...

Method 1: Using SSH2 Keys to gain access to a shared account

The command ssh-keygen should only be run once.  If your ~/.ssh/id_rsa.pub file is not empty then do not run this command.

STEP 1.
First you will need to generate an RSA public key. To do this, log into your AFS account and issue the following command. Respond to all questions with a return.

ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/u/cd/luchini/.ssh/identity.pub): <return>
Enter passphrase (empty for no passphrase): <return>
Enter same passphrase again: <return>
Your identification has been saved in /u/cd/luchini/.ssh/identity.pub.
Your public key has been saved in /u/cd/luchini/.ssh/identity.pub.

STEP 2.
Send a request to the owner of the shared account, asking that they add your ssh key to that account.
In the example below, the NIS group or netgroup is cdvx. To find out the owners of the group, type the following from the Unix shell.

ypgroup examine -group cdvx
Group 'cdvx':
GID: 2127
Comment:
Last modified at Dec 10 16:21:19 2007 by luchini
Owners: luchini, jingchen, lazmo
Members: cddev, cdioc, cdvx, ernesto, frisch, jedu, jingchen, jrock, kek, lazmo, ljh, luchini, mjb, ronc, ronm, wcross, zelazny

To add the SSH2 Keys to the account authorization file the owner of the account will type the following from the Unix shell.

cat <username>/.ssh/identity.pub >> <shared_account>/.ssh/authorized_keys2

_Note: This leaves the shared account as the owner of authorized_keys, but with changed contents. Also, the authorized_keys file will work only if it is owned by the shared account. To determine the owner of an AFS "password-less" account group, use the Unix command:_

$ ypmatch <shared_account> passwd

To determine the shared account groups, type the following. Note that the first group in the list is the primary group, and all others are considered secondary groups.

groups <shared_account>

To add a new user to an NIS group see the example below where the user "ernesto" is being added to the NIS group "cdvx".

ypgroup adduser -group cdvx -user ernesto

To add the new user to the primary AFS Group:
pts adduser -user <username> -group <shared_account>:<shared_account>

If the new user needs to run cron jobs under the shared account and wants to receive email regarding problems with any of these jobs, then add the email address of the new user to

<shared_account>/.forward

Add new user to the NIS Group
To find out the members of the <shared_account> NIS group, use the following Unix command:

$ ypmatch <shared_account> group

Done. The user can now log into the shared account using ssh.
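
The step above where the account owner appends a user's key with cat, written as a guarded shell function. This is an added example, not part of the original page or any site tooling; the function names and their arguments are hypothetical. It refuses private keys and multi-line files, checks the ownership requirement stated in the note, and does not append a key that is already installed.

```sh
#!/bin/sh
# Added example: guarded version of "cat ... >> authorized_keys".
# Function names and calling convention are hypothetical, not site tooling.

# Succeeds only if the file holds exactly one plain public-key line.
is_public_key() {
    [ -f "$1" ] || return 1
    # A PEM header means a private key was sent by mistake; never install it.
    if grep -q -- '-----BEGIN' "$1"; then return 1; fi
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    # Key type first: lines that start with options (command=..., from=...)
    # or carry anything but type, base64 blob and comment are refused.
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# Succeeds only if the file is owned by the expected account and is not
# group- or world-writable (sshd's StrictModes checks both).
check_owner_mode() {
    mode=$(ls -ld -- "$1" 2>/dev/null | awk '{print $1}')
    own=$(ls -ld -- "$1" 2>/dev/null | awk '{print $3}')
    [ "$own" = "$2" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# add_key <pubkey_file> <authorized_keys_file> <expected_owner>
# Prints "added", "present" or "rejected"; non-zero status only on rejection.
add_key() {
    if ! is_public_key "$1" || ! check_owner_mode "$2" "$3"; then
        echo rejected
        return 1
    fi
    key=$(grep . "$1")                    # the single non-empty line
    if grep -qxF -- "$key" "$2"; then     # identical line already installed
        echo present
        return 0
    fi
    printf '%s\n' "$key" >> "$2" && echo added
}
```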

...