTLUUG.ORG</code> but may change in the future to something under the vt.edu domain.
+
= VTLUUG =
  
In April 2013, Kerberos authentication on acidburn was forced because a Debian bug required passwords to be sent in plaintext to the LDAP server.
+
VTLUUG uses [[Infrastructure:Chimera|chimera]] as it's FreeIPA server, and all VTLUUG hosts except [[Infrastructure:Joey|joey]], the router, are in its domain.
* If you haven't bothered to find an officer to Kerberize you in the past 6 months, you'll need to come to a meeting to set a new password.
 
* If your account got locked out and you have been Kerberized, email officers@vtluug.org to get it unlocked. We lock inactive accounts in order to reduce the likelihood of accounts with weak passwords getting compromised.
 
  
==MIT Kerberos Client Configuration==
+
== Account maintenance instructions ==
For MIT Kerberos, put this in /etc/krb5.conf:
 
  
[libdefaults]
+
All users can log into [https://chimera.vtluug.org Chimera's FreeIPA web GUI] to edit their account. Yes, it does have a self signed cert. Get over it /s
# default_realm = ATHENA.MIT.EDU
 
default_realm = ECE.VT.EDU
 
 
[realms]
 
# use "kdc = ..." if realm admins haven't put SRV records into DNS
 
ATHENA.MIT.EDU = {
 
admin_server = KERBEROS.MIT.EDU
 
default_domain = MIT.EDU
 
v4_instance_convert = {
 
mit = mit.edu
 
lithium = lithium.lcs.mit.edu
 
}
 
}
 
ANDREW.CMU.EDU = {
 
admin_server = vice28.fs.andrew.cmu.edu
 
}
 
ECE.VT.EDU = {
 
admin_server = auth.ece.vt.edu
 
default_domain = ece.vt.edu
 
kdc = auth.ece.vt.edu
 
}
 
VTLUUG.ORG = {
 
kdc = blade.vtluug.org
 
admin_server = blade.vtluug.org
 
}
 
 
[domain_realm]
 
ece.vt.edu = ECE.VT.EDU
 
.ece.vt.edu = ECE.VT.EDU
 
.mit.edu = ATHENA.MIT.EDU
 
mit.edu = ATHENA.MIT.EDU
 
.media.mit.edu = MEDIA-LAB.MIT.EDU
 
media.mit.edu = MEDIA-LAB.MIT.EDU
 
.ucsc.edu = CATS.UCSC.EDU
 
andrew.cmu.edu = ANDREW.CMU.EDU
 
.andrew.cmu.edu = ANDREW.CMU.EDU
 
.vtluug.org = VTLUUG.ORG
 
vtluug.org = VTLUUG.ORG
 
.luug.ece.vt.edu = VTLUUG.ORG
 
luug.ece.vt.edu = VTLUUG.ORG
 
 
[logging]
 
# kdc = CONSOLE
 
  
==SSH Authentication with Kerberos==
+
For management of the entire domain, officers are able to add, remove, or modify users in any way.
Put this in your ~/.ssh/config:
 
# Kerberos
 
Host *
 
    GSSAPIAuthentication yes
 
    GSSAPIDelegateCredentials yes
 
  
Then you can just <code>kinit user@VTLUUG.ORG</code> and you should be able to <code>ssh user@acidburn.vtluug.org</code> without a password. You can also login to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.
+
== History ==
 +
 
 +
VTLUUG has been was Kerberos and LDAP for authentication until the [[CVL eviction]]. We then migrated to an LDAP only domain due to a lack of IPv6 on behind router.ece.vt.edu. The old Kerberos server was configured to work on IPv6 only, therefore, we were required to migrate away from its use for authentication.
 +
 
 +
With the old deployment, [[Infrastructure:Acidburn|acidburn]] should be acceptable through normal password authentication over ssh. There is no need to configure tickets or anything else Kerberos related.
 +
 
 +
 
 +
= CAS =
 +
 
 +
The '''Virginia Tech Central Authentication System''' or '''CAS''' is the Virginia Tech deployment of the [[Free software|open source]] [[w:Shibboleth (Internet2)|Shibboleth]] authentication system. Shibboleth can be thought of as an identity provider similar to [[w:OpenID|OpenID]], but more centralized, and thus well-liked by institutions such as universities.
 +
 
 +
== Scripted Login ==
 +
The following is a work in progress. Eventually, the following commands should yield a login.
 +
<pre>
 +
$ curl -s -c cookies https://auth.vt.edu/login?service=https://my.vt.edu/Login | sed -nrf sedconf | xargs curl
 +
</pre>
 +
 
 +
The <code>sedconf</code> file's contents are below.
 +
<pre>
 +
/name="lt"/s/.*value="([^"]*).*/-d "lt=\1"/p
 +
/name="_eventId"/s/.*value="([^"]*).*/-d "eventId=\1"/p
 +
/name="submit"/s/.*value="(^")*".*/-d "submit=\1"/p
 +
/action="/s/.*action="([^;]*)[^?]*(\??[^"]*).*/--url "https:\/\/auth.vt.edu\1\2"/p
 +
$a -d "username=bob"
 +
$a -d "password=bubba"
 +
$a -c cookies
 +
</pre>
 +
 
 +
Refer to the [[sed]] and [[curl]] manual pages for details on the various commands that drive this script.
 +
 
 +
=External Links=
 +
* [https://auth.vt.edu VT CAS]
 +
* [http://www.computing.vt.edu/infrastructure_services/cas/index.html Description of CAS]
 +
 
 +
[[Category:Infrastructure]]
 +
[[Category:Scripts]]
 +
[[Category:Campus computing resources]]

Latest revision as of 08:26, 3 January 2019

VTLUUG

VTLUUG uses chimera as it's FreeIPA server, and all VTLUUG hosts except joey, the router, are in its domain.

Account maintenance instructions

All users can log into Chimera's FreeIPA web GUI to edit their account. Yes, it does have a self signed cert. Get over it /s

For management of the entire domain, officers are able to add, remove, or modify users in any way.

History

VTLUUG has been was Kerberos and LDAP for authentication until the CVL eviction. We then migrated to an LDAP only domain due to a lack of IPv6 on behind router.ece.vt.edu. The old Kerberos server was configured to work on IPv6 only, therefore, we were required to migrate away from its use for authentication.

With the old deployment, acidburn should be acceptable through normal password authentication over ssh. There is no need to configure tickets or anything else Kerberos related.


CAS

The Virginia Tech Central Authentication System or CAS is the Virginia Tech deployment of the open source Shibboleth authentication system. Shibboleth can be thought of as an identity provider similar to OpenID, but more centralized, and thus well-liked by institutions such as universities.

Scripted Login

The following is a work in progress. Eventually, the following commands should yield a login.

$ curl -s -c cookies https://auth.vt.edu/login?service=https://my.vt.edu/Login | sed -nrf sedconf | xargs curl

The sedconf file's contents are below.

/name="lt"/s/.*value="([^"]*).*/-d "lt=\1"/p
/name="_eventId"/s/.*value="([^"]*).*/-d "eventId=\1"/p
/name="submit"/s/.*value="(^")*".*/-d "submit=\1"/p
/action="/s/.*action="([^;]*)[^?]*(\??[^"]*).*/--url "https:\/\/auth.vt.edu\1\2"/p
$a -d "username=bob"
$a -d "password=bubba"
$a -c cookies

Refer to the sed and curl manual pages for details on the various commands that drive this script.

External Links