Sysadmin/Add shell account: Difference between revisions

Retrieved from "https://wiki.sugarlabs.org/go/Sysadmin/Add_shell_account"

@@ Line 1: / Line 1: @@
-Users normally do follow the [[Sysadmin/Shell account request]].
+'''Users looking for a Sugar Labs account should go to [[Service/Account]].'''
-The account requests arrive to a support queue on [[Machine/rt]].
 == Guidelines ==
-Users should briefly motivate their request. "I'd like to distribute some
+Ask users to follow diligently the [[Service/shell#Requesting_a_shell_account]] procedure.
-Sugar-related files on people.sugarlabs.org" would suffice.
-Shell accounts shouldn't be granted to untrusted individuals without
+Users should briefly motivate their request. A sufficient justification could be:
-referrals. Shell accounts that are known to be unused should be disabled.
+"I have these Sugar-related files that I'd like to distribute on people.sugarlabs.org".
-== Account creation ==
+'''Shell accounts shouldn't be granted to untrusted individuals without referrals.'''
+'''Shell accounts that are known to be unused should be disabled with <tt>system-userdel</tt>.'''
-To create an account, become root on sunjammer and type:
+== Account creation on shell.sugarlabs.org ==
+To create an account, become root on [[Machine/sunjammer]] and type:
   system-useradd <username> <first_name> <last_name> <email>
-At some point, the script will prompt you to paste the user's ssh key.
+* Note that accents in the first_name or last_name would break the script.
+* '''NOTE: You have to become root with 'sudo -i'. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source <code>/root/.ldaprc</code>.'''
+At some point the script will prompt you to paste the user's ssh key.
 You can skip this part and edit ~user/.ssh/authorized_keys manually.
@@ Line 23: / Line 27: @@
 original message.
-== Passwords ==
+== Adding accounts on other machines ==
-The users are supposed to update their password by going to
- https://ldap.sugarlabs.org/passwd
-Password logins are not permitted on any of our machines. The password
-is used by other authentication protocols: HTTP, IMAP, SMTP...
-We currently don't have single-sign-on on most of our web applications,
-but users can use our OpenID provider (id.sugarlabs.org).
-== Removing shell accounts ==
-Use:
- system-userdel <user>
-== Groups ==
-To add groups:
- system-groupadd
+Please '''do not create accounts directly with useradd!''' Instead, copy the existing credentials from sunjammer:
-To remove groups, there's no script. Simply use "ldapvi" with no arguments.
+* Log into sunjammer, forwarding your ssh keys with the ssh-agent:
-== User information changes ==
+ ssh -A sunjammer
-Use ldapvi directly
+* Run this shell script to create a user and copy the credentials from sunjammer:
+ remote-useradd <remotehost> <user> <groups...>
-== Password reset ==
+Needless to say, remote-useradd requires your ssh key to be already installed in the remote server.
-If the users have forgotten their password, you can hack the password
+Typically, you'll want to add users to groups <tt>sudo</tt>, <tt>adm</tt>, <tt>libvirtd</tt> and <tt>docker</tt>.
-information manually with ldapvi. Alternatively, go to the password
-web form and type sunjammer's root password in place of the user's
-old password.
-If the user knows how to use GPG, send them the new password
+== See also ==
-encrypted. In any case, ask them to change it immediately.
+* [[Sysadmin/User_management]] -- all other operations on user accounts
+* [[Service/Account]] -- Account information for users
+* [[Service/shell]] -- ssh access to shell.sugarlabs.org
+* [[Machine/sunjammer]] -- shell account server