Authentication Task Group Meeting Minutes 2008/06/26

Agenda / Discussion

  • Date: 2008/06/26
  • Time: 10:00am-11:35am

  • Where are we going (and timing?)
    • single-secure authentication for all CS resources
      • Solaris
        • Solaris8
          • no AD support planned -> upgrade!
        • Solaris10 (some services machines for now, eg: maildir)
          • upgrade all CPU and services machines to Solaris10
            • Core region by Jan. 2009
            • Front-end (fe-solaris) by Sept. 2008
            • student regions by Jan. 2009
            • research regions - tbd
      • Windows
        • Windows XP/2003 Server
        • Windows Vista
      • Linux
        • Ubuntu8
          • services machines
            • Front-end (fe-linux) Walter/Clayton
          • grad PCs (by September 2008)
            • Walter/Clayton
            • MP: would like password complexity rules to be enforced
      • Mac
        • Teaching region - authenticate off AD, management using OpenDirectory
          • "Golden Triangle"
      • cleaning up /etc/shells
      • Research regions

  • Where are we now?
    • passwd info (UID/GID/Gecos, etc.) is in the AD for the core region
    • shells/home directories, etc. assume homogeneous environment within a region
    • 8-character passwords will still be a problem in the CS core until core machines authenticate off AD

  • what needs to happen
    • updating AD when accounts info is updated
    • need to agree on what /etc/shells should contain
    • need to set up shells in a known location
    • need to populate the AD, changing users' current shell to closest standard shell
    • check with Ray why restricted shells are in /etc/shells (Adrian)
    • MFCF login will no longer be used
    • eliminate SetPW (See ST#...)
    • eliminate accounts* package except Adminmaster and ?
    • NFS-mounted /u - make core & student region the same
    • auto-lockout logins for 5 minutes after repeated (3?) failures

  • other issues
    • platform-specific mechanisms for managing admin info
    • short vs long userid directory
    • password change in the core truncates to 8 characters when sent to AD
      • when core machines use AD and MFCF passwd not used, then will be ok
      • in the meantime, what about a warning??

  • Specific projects
    • Clayton - authenticating Solaris machines against our AD
    • Walter/Clayton - authenticating Linux clients against AD?

  • Hurdles
    • shells are broken for Macs
    • group files - mapping logical unix group name to AD name
      • Mac groups
      • Group names and usernames can't be the same in AD
        • avoided by appending "_group" to group name
        • uses full name - length limits?
    • 8-character passwords

  • Next meeting (if needed)
    • 2nd week of August - go/no go re:gradPC clients
      • invite Phil

  • Future topics
    • Web authentications (Isaac)
      • needs "zillions" of groups for web applications/email mailing lists

  • Action items
    • Adrian: check with Ray why restricted shells are in /etc/shells
    • Dave: create an ST on maintaining system files everywhere
    • Adrian: NFS-mounted /u - make core like student region
    • Clayton: Windows auto-lockout logins for 5 minutes after repeated (3?) failures
    • MP: Linux auto-lockout logins for 5 minutes after repeated (3?) failures
    • Walter/Clayton - Linux AD authentication by Sept. 2008
Topic revision: r5 - 2013-07-30 - DrewPilcher
 