Line 1: |
Line 1: |
− | Users normally do follow the [[Sysadmin/Shell account request]]. | + | '''Users looking for a Sugar Labs account should go to [[Service/Account]].''' |
− | The account requests arrive to a support queue on [[Machine/rt]].
| |
| | | |
| == Guidelines == | | == Guidelines == |
| | | |
− | Users should briefly motivate their request. "I'd like to distribute some
| + | Ask users to follow diligently the [[Service/shell#Requesting_a_shell_account]] procedure. |
− | Sugar-related files on people.sugarlabs.org" would suffice.
| |
| | | |
− | Shell accounts shouldn't be granted to untrusted individuals without
| + | Users should briefly motivate their request. A sufficient justification could be: |
− | referrals. Shell accounts that are known to be unused should be disabled.
| + | "I have these Sugar-related files that I'd like to distribute on people.sugarlabs.org". |
| | | |
− | == Account creation ==
| + | '''Shell accounts shouldn't be granted to untrusted individuals without referrals.''' |
| + | '''Shell accounts that are known to be unused should be disabled with <tt>system-userdel</tt>.''' |
| | | |
− | To create an account, become root on sunjammer and type: | + | == Account creation on shell.sugarlabs.org == |
| + | |
| + | To create an account, become root on [[Machine/sunjammer]] and type: |
| | | |
| system-useradd <username> <first_name> <last_name> <email> | | system-useradd <username> <first_name> <last_name> <email> |
| | | |
− | At some point, the script will prompt you to paste the user's ssh key. | + | * Note that accents in the first_name or last_name would break the script. |
| + | * '''NOTE: You have to become root with 'sudo -i'. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source <code>/root/.ldaprc</code>.''' |
| + | |
| + | At some point the script will prompt you to paste the user's ssh key. |
| You can skip this part and edit ~user/.ssh/authorized_keys manually. | | You can skip this part and edit ~user/.ssh/authorized_keys manually. |
| | | |
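Review bot: The new guideline line "Shell accounts that are known to be unused should be disabled with system-userdel" is ambiguous, because the script name suggests it deletes the account rather than disabling it. The only usage line for it ("system-userdel <user>") is also dropped from this page further down in the same change. Say whether the script disables or removes the account, and what becomes of the home directory and ~user/.ssh/authorized_keys. Keep the one-line syntax here or link to the page that now carries it. Separately, the bullet about accents in first_name or last_name records the failure without saying what the admin should enter instead; add that, or note that the name has to be given in plain ASCII.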
Line 23: |
Line 27: |
| original message. | | original message. |
| | | |
− | == Passwords == | + | == Adding accounts on other machines == |
− | | |
− | The users are supposed to update their password by going to
| |
− | | |
− | https://ldap.sugarlabs.org/passwd
| |
− | | |
− | Password logins are not permitted on any of our machines. The password
| |
− | is used by other authentication protocols: HTTP, IMAP, SMTP...
| |
− | | |
− | We currently don't have single-sign-on on most of our web applications,
| |
− | but users can use our OpenID provider (id.sugarlabs.org).
| |
− | | |
− | | |
− | == Removing shell accounts ==
| |
− | | |
− | Use:
| |
− | | |
− | system-userdel <user>
| |
− | | |
− | == Groups ==
| |
− | | |
− | To add groups:
| |
| | | |
− | system-groupadd
| + | Please '''do not create accounts directly with useradd!''' Instead, copy the existing credentials from sunjammer: |
| | | |
− | To remove groups, there's no script. Simply use "ldapvi" with no arguments.
| + | * Log into sunjammer, forwarding your ssh keys with the ssh-agent: |
| | | |
− | == User information changes ==
| + | ssh -A sunjammer |
| | | |
− | Use ldapvi directly
| + | * Run this shell script to create a user and copy the credentials from sunjammer: |
| | | |
| + | remote-useradd <remotehost> <user> <groups...> |
| | | |
− | == Password reset ==
| + | Needless to say, remote-useradd requires your ssh key to be already installed in the remote server. |
| | | |
− | If the users have forgotten their password, you can hack the password
| + | Typically, you'll want to add users to groups <tt>sudo</tt>, <tt>adm</tt>, <tt>libvirtd</tt> and <tt>docker</tt>. |
− | information manually with ldapvi. Alternatively, go to the password
| |
− | web form and type sunjammer's root password in place of the user's
| |
− | old password.
| |
| | | |
− | If the user knows how to use GPG, send them the new password
| + | == See also == |
− | encrypted. In any case, ask them to change it immediately.
| + | * [[Sysadmin/User_management]] -- all other operations on user accounts |
| + | * [[Service/Account]] -- Account information for users |
| + | * [[Service/shell]] -- ssh access to shell.sugarlabs.org |
| + | * [[Machine/sunjammer]] -- shell account server |
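Review bot: The added sentence "Typically, you'll want to add users to groups sudo, adm, libvirtd and docker" makes root-equivalent access the default for accounts on other machines. Membership in docker is root-equivalent on the host, sudo normally is too, and libvirtd gives control over the virtual machines. That is hard to square with the guideline earlier on the page about not granting accounts to untrusted individuals without referrals. Suggest listing the groups as per-role choices, with a line on what each one grants, and making "no extra groups" the default. Also in this hunk, "ssh -A sunjammer" leaves the admin's agent usable by anyone with root on sunjammer for as long as the session is open. Worth a sentence telling admins to log out as soon as remote-useradd has finished, or to load the key with "ssh-add -c" so each use has to be confirmed.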