On Mon, Mar 15, 2021 at 4:31 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Robert Kudyba wrote:
> I'd like to provide an update. I can get ssh -k to work but here's what
> I had to do:
> 1. I had to run ipa-client-install on another server/computer
> 2. I ran kinit ouruser@OURDOMAIN.EDU
> 3. I could then run ssh -k ouruser@ourdomain.edu and automatically logged in without
> needing to enter a password.
>
> My question is, how does this scale to users, i.e., in our case,
> students, who are all over the world using their own laptops? Does every
> user client, i.e., computer, need to run ipa-client-install? Am I
> missing something?
It depends on what the expectations are for these user-owned machines.
Only expectation is to be able to log in to a server, get access to their
home directory and be able to do their assignments, e.g., C++, Java or
Python programming.
If you don't need IPA identities and IPA users won't log into them, then
they only need a working krb5.conf and DNS configured on them.
So each device needs to drop in the krb5.conf file from the FreeIPA server?
How does this work on a Windows client?
So your students would log into their own controlled machine using their
own local account, kinit student123@univ.edu and ssh using their
credentials.
The krb5.conf will tell the student machine how to contact the KDC.
That's all that is necessary (beyond working DNS).
I just tried this on another Fedora 33 workstation, dropped in the
/etc/krb5.conf file and all I get is:
kinit: No KCM server found while getting default ccache
I'm puzzled as to what we'd need to tell/provide to a student, who is
enrolled remotely and can't come on campus, to be able to connect to our
server via their Windows or Mac laptop.