On Mon, Mar 15, 2021 at 4:31 PM Rob Crittenden <rcritten@redhat.com> wrote:
Robert Kudyba wrote:
> I'd like to provide an update. I can get ssh -k to work but here's what
> I had to do:
> 1. I had to run ipa-client-install on another server/computer
> 2. I ran kinit ouruser@OURDOMAIN.EDU <mailto:ouruser@OURDOMAIN.EDU>
> 3. I could then run ssh -k ouruser@ourdomain.edu
> <mailto:ouruser@ourdomain.edu> and automatically logged in without
> needing to enter a password.
>
> My question is, how does this scale to users, i.e., in our case,
> students, who are all over the world using their own laptops? Does every
> user client, i.e., computer, need to run ipa-client-install? Am I
> missing something?

It depends on what the expectations are for these user-owned machines.

The only expectation is to be able to log in to a server, get access to their home directory and be able to do their assignments, e.g., C++, Java or Python programming.

If you don't need IPA identities and IPA users won't log into them, then
they only need a working krb5.conf and DNS configured on them.

So each device needs to drop in the krb5.conf file from the FreeIPA server? How does this work on a Windows client?

So your students would log into their own controlled machine using their
own local account, kinit student123@univ.edu and ssh using their
credentials.

The krb5.conf will tell the student machine how to contact the KDC.
That's all that is necessary (beyond working DNS).

I just tried this on another Fedora 33 workstation, dropped in the /etc/krb5.conf file and all I get is:
kinit: No KCM server found while getting default ccache

I'm puzzled as to what we'd need to tell/provide to a student, who is enrolled remotely and can't come on campus, to be able to connect to our server via their Windows or Mac laptop.
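As an added example (not part of the thread), a minimal /etc/krb5.conf for a student laptop that is not enrolled with ipa-client-install: the realm name is taken from the thread, while the KDC hostname ipa.ourdomain.edu is assumed. The default_ccache_name line is the one to check when kinit reports "No KCM server found": a krb5.conf copied from a Fedora or IPA host normally sets it to KCM:, which only works where the sssd-kcm service is running.

```ini
[libdefaults]
    default_realm = OURDOMAIN.EDU
    # Locate KDCs via DNS SRV records (_kerberos._udp.ourdomain.edu);
    # this is the "working DNS" requirement from the thread.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false
    # A file credential cache needs no KCM daemon on the laptop.
    # "default_ccache_name = KCM:" is what triggers
    # "kinit: No KCM server found" on a host without sssd-kcm.
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    OURDOMAIN.EDU = {
        # Assumed hostname; use the real IPA server here, or rely on
        # the DNS SRV lookup above and omit these two lines.
        kdc = ipa.ourdomain.edu:88
        admin_server = ipa.ourdomain.edu:749
    }

[domain_realm]
    .ourdomain.edu = OURDOMAIN.EDU
    ourdomain.edu = OURDOMAIN.EDU
```

macOS ships a Kerberos client that reads this same file at /etc/krb5.conf, and MIT Kerberos for Windows uses the same syntax in its krb5.ini, so one file can be handed to students on all three platforms before they run kinit and ssh -K.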