Linux and Unix Users Group at Virginia Tech Wiki

Authentication

Revision of 08:26, 3 January 2019 (no edit summary; 20 bytes removed from the previous revision)
VTLUUG uses [[Infrastructure:Chimera|chimera]] as its FreeIPA server. All VTLUUG hosts except [[Infrastructure:Joey|joey]], the router, are in its domain.

== Account maintenance instructions ==
All users can log into [https://chimera.vtluug.org Chimera's FreeIPA web GUI] to edit their account. Yes, it does have a self signed cert. Get over it /s

For management of the entire domain, officers are able to add, remove, or modify users in any way.

== History ==
VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. The realm was <code>VTLUUG.ORG</code>; at the time, a move to something under the vt.edu domain was being considered.

In April 2013, Kerberos authentication on acidburn was made mandatory because a Debian bug required passwords to be sent in plaintext to the LDAP server.
* If you haven't bothered to find an officer to Kerberize you in the past 6 months, you'll need to come to a meeting to set a new password.
* If your account got locked out and you have been Kerberized, email officers@vtluug.org to get it unlocked. We lock inactive accounts in order to reduce the likelihood of accounts with weak passwords getting compromised.

=== MIT Kerberos client configuration (old deployment) ===
For MIT Kerberos, put this in <code>/etc/krb5.conf</code>:
<pre>
[libdefaults]
# default_realm = ATHENA.MIT.EDU
default_realm = ECE.VT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
ATHENA.MIT.EDU = {
    admin_server = KERBEROS.MIT.EDU
    default_domain = MIT.EDU
    v4_instance_convert = {
        mit = mit.edu
        lithium = lithium.lcs.mit.edu
    }
}
ANDREW.CMU.EDU = {
    admin_server = vice28.fs.andrew.cmu.edu
}
ECE.VT.EDU = {
    admin_server = auth.ece.vt.edu
    default_domain = ece.vt.edu
    kdc = auth.ece.vt.edu
}
VTLUUG.ORG = {
    kdc = blade.vtluug.org
    admin_server = blade.vtluug.org
}

[domain_realm]
ece.vt.edu = ECE.VT.EDU
.ece.vt.edu = ECE.VT.EDU
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.ucsc.edu = CATS.UCSC.EDU
andrew.cmu.edu = ANDREW.CMU.EDU
.andrew.cmu.edu = ANDREW.CMU.EDU
.vtluug.org = VTLUUG.ORG
vtluug.org = VTLUUG.ORG
.luug.ece.vt.edu = VTLUUG.ORG
luug.ece.vt.edu = VTLUUG.ORG

[logging]
# kdc = CONSOLE
</pre>
The <code>[domain_realm]</code> entries with a leading dot cover every host under that domain; the entries without a dot cover the apex name itself. A host that matches none of them falls back to <code>default_realm</code> (here ECE.VT.EDU), so a new VTLUUG host under another domain needs its own mapping.

=== SSH authentication with Kerberos (old deployment) ===
Put this in your <code>~/.ssh/config</code>:
<pre>
# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    # GSSAPIStrictAcceptorCheck = no
    ServerAliveInterval 60
</pre>
Caveat: <code>GSSAPIDelegateCredentials yes</code> under <code>Host *</code> forwards your ticket-granting ticket to every host you connect to, and anyone with root on that host can then act as you until the ticket expires. Prefer to enable delegation only in a block for the hosts that actually need it, for example <code>Host *.vtluug.org</code>.
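As an added example (written for this page, not VTLUUG's code), the following Python resolves which realm and KDC a host name will be sent to under the <code>krb5.conf</code> above, applying the MIT krb5 <code>[domain_realm]</code> rules: exact host entry first, then the parent domains (longest first) in their leading-dot form, then <code>default_realm</code>. The configuration string is a trimmed copy of the page's file; the host names fed to it, including the deliberately misspelled one, are constructed for the demonstration.

```python
"""Resolve a host name to a Kerberos realm the way MIT krb5 reads
[domain_realm], and show where an unmapped host ends up.

Added example for this wiki page; not VTLUUG's code. SAMPLE_KRB5_CONF is a
trimmed copy of the page's krb5.conf; the queried host names are made up."""

import re

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ECE.VT.EDU

[realms]
    # use "kdc = ..." if realm admins haven't put SRV records into DNS
    ECE.VT.EDU = {
        admin_server = auth.ece.vt.edu
        default_domain = ece.vt.edu
        kdc = auth.ece.vt.edu
    }
    VTLUUG.ORG = {
        kdc = blade.vtluug.org
        admin_server = blade.vtluug.org
    }

[domain_realm]
    ece.vt.edu = ECE.VT.EDU
    .ece.vt.edu = ECE.VT.EDU
    .vtluug.org = VTLUUG.ORG
    vtluug.org = VTLUUG.ORG
    .luug.ece.vt.edu = VTLUUG.ORG
    luug.ece.vt.edu = VTLUUG.ORG
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] headers, 'key = value' lines and
    nested 'key = {' ... '}' blocks, which is all the page's layout uses.
    One-line '{ a = b }' blocks are not handled."""
    sections = {}
    stack = []                       # stack[0] = current section, stack[-1] = innermost block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^\[([A-Za-z0-9_]+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep or not stack:
            raise ValueError("unparseable krb5.conf line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(conf, host):
    """Map a host name to a realm via [domain_realm], else default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:                 # exact entry, e.g. 'vtluug.org' itself
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):     # '.luug.ece.vt.edu' is tried before '.ece.vt.edu'
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    # Nothing matched: the client assumes default_realm, so a typo in a
    # VTLUUG host name quietly sends the ticket request to the ECE KDC.
    return conf.get("libdefaults", {}).get("default_realm")


def kdc_for_realm(conf, realm):
    """KDC configured for a realm in [realms]; None means 'rely on DNS SRV'."""
    return conf.get("realms", {}).get(realm, {}).get("kdc")


CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for h in ("acidburn.vtluug.org", "blade.luug.ece.vt.edu",
              "auth.ece.vt.edu", "typo.vtlug.org"):
        r = realm_for_host(CONF, h)
        print("%-24s -> %-12s kdc=%s" % (h, r, kdc_for_realm(CONF, r)))
```

The last query in the usage loop is the check worth keeping in mind when adding hosts: a name that matches no <code>[domain_realm]</code> entry does not fail, it is silently assigned the default realm.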
Then run <code>kinit user@VTLUUG.ORG</code> and you should be able to <code>ssh user@acidburn</code> without a password. You could also log in to any machine on our cluster or most of the machines on wood. Note that IPv6 was required for getting Kerberos tickets.

VTLUUG used Kerberos and LDAP for authentication until the [[CVL eviction]]. We then migrated to an LDAP-only domain due to a lack of IPv6 behind router.ece.vt.edu: the old Kerberos server was configured to work on IPv6 only, so we were required to migrate away from it for authentication. With the old Kerberos deployment retired, [[Infrastructure:Acidburn|acidburn]] accepts normal password authentication over ssh; there is no need to configure tickets or anything else Kerberos related.

= CAS =
The '''Virginia Tech Central Authentication System''' or '''CAS''' is the Virginia Tech deployment of the [[Free software|open source]] [[w:Shibboleth (Internet2)|Shibboleth]] authentication system. Shibboleth can be thought of as an identity provider similar to [[w:OpenID|OpenID]], but more centralized, and thus well-liked by institutions such as universities.

== Scripted Login ==
The following is a work in progress. Eventually, the following commands should yield a login:
<pre>
$ curl -s -c cookies 'https://auth.vt.edu/login?service=https://my.vt.edu/Login' | sed -nrf sedconf | xargs curl
</pre>
The first <code>curl</code> fetches the login form and saves the session cookie; <code>sed</code> turns the form's hidden fields and action into <code>curl</code> arguments, which <code>xargs</code> hands to a second <code>curl</code> that submits the form. The <code>sedconf</code> file's contents are below. The <code>lt</code> login ticket is only valid together with the session cookie it was issued with, so the second request has to send the jar back (<code>-b cookies</code>) as well as update it (<code>-c cookies</code>).
<pre>
# hidden form fields: login ticket, webflow event, submit button
/name="lt"/s/.*value="([^"]*).*/-d "lt=\1"/p
/name="_eventId"/s/.*value="([^"]*).*/-d "_eventId=\1"/p
/name="submit"/s/.*value="([^"]*).*/-d "submit=\1"/p
# form action: keep the path and query, drop the ;jsessionid=... path parameter
/action="/s/.*action="([^;]*)[^?]*(\??[^"]*).*/--url "https:\/\/auth.vt.edu\1\2"/p
# credentials and cookie jar, appended after the last line
$a -d "username=bob"
$a -d "password=bubba"
$a -b cookies
$a -c cookies
</pre>
<code>bob</code> and <code>bubba</code> are placeholders. Written this way the credentials sit in a plain file and on the second <code>curl</code>'s command line, where any other user on the host can read them with <code>ps</code>, so do not run it with a real password on a shared machine. Refer to the [[sed]] and [[curl]] manual pages for details on the various commands that drive this script.

= External Links =
* [https://auth.vt.edu VT CAS]
* [http://www.computing.vt.edu/infrastructure_services/cas/index.html Description of CAS]

[[Category:Infrastructure]]
[[Category:Scripts]]
[[Category:Campus computing resources]]
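The sed/curl pipeline in the Scripted Login section scrapes the CAS form with regular expressions. As an added example (not the wiki's script), the following Python does the same extraction with a real HTML parser and builds the POST from it, keeping both requests in one cookie jar. The login URL is the one from the page; the sample login page, its <code>lt</code> value and the <code>jsessionid</code> are constructed for the demonstration and stand in for what the server returns.

```python
"""Parse a CAS login page and build the form submission that completes the
login: hidden fields (lt, _eventId, ...) plus the form action with the
;jsessionid=... path parameter removed.

Added example for this wiki page; not VTLUUG's script. LOGIN_URL comes from
the page; SAMPLE_LOGIN_PAGE is a constructed stand-in for the real form."""

import re
from html.parser import HTMLParser
from http.cookiejar import CookieJar
from urllib.parse import urlencode, urljoin
from urllib.request import HTTPCookieProcessor, build_opener

LOGIN_URL = "https://auth.vt.edu/login?service=https://my.vt.edu/Login"

# Constructed sample of a CAS 3.x login form; ticket and session id are made up.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="fm1" action="/login;jsessionid=0123456789ABCDEF?service=https%3A%2F%2Fmy.vt.edu%2FLogin" method="post">
  <input id="username" name="username" type="text" value="" />
  <input id="password" name="password" type="password" value="" />
  <input type="hidden" name="lt" value="LT-7-examplelogintoken" />
  <input type="hidden" name="_eventId" value="submit" />
  <input type="submit" name="submit" value="LOGIN" />
</form>
</body></html>
"""


class CasFormParser(HTMLParser):
    """Collect the first form's action and its hidden/submit field values."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input" and a.get("name") and a.get("type") in ("hidden", "submit"):
            self.fields[a["name"]] = a.get("value", "")


def extract_cas_form(page_html, base_url=LOGIN_URL):
    """Return (absolute action URL, dict of form fields to post back)."""
    p = CasFormParser()
    p.feed(page_html)
    if p.action is None or "lt" not in p.fields:
        raise ValueError("no CAS login form with an lt field found")
    # Drop everything from ';' up to '?' (the jsessionid path parameter), as the
    # sed expression ([^;]*)[^?]*(\??[^"]*) does; the cookie jar carries the session.
    action = re.sub(r";[^?]*", "", p.action, count=1)
    return urljoin(base_url, action), dict(p.fields)


def build_login_post(page_html, username, password, base_url=LOGIN_URL):
    """Per-session form fields plus the credentials, ready to urlencode."""
    url, fields = extract_cas_form(page_html, base_url)
    fields.update({"username": username, "password": password})
    return url, fields


def cas_login(username, password, login_url=LOGIN_URL):
    """GET the form and POST it through one cookie jar. The lt ticket is only
    accepted with the session cookie issued alongside it, which is why the
    shell version needs -b cookies on the second curl. Makes network calls."""
    opener = build_opener(HTTPCookieProcessor(CookieJar()))
    page = opener.open(login_url).read().decode("utf-8", "replace")
    url, fields = build_login_post(page, username, password, login_url)
    resp = opener.open(url, data=urlencode(fields).encode())
    return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    url, fields = build_login_post(SAMPLE_LOGIN_PAGE, "bob", "bubba")
    print(url)
    print(urlencode(fields))
```

Credentials are passed in as arguments here rather than written into a file, and nothing ends up on a command line, which removes the <code>ps</code> exposure of the <code>sedconf</code> approach.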