Robert Kudyba wrote:
On Mon, Mar 15, 2021 at 4:31 PM Rob Crittenden <rcritten@redhat.com> wrote:
Robert Kudyba wrote:
> I'd like to provide an update. I can get ssh -k to work but here's what
> I had to do:
> 1. I had to run ipa-client-install on another server/computer
> 2. I ran kinit ouruser@OURDOMAIN.EDU
> 3. I could then run ssh -k ouruser@ourdomain.edu and automatically logged in without
> needing to enter a password.
>
> My question is, how does this scale to users, i.e., in our case,
> students, who are all over the world using their own laptops? Does every
> user client, i.e., computer, need to run ipa-client-install? Am I
> missing something?
It depends on what the expectations are for these user-owned machines.
Only expectation is to be able to log in to a server, get access to
their home directory and be able to do their assignments, e.g., C++,
Java or Python programming.
If you don't need IPA identities and IPA users won't log into them, then
they only need a working krb5.conf and DNS configured on them.
So each device needs to drop in the krb5.conf file from the FreeIPA
server? How does this work on a Windows client?
From the server? I wouldn't. It is likely going to need some hand-tuning
depending on your configuration. For example the server is going to have
a hardcoded KDC in it. You may or may not want that.
So your students would log into their own controlled machine using their
own local account, kinit student123@univ.edu and ssh using their
credentials.
The krb5.conf will tell the student machine how to contact the KDC.
That's all that is necessary (beyond working DNS).
I just tried this on another Fedora 33 workstation, dropped in the
/etc/krb5.conf file and all I get is:
kinit: No KCM server found while getting default ccache
You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
change the default ccache type, or comment out the includes in krb5.conf
(probably easier).
I'm puzzled as to what we'd need to tell/provide to a student, who is
enrolled remotely and can't come on campus, to be able to connect to our
server via their Windows or Mac laptop.
I don't know about Windows. I used the Windows MIT Kerberos packages a
decade or more ago and they worked fine with PuTTY (and IPA with
discovery) but whether that applies now or not I have no idea.
Mac I think should work similar to Linux: provide a krb5.conf and things
should just work. Again, you'll likely have to tweak the configuration
depending on what version of MIT Mac ships these days.
We mostly got out of the "here is how you configure all possible
clients" game quite a long time ago because it was just unsupportable.
We couldn't keep up with all the different *nix versions much less Mac
and Windows.
You're talking pure Kerberos from some client to an IPA server. The fact
that it is IPA should be irrelevant other than maybe some server-side
configuration. So the documentation for that given OS should provide
reasonable guidance.
rob
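A minimal client-side /etc/krb5.conf of the kind the thread describes, added here as an illustration; it is not taken from the thread and is not the file FreeIPA generates. The realm, domain and host names (OURDOMAIN.EDU, ipa.ourdomain.edu) are placeholders to be replaced with the site's own values. It deliberately has no includedir line, following Rob's suggestion to drop the includes, so the Fedora snippet in /etc/krb5.conf.d/kcm_default_ccache cannot reselect the KCM cache, and it sets a plain FILE credential cache so a laptop without a running KCM service does not fail with "No KCM server found".

```ini
# /etc/krb5.conf for a student laptop that only needs to kinit and ssh
# into the department servers. All names below are placeholders.
# No "includedir /etc/krb5.conf.d/" line on purpose: the distribution
# snippet that selects KCM: would otherwise win over the FILE cache below.

[libdefaults]
    default_realm = OURDOMAIN.EDU
    # Find KDCs via DNS SRV records (_kerberos._udp.ourdomain.edu) when the
    # IPA domain publishes them; the [realms] entry below is the fallback,
    # which is the "hardcoded KDC" Rob mentions.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Do not reverse-resolve the server address when building host/... principals.
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # Forwardable tickets are only required if credentials are delegated
    # to the server (ssh -K); plain GSSAPI login does not need them.
    forwardable = true
    # Plain file cache: works without a KCM daemon, avoiding
    # "kinit: No KCM server found while getting default ccache".
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    OURDOMAIN.EDU = {
        kdc = ipa.ourdomain.edu
        admin_server = ipa.ourdomain.edu
    }

[domain_realm]
    # Map server hostnames to the realm so ssh asks for host/server.ourdomain.edu@OURDOMAIN.EDU
    .ourdomain.edu = OURDOMAIN.EDU
    ourdomain.edu = OURDOMAIN.EDU
```

With this file in place the student runs kinit student123@OURDOMAIN.EDU, confirms with klist that the cache is a FILE: cache holding a krbtgt, and then ssh student123@server.ourdomain.edu (or ssh -K to delegate). Port 88 to the KDC must be reachable from off campus, which is the other thing a remote student needs beyond DNS. macOS ships a Heimdal-based Kerberos rather than MIT, so some keys differ there (Heimdal calls the cache setting default_cc_name), which is the version-specific tweaking Rob warns about.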