
Procedures

note

This page is meant primarily for CSTAR members administering these machines.

Authentication Mechanisms

We are not able to tie into Kerberos for a 'proper' SSO. Instead, we run a combination of two mechanisms, both on Polly, to make sure that everything stays in sync and that users don't need to change their password on 7+ machines.

Authelia

Authelia is our OIDC provider. With minimal extra configuration, it can also run as part of a reverse proxy to provide authentication to web services which don't have OAuth/OIDC support. Authelia has a few other mechanisms available for serving auth, and should be able to integrate with most services.

It runs on Polly and keeps a list of users in a users.yml file which is autogenerated from /etc/shadow.
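As an added illustration (not CSTAR's actual users.yml generator or shadow-syncd), this shows how such a generator can copy only usable crypt hashes out of /etc/shadow into the shape of Authelia's file-backend users.yml, refusing locked accounts and hash schemes the backend is not assumed to accept. The `$5$`/`$6$` acceptance list, the `cstar` group name and the sample records are assumptions.

```python
# Constructed example, not CSTAR's generator: build an Authelia file-backend
# users mapping from /etc/shadow records, copying only usable password hashes.
# Crypt prefixes assumed accepted by Authelia's file backend (SHA-2 crypt);
# other schemes such as yescrypt "$y$" are reported rather than copied.
SUPPORTED_PREFIXES = ("$5$", "$6$")

# Constructed sample: locked root, a system account, two users with different
# hash schemes, and a user locked via "usermod -L" ("!" prefix).
SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$fakehashvalue:19700:0:99999:7:::
bob:$y$j9T$saltsalt$fakehashvalue:19700:0:99999:7:::
carol:!$6$saltsalt$fakehashvalue:19700:0:99999:7:::
"""

def parse_shadow_line(line):
    """Return (name, hash) for one /etc/shadow record, or None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9 or not fields[0]:
        return None
    return fields[0], fields[1]

def build_authelia_users(shadow_text, group="cstar"):
    """Return (users, skipped): users in users.yml shape, skipped as (name, reason)."""
    users, skipped = {}, []
    for line in shadow_text.splitlines():
        rec = parse_shadow_line(line)
        if rec is None:
            continue
        name, h = rec
        if not h or h[0] in "!*":  # locked or passwordless: never exported
            skipped.append((name, "locked or passwordless"))
        elif not h.startswith(SUPPORTED_PREFIXES):
            skipped.append((name, "unsupported hash algorithm"))
        else:
            users[name] = {"disabled": False, "displayname": name,
                           "password": h, "groups": [group]}
    return users, skipped

def render_users_yml(users):
    """Serialise in users.yml shape without a PyYAML dependency."""
    out = ["users:"]
    for name, u in users.items():
        out += [f"  {name}:", "    disabled: false",
                f'    displayname: "{u["displayname"]}"',
                f'    password: "{u["password"]}"', "    groups:"]
        out += [f"      - {g}" for g in u["groups"]]
    return "\n".join(out) + "\n"
```

The skipped list is worth logging on each run: a user who suddenly disappears from users.yml because their shadow entry switched to an unsupported scheme is otherwise a silent lockout.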

warning

Authelia runs as a service called authelia-custom. Do not use authelia.service.

shadow-syncd

shadow-syncd is the name of a small Python script that runs on Polly and propagates all changes in /etc/shadow to the other machines. This keeps SSH and physical logins consistent without the complication of PAM for LDAP, OIDC, or anything of the sort.

Adding a New Machine

If the machine is owned by Reed (it should have an asset number and barcode; ask CUS in unclear cases), it needs to have admin (sudo-capable) accounts named cus and reedadmin. Additionally, it'll need to have Crowdstrike installed, so it should be running Ubuntu.

To set it up, make sure the MAC address isn't being blocked (i.e., that it has internet access over Ethernet). If there are problems here, the issue should be brought to CUS. Install Ubuntu and set up the polytopia admin account. Email CUS to ask them to set up their admin accounts and Crowdstrike. Then, add it to the inventory.yaml file and run any applicable Ansible playbooks.

If, on the other hand, the machine is not Reed-owned (e.g., Quail), CUS asks us to have it set up individually on Netreg. That is, you're meant to set it up in Netreg as your own individual device. Then, you should install either NixOS or Ubuntu,[1] set up the polytopia admin account, and get it set up with Ansible as per usual.

Updating the Machines

Major version updates will happen during school breaks.

[1] The account mechanisms as of now rely on a writable /etc. In particular, since Polly tries to copy its shadow into other machines, a NixOS machine meant to be accessed by all CSTAR-registered users will require some special treatment. My (Tali's) suggestion is to reserve personal machines for servers that don't require SSH access by individuals, where we can get away just with a Polytopia admin account.