
Linux and Unix Users Group at Virginia Tech Wiki β

Changes

Authentication

450 bytes added, 08:26, 3 January 2019
no edit summary
VTLUUG uses [[Infrastructure:Chimera|chimera]] as its FreeIPA server, and all VTLUUG hosts except [[Infrastructure:Joey|joey]] and router are in its domain.

== Account maintenance instructions ==

All users can log into [https://chimera.vtluug.org Chimera's FreeIPA web GUI] to edit their account. Yes, it has a self-signed certificate. Get over it /s. Rather than clicking through the browser warning every visit, import the IPA CA certificate into your browser (or check the fingerprint with an officer out of band) so that a swapped certificate would actually be noticed.

For management of the entire domain, officers are able to add, remove, or modify users in any way.

== History ==

VTLUUG used Kerberos and LDAP for authentication from at least September 2012 (realm <code>VTLUUG.ORG</code>) until the [[CVL eviction]]. We then migrated to an LDAP-only domain due to a lack of IPv6 behind router.ece.vt.edu: the old Kerberos server was configured to work on IPv6 only, so we were required to migrate away from it for authentication.

In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you were unable to log in, you needed to provide sufficient proof of your identity to an officer so your password could be reset.

=== SSH authentication with Kerberos (old deployment) ===

Put this in your <code>~/.ssh/config</code>:

<pre>
# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
</pre>

Then you could just <code>kinit user@VTLUUG.ORG</code> and <code>ssh user@acidburn.vtluug.org</code> without a password. You could also log in to any machine on our cluster or most of the machines on wood. Note that IPv6 was required for getting Kerberos tickets.

Caveat: <code>GSSAPIDelegateCredentials yes</code> under <code>Host *</code> forwards your ticket-granting ticket to every host you ssh into, so a compromised host can act as you against every other Kerberos service. Restrict it to a <code>Host</code> stanza that lists only the machines that actually need delegated credentials.

=== Account maintenance (old deployment) ===

These instructions were for people in the "officers" group; normal members weren't able to mess with accounts.

==== New account creation ====

On acidburn:
* <code>sudo kinit your_user@VTLUUG.ORG</code>
* <code>ldapsearch | grep uidNumber | sort</code> (find the lowest unused uidNumber in the 1000-range and use that; note that a plain <code>sort</code> orders the numbers lexically, so read the list carefully or use <code>sort -k2 -n</code>)
* <code>sudo /home/mutantmonkey/vtluug-scripts/ldap/adduser.py</code>

On blade:
* <code>sudo kadmin.local</code>
** <code>addprinc username@VTLUUG.ORG</code>

==== Viewing user information ====

This could be useful for debugging:
* <code>kinit</code>
* <code>ldapsearch uid=username</code>
* <code>kadmin.local</code> (on blade)
** <code>getprinc username</code>
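The uidNumber lookup and the LDIF that <code>adduser.py</code> presumably fed to <code>ldapadd</code>, as an added example. This is not VTLUUG's <code>adduser.py</code> and not the wiki's own code: it parses LDIF as printed by <code>ldapsearch</code>, picks the lowest unused uidNumber numerically (the page's <code>grep | sort</code> sorts lexically), and refuses user names that could smuggle extra attributes or a second entry into the generated LDIF. The sample directory data is constructed; the object classes, user-private group numbering and <code>/home/&lt;user&gt;</code> layout are assumptions, and the <code>ou=People,dc=vtluug,dc=org</code> base is taken from the shell-change LDIF on this page.

```python
"""Pick the lowest unused uidNumber and emit an LDIF "add" entry for a new account."""
import re

# Constructed sample of `ldapsearch` output (LDIF); not real directory data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=vtluug,dc=org
uid: alice
uidNumber: 1000
gidNumber: 1000

dn: uid=bob,ou=People,dc=vtluug,dc=org
uid: bob
uidNumber: 1001
gidNumber: 1001

dn: uid=svc-backup,ou=People,dc=vtluug,dc=org
uid: svc-backup
uidNumber: 499
gidNumber: 499

dn: uid=carol,ou=People,dc=vtluug,dc=org
uid: carol
uidNumber: 1003
gidNumber: 1003
"""

UIDNUMBER_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.MULTILINE)
# POSIX-style names only: no spaces, quotes, commas or newlines, so a name can
# never inject extra attributes or another entry into the LDIF we generate.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def used_uidnumbers(ldif):
    """Return the set of uidNumber values present in ldapsearch LDIF output."""
    return {int(m.group(1)) for m in UIDNUMBER_RE.finditer(ldif)}


def lowest_free_uidnumber(ldif, low=1000, high=1999):
    """Numeric search for the lowest unused uidNumber in [low, high]."""
    used = used_uidnumbers(ldif)
    for candidate in range(low, high + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free uidNumber in %d-%d" % (low, high))


def new_user_ldif(username, uidnumber, shell="/bin/bash",
                  base="ou=People,dc=vtluug,dc=org"):
    """Build the LDIF for `ldapadd` that creates a posixAccount user (assumed schema)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("refusing unsafe username %r" % username)
    if not 1000 <= uidnumber <= 1999:
        raise ValueError("uidNumber %d outside the member range" % uidnumber)
    lines = [
        "dn: uid=%s,%s" % (username, base),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "uid: %s" % username,
        "cn: %s" % username,
        "sn: %s" % username,
        "uidNumber: %d" % uidnumber,
        "gidNumber: %d" % uidnumber,  # user-private group with the same number (assumption)
        "homeDirectory: /home/%s" % username,
        "loginShell: %s" % shell,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With the constructed sample this picks 1002 (1000, 1001 and 1003 are taken).
    print(new_user_ldif("dave", lowest_free_uidnumber(SAMPLE_LDIF)))
```

Pipe the output into <code>ldapadd</code> after a <code>kinit</code>, exactly as the shell-change LDIF on this page is piped into <code>ldapmodify</code>; the Kerberos principal on blade still has to be created separately with <code>addprinc</code>.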
==== Changing user shell (old deployment) ====

On acidburn or blade:
* <code>kinit</code>
* <code>ldapmodify <<EOF</code> and input this:
<pre>
dn: uid=username,ou=People,dc=vtluug,dc=org
changetype: modify
replace: loginShell
loginShell: /usr/bin/zsh
-
EOF
</pre>

Since the migration away from Kerberos, [[Infrastructure:Acidburn|acidburn]] should be accessible through normal password authentication over ssh. There is no need to configure tickets or anything else Kerberos related.

= CAS =

The '''Virginia Tech Central Authentication System''' or '''CAS''' is the Virginia Tech deployment of the [[Free software|open source]] CAS single sign-on server (the <code>lt</code> and <code>_eventId</code> form fields scraped below are its login web flow). It is often mentioned alongside [[w:Shibboleth (Internet2)|Shibboleth]], but the two are distinct projects. Either can be thought of as an identity provider similar to [[w:OpenID|OpenID]], but more centralized, and thus well-liked by institutions such as universities.

== Scripted Login ==

The following is a work in progress. Eventually, the following commands should yield a login.

<pre>
$ curl -s -c cookies 'https://auth.vt.edu/login?service=https://my.vt.edu/Login' | sed -nrf sedconf | xargs curl
</pre>

The <code>sedconf</code> file's contents are below. Each line turns one element of the login form into a curl argument; the final lines append the credentials and the cookie jar. The login ticket (<code>lt</code>) is bound to the session cookie set by the first request, so that cookie has to be sent back (<code>-b</code>), not merely saved (<code>-c</code>).

<pre>
/name="lt"/s/.*value="([^"]*).*/-d "lt=\1"/p
/name="_eventId"/s/.*value="([^"]*).*/-d "_eventId=\1"/p
/name="submit"/s/.*value="([^"]*).*/-d "submit=\1"/p
/action="/s/.*action="([^;]*)[^?]*(\??[^"]*).*/--url "https:\/\/auth.vt.edu\1\2"/p
$a -d "username=bob"
$a -d "password=bubba"
# send the session cookie saved by the first curl back with the POST
$a -b cookies
$a -c cookies
</pre>

Refer to the [[sed]] and [[curl]] manual pages for details on the various commands that drive this script. Keep in mind that the password sits in a file in plain text and on the <code>curl</code> command line (visible in <code>ps</code> to other users on the machine); use a throwaway account or a curl config file (<code>-K</code>) rather than your real credentials.

= External Links =
* [https://auth.vt.edu VT CAS]
* [http://www.computing.vt.edu/infrastructure_services/cas/index.html Description of CAS]

[[Category:Infrastructure]]
[[Category:Scripts]]
[[Category:Campus computing resources]]
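The same scrape the <code>sedconf</code> script performs, as an added example that is not part of the wiki page and has nothing to do with VT's actual CAS deployment: it parses a login page with <code>html.parser</code>, copies the server-supplied hidden fields (<code>lt</code>, <code>_eventId</code>, <code>submit</code>), strips the <code>;jsessionid=...</code> path parameter from the form action the way the sed regex does, and assembles the URL and body of the credential POST. The HTML is a constructed stand-in for the auth.vt.edu form; field names and the action shape are taken from the sed script, everything else is assumed. It builds the request offline and does not send it.

```python
"""Parse a CAS login form and assemble the credential POST."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed stand-in for the CAS login page (not a real auth.vt.edu response).
SAMPLE_LOGIN_PAGE = """\
<html><body>
<form id="fm1" action="/login;jsessionid=ABC123DEF?service=https%3A%2F%2Fmy.vt.edu%2FLogin" method="post">
  <input type="text" name="username" value="" />
  <input type="password" name="password" value="" />
  <input type="hidden" name="lt" value="LT-42-example" />
  <input type="hidden" name="_eventId" value="submit" />
  <input type="submit" name="submit" value="LOGIN" />
</form>
</body></html>
"""


class CasFormParser(HTMLParser):
    """Collect the first form's action and the values of its hidden/submit inputs."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            # Only server-supplied values are copied; username/password are ours to add.
            if (a.get("type") or "text").lower() in ("hidden", "submit"):
                self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def build_login_request(page_html, username, password, base="https://auth.vt.edu"):
    """Return (url, urlencoded body) for the CAS credential POST."""
    parser = CasFormParser()
    parser.feed(page_html)
    if parser.action is None or "lt" not in parser.fields:
        raise ValueError("no CAS login form with a login ticket (lt) found")
    path, _, query = parser.action.partition("?")
    # Drop ;jsessionid=...: the session is carried by the cookie jar instead,
    # which is why the POST must send the cookies saved on the first request.
    path = path.split(";", 1)[0]
    url = urljoin(base, path) + ("?" + query if query else "")
    data = dict(parser.fields)
    data["username"] = username
    data["password"] = password
    return url, urlencode(data)


if __name__ == "__main__":
    url, body = build_login_request(SAMPLE_LOGIN_PAGE, "bob", "bubba")
    print("POST", url)
    print(body)
```

The login ticket is single-use and tied to the session that issued it, so a fetched form must be posted back with the same cookie jar and cannot be reused across sessions; if the POST returns the login form again instead of a redirect to the service, the <code>lt</code> or the cookie is what to check first.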