cluster:157 [DokuWiki]


Differences

This shows you the differences between two versions of the page.

cluster:157 [2017/03/29 09:52]
hmeij07
cluster:157 [2017/04/06 11:44]
hmeij07
Line 14: Line 14:
  
 ** SSH public key authentication**  ** SSH public key authentication** 
- 
-[need a way to collect key files, push them out, and manage passwd/shadow/group unique UID/GID so they do clash, like weshmeij, lafjsimms] 
  
 In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like: In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like:
Line 21: Line 19:
   * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u''   * ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u''
  
- For this example, the /etc, /etc/ssh, and /etc/ssh/authorized_keys are directories owned and only writable by root.+ For this example, the /etc, /etc/ssh, and /etc/ssh/authorized_keys are directories owned and only writable by root.  The sshd service interprets ''%u'' as the authenticated user's username on the system. So in this approach, every user has a file named after their username in the ''/etc/ssh/authorized_keys'' directory, root-owned.
  
 <code> <code>
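Review bot: the explanation of ''%u'' added in this hunk should also say what the setting takes away. When ''AuthorizedKeysFile /etc/ssh/authorized_keys/%u'' is the only value, sshd no longer consults ''~/.ssh/authorized_keys'' (the default is ''.ssh/authorized_keys .ssh/authorized_keys2''), so users cannot add keys to their own accounts; that is the point of the root-owned directory and is worth stating explicitly. Two smaller corrections: ''%u'' is substituted before authentication has succeeded, so "the username being authenticated" is more accurate than "the authenticated user's username", and sshd reads the key file with the user's privileges while ''StrictModes'' (default yes) requires the file and every directory above it to be owned by root or the user and not group- or world-writable. The root-owned ''/etc'', ''/etc/ssh'', ''/etc/ssh/authorized_keys'' layout shown satisfies that check, and the mode-0444 file in the next hunk is readable by the user, so it would help to note here why those modes were chosen.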
Line 29: Line 27:
  drwxr-xr-x.   3 root root  4096 Nov  9 14:02 /etc/ssh  drwxr-xr-x.   3 root root  4096 Nov  9 14:02 /etc/ssh
  drwxr-xr-x    2 root root  4096 Nov  9 14:01 /etc/ssh/authorized_keys  drwxr-xr-x    2 root root  4096 Nov  9 14:01 /etc/ssh/authorized_keys
- -rwxr-xr-   2 root root  1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij+ -r--r--r--    2 root root  1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij
  
 </code> </code>
  
- The sshd service interprets ''%u'' as the authenticated user'username on the systemSo in this approachevery user has a file named after their username in the ''/etc/ssh/authorized_keys'' directory, root-owned.+Unique usernamaes and UID/GID need to be created. We need a simple web page where public keys ''ssh-keygen -t rsa'' can be uploaded with username requestedThe username will be prefixed by first 3 characters of College ('wes' for Wesleyan'laf' for Lafayette', etc). Script figures from passwd file which UID/GID is next, then 
 + 
 +<code> 
 +nid=15001 
 +pre=wes 
 +unm=hmeij 
 +[root@ ~]# echo "$pre$unm:x:$nid" >> /etc/group 
 +[root@ ~]# useradd -u $nid -g $nid $pre$unm 
 +[root@ ~]# echo "`date | md5sum | awk '{print $1}'`" | passwd $pre$unm --stdin 
 +[root@ ~]# cp /tmp/$upfile /etc/ssh/authorized_keys/$pre$unm 
 +[root@ ~]# chmod 0444 /etc/ssh/authorized_keys/$pre$unm 
 +</code> 
 + 
 +We need ''root'' authorized keys from each site so that from each college the respective block of UID/GID canbe grabbed and added to local passwd, shadow and group files.
  
-Use a secureautomated method to distribute the public key files to each login host's ''/etc/ssh/authorized_keys'' directory having them on a shared mounted filesystem introduces other potential security and availability issues, and is therefore not recommended.+Hmmthis requires that at CollegeA user hmeij can switch to weshmeij credentials before connecting to CollegeB (echo "$unm $localhost=/bin/su $pre$unm" >> /etc/sudoers"). Not pretty.
  
 +Ahh, since 
  
 **Kerberos & AD** **Kerberos & AD**
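Review bot: the provisioning commands added in this hunk have several problems. The group line ''echo "$pre$unm:x:$nid" >> /etc/group'' writes a malformed entry (the format is ''name:x:gid:members'', four fields) and bypasses the lock that ''groupadd'' takes; replace it with ''groupadd -g $nid $pre$unm'' before ''useradd -u $nid -g $nid $pre$unm''. The password set from ''date | md5sum'' is predictable (a second-resolution timestamp) and ''passwd --stdin'' exists only on the RHEL/Fedora passwd; since these accounts are meant to be key-only, lock the password instead with ''passwd -l $pre$unm'' and set ''PasswordAuthentication no'' in sshd_config. The ''cp /tmp/$upfile'' step installs a file that arrived through the upload page without checking it: run ''ssh-keygen -l -f /tmp/$upfile'' (non-zero exit means it is not a public key, which also catches an uploaded private key) and restrict ''$unm'' to lowercase letters and digits so a crafted username cannot escape ''/etc/ssh/authorized_keys/''; the script should also stop on any failed step rather than continue to the copy. ''nid=15001'' is hard-coded while the text says the script picks the next free UID from passwd; that lookup should be shown, bounded to the college's reserved block so the blocks from different colleges cannot collide. Finally, the sudoers line appends to ''/etc/sudoers'' directly with an unset ''$localhost''; put the rule in a file under ''/etc/sudoers.d/'' and validate it with ''visudo -cf'' first, and for the cross-site root keys, restrict each entry with ''from='' and ''command='' options so the peer college's key can only run the passwd/shadow/group sync from its login host rather than grant a full root shell.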
cluster/157.txt · Last modified: 2017/04/06 15:31 by hmeij07