163
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + − The account requests arrive to a support queue on our RT system ([[Machine/treehouse/rt]]). − Users should briefly motivate their request. "I'd like to distribute some+ − Sugar-related files on people.sugarlabs.org" would suffice. − Shell accounts shouldn't be granted to untrusted individuals without+ − referrals. Shell accounts that are known to be unused should be disabled.+ − == Account creation ==+ + − + + + − + + + + Line 23:
Line 27: − + − − The users are supposed to update their password by going to − − https://ldap.sugarlabs.org/passwd − − Password logins are not permitted on any of our machines. The password − is used by other authentication protocols: HTTP, IMAP, SMTP... − − We currently don't have single-sign-on on most of our web applications, − but users can use our OpenID provider (id.sugarlabs.org). − − − == Removing shell accounts == − − Use: − − system-userdel <user> − − == Groups == − − To add groups: − system-groupadd+ − To remove groups, there's no script. Simply use "ldapvi" with no arguments.+ − == User information changes ==+ − Use ldapvi directly+ + − == Password reset ==+ − If the users have forgotten their password, you can hack the password+ − information manually with ldapvi. Alternatively, go to the password − web form and type sunjammer's root password in place of the user's − old password. − If the user knows how to use GPG, send them the new password+ − encrypted. In any case, ask them to change it immediately.+ + + +
remote-useradd should no longer be run as root
Users normally do follow the [[Sysadmin/Shell account request]].
'''Users looking for a Sugar Labs account should go to [[Service/Account]].'''
== Guidelines ==
== Guidelines ==
Ask users to follow diligently the [[Service/shell#Requesting_a_shell_account]] procedure.
Users should briefly motivate their request. A sufficient justification could be:
"I have these Sugar-related files that I'd like to distribute on people.sugarlabs.org".
'''Shell accounts shouldn't be granted to untrusted individuals without referrals.'''
'''Shell accounts that are known to be unused should be disabled with <tt>system-userdel</tt>.'''
To create an account, become root on sunjammer and type:
== Account creation on shell.sugarlabs.org ==
To create an account, become root on [[Machine/sunjammer]] and type:
system-useradd <username> <first_name> <last_name> <email>
system-useradd <username> <first_name> <last_name> <email>
At some point, the script will prompt you to paste the user's ssh key.
* Note that accents in the first_name or last_name would break the script.
* '''NOTE: You have to become root with 'sudo -i'. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source <code>/root/.ldaprc</code>.'''
At some point the script will prompt you to paste the user's ssh key.
You can skip this part and edit ~user/.ssh/authorized_keys manually.
You can skip this part and edit ~user/.ssh/authorized_keys manually.
original message.
original message.
== Passwords ==
== Adding accounts on other machines ==
Please '''do not create accounts directly with useradd!''' Instead, copy the existing credentials from sunjammer:
* Log into sunjammer, forwarding your ssh keys with the ssh-agent:
ssh -A sunjammer
* Run this shell script to create a user and copy the credentials from sunjammer:
remote-useradd <remotehost> <user> <groups...>
Needless to say, remote-useradd requires your ssh key to be already installed in the remote server.
Typically, you'll want to add users to groups <tt>sudo</tt>, <tt>adm</tt>, <tt>libvirtd</tt> and <tt>docker</tt>.
== See also ==
* [[Sysadmin/User_management]] -- all other operations on user accounts
* [[Service/Account]] -- Account information for users
* [[Service/shell]] -- ssh access to shell.sugarlabs.org
* [[Machine/sunjammer]] -- shell account server