VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is <code>VTLUUG.ORG</code> but may change in the future to something under the vt.edu domain.
In April 2013, Kerberos authentication was made mandatory on acidburn.
* If you haven't bothered to find an officer to Kerberize you in the past 6 months, you'll need to come to a meeting to set a new password.
* If your account got locked out and you have been Kerberized, email officers@vtluug.org to get it unlocked. We lock inactive accounts in order to reduce the likelihood of accounts with weak passwords getting compromised.
==MIT Kerberos Client Configuration==
For MIT Kerberos, put this in <code>/etc/krb5.conf</code>:
<pre>
[libdefaults]
#   default_realm = ATHENA.MIT.EDU
    default_realm = ECE.VT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
    ATHENA.MIT.EDU = {
        admin_server = KERBEROS.MIT.EDU
        default_domain = MIT.EDU
        v4_instance_convert = {
            mit = mit.edu
            lithium = lithium.lcs.mit.edu
        }
    }
    ANDREW.CMU.EDU = {
        admin_server = vice28.fs.andrew.cmu.edu
    }
    ECE.VT.EDU = {
        admin_server = auth.ece.vt.edu
        default_domain = ece.vt.edu
        kdc = auth.ece.vt.edu
    }
    VTLUUG.ORG = {
        kdc = blade.vtluug.org
        admin_server = blade.vtluug.org
    }

[domain_realm]
    ece.vt.edu = ECE.VT.EDU
    .ece.vt.edu = ECE.VT.EDU
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .ucsc.edu = CATS.UCSC.EDU
    andrew.cmu.edu = ANDREW.CMU.EDU
    .andrew.cmu.edu = ANDREW.CMU.EDU
    .vtluug.org = VTLUUG.ORG
    vtluug.org = VTLUUG.ORG
    .luug.ece.vt.edu = VTLUUG.ORG
    luug.ece.vt.edu = VTLUUG.ORG

[logging]
#   kdc = CONSOLE
</pre>
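Two things in this file decide what happens when you type <code>kinit</code> and <code>ssh</code>: <code>default_realm</code> (here <code>ECE.VT.EDU</code>, which is why the page tells you to spell out <code>user@VTLUUG.ORG</code> rather than a bare username), and the <code>[domain_realm]</code> suffix table that maps a server's hostname to the realm whose ticket the client asks for. The script below is an added example, not from the VTLUUG wiki: it reads a constructed krb5.conf with the same shape as the one above and answers "which realm does this host map to, and which KDC serves it", mimicking libkrb5's lookup order (exact hostname first, then parent domains with a leading dot, most specific first). The <code>EXAMPLE.TEST</code> realm and its hosts are invented to exercise nested blocks and multiple <code>kdc</code> lines.

```shell
#!/bin/sh
# Added example, not from the VTLUUG wiki: answer "which realm does this host
# belong to, and which KDC will libkrb5 talk to?" from a krb5.conf, before
# running kinit/ssh. The parsing mimics libkrb5's [domain_realm] and [realms]
# handling for the common cases; the sample config below is constructed.

KRB5_SAMPLE=$(mktemp)
trap 'rm -f "$KRB5_SAMPLE"' EXIT
cat > "$KRB5_SAMPLE" <<'EOF'
[libdefaults]
    default_realm = ECE.VT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
    ECE.VT.EDU = {
        admin_server = auth.ece.vt.edu
        default_domain = ece.vt.edu
        kdc = auth.ece.vt.edu
    }
    VTLUUG.ORG = {
        kdc = blade.vtluug.org
        admin_server = blade.vtluug.org
    }
    EXAMPLE.TEST = {
        nested_block = {
            key = value
        }
        kdc = kdc1.example.test
        kdc = kdc2.example.test
    }

[domain_realm]
    ece.vt.edu = ECE.VT.EDU
    .ece.vt.edu = ECE.VT.EDU
    .vtluug.org = VTLUUG.ORG
    vtluug.org = VTLUUG.ORG
    .luug.ece.vt.edu = VTLUUG.ORG
    luug.ece.vt.edu = VTLUUG.ORG
EOF

# Print default_realm from [libdefaults]: the realm kinit uses when you give a
# bare principal such as "kinit user" instead of "kinit user@VTLUUG.ORG".
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]+/, "", section); next }
        section == "[libdefaults]" && $1 == "default_realm" && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print the realm for one exact [domain_realm] key (e.g. ".vtluug.org"), or nothing.
krb5_domain_realm_lookup() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]+/, "", section); next }
        section == "[domain_realm]" && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Map a hostname to its realm: try the exact name first, then each parent
# domain with a leading dot, most specific first, so ".luug.ece.vt.edu" wins
# over ".ece.vt.edu" for hosts under luug.ece.vt.edu.
krb5_realm_for_host() {
    conf=$1; host=$2
    realm=$(krb5_domain_realm_lookup "$conf" "$host")
    rest=$host
    while [ -z "$realm" ] && [ "$rest" != "${rest#*.}" ]; do
        rest=${rest#*.}                                  # drop the leftmost label
        realm=$(krb5_domain_realm_lookup "$conf" ".$rest")
    done
    printf '%s\n' "$realm"
}

# Print every "kdc = host" inside a realm's [realms] block, one per line.
# Brace depth is tracked so a nested sub-block (like v4_instance_convert in the
# page's config) does not end the realm block early.
krb5_kdcs_for_realm() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]+/, "", section); depth = 0; next }
        section != "[realms]" || /^[[:space:]]*#/ { next }
        depth == 0 && $1 == realm && $2 == "=" && $3 == "{" { depth = 1; next }
        depth == 0 { next }
        {
            if (depth == 1 && $1 == "kdc" && $2 == "=") print $3
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        }
    ' "$1"
}

# Stand-alone usage: where would a ticket for acidburn come from?
host=acidburn.vtluug.org
realm=$(krb5_realm_for_host "$KRB5_SAMPLE" "$host")
echo "default realm: $(krb5_default_realm "$KRB5_SAMPLE")"
echo "$host -> realm $realm, KDC(s): $(krb5_kdcs_for_realm "$KRB5_SAMPLE" "$realm" | tr '\n' ' ')"
```

Point it at the real file (<code>krb5_realm_for_host /etc/krb5.conf acidburn.vtluug.org</code>) to confirm a host lands in the realm you expect before blaming the KDC; a hostname that maps to no realm, or to the wrong one, is the usual reason GSSAPI silently falls back to a password prompt.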
==SSH Authentication with Kerberos==
Put this in your <code>~/.ssh/config</code>:
<pre>
# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
#   GSSAPIStrictAcceptorCheck = no
    ServerAliveInterval 60
</pre>
Then you can just run <code>kinit user@VTLUUG.ORG</code> and you should be able to <code>ssh user@acidburn.vtluug.org</code> without a password. You can also log in to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.
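<code>GSSAPIDelegateCredentials yes</code> under <code>Host *</code> is what makes the onward hops work (the TGT is forwarded to the server you log in to), but it also forwards your TGT to every server you ever ssh to, and any of them can then act as you until the ticket expires. The script below is an added example, not from the VTLUUG wiki: it audits an ssh_config for which <code>Host</code> blocks turn delegation on and flags the case where it applies to all hosts, using the page's config as the wide case beside a constructed narrowed one that delegates only to hosts under the realm's domains.

```shell
#!/bin/sh
# Added example, not from the VTLUUG wiki: audit an ssh_config for where
# GSSAPIDelegateCredentials is turned on. Under "Host *" the client forwards
# your Kerberos TGT to every server you log in to, and that server can then
# act as you; scoping it to the realm's hosts limits the damage a compromised
# or untrusted server can do with it. Both configs below are constructed.

SSH_WIDE=$(mktemp)     # the page's config: delegates to every host
SSH_NARROW=$(mktemp)   # same, with delegation scoped to the realm's hosts
trap 'rm -f "$SSH_WIDE" "$SSH_NARROW"' EXIT

cat > "$SSH_WIDE" <<'EOF'
# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    # GSSAPIStrictAcceptorCheck = no
    ServerAliveInterval 60
EOF

cat > "$SSH_NARROW" <<'EOF'
# Forward the TGT only to hosts we trust with it. ssh uses the first value it
# finds for an option, so the specific Host block must come before "Host *".
Host *.vtluug.org *.luug.ece.vt.edu
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials=no
    ServerAliveInterval 60
EOF

# Print, one per line, the Host pattern list of every block that sets
# GSSAPIDelegateCredentials yes ("(global)" if set before any Host line).
# Keywords are case-insensitive and "key=value" is accepted, as in ssh_config.
ssh_delegating_hosts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        {
            gsub(/=/, " ")                            # normalise key=value to key value
            key = tolower($1)
            if (key == "host" || key == "match") {
                patterns = $0
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", patterns)
                next
            }
            if (key == "gssapidelegatecredentials" && tolower($2) == "yes")
                print (patterns == "" ? "(global)" : patterns)
        }
    ' "$1"
}

# Succeed (exit 0) when some delegating block matches every host, i.e. its
# pattern list contains "*" or the option was set before any Host line.
ssh_delegates_everywhere() {
    ssh_delegating_hosts "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "*" || $i == "(global)") found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone usage: report both sample configs.
for conf in "$SSH_WIDE" "$SSH_NARROW"; do
    blocks=$(ssh_delegating_hosts "$conf" | tr '\n' ';')
    if ssh_delegates_everywhere "$conf"; then
        echo "$conf: TGT is delegated to ALL hosts (blocks: $blocks)"
    else
        echo "$conf: delegation limited to: $blocks"
    fi
done
```

Run <code>ssh_delegates_everywhere ~/.ssh/config</code> as a quick self-check; the narrowed layout keeps <code>GSSAPIAuthentication yes</code> for everything while only the hosts that actually need your forwarded ticket (the cluster and wood machines the page mentions, under <code>vtluug.org</code> and <code>luug.ece.vt.edu</code>) receive it.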