DNDLinuxLogin
Project to make it possible to have a DND-login on linux computers (specifically public machines).
What have we got so far?
Okay, we just have some basic ideas, and I'm going to be playing around with my home machine and some of the
Student Assembly's iMacs (both running debian).
There might be some really cool/beautiful ways to do this which we MIGHT NOT CONSIDER if they are just too time-intensive (I'm taking 4 classes, ok? :)
How in the heck are we going to do this?
- A geek of a much higher rank has suggested that we create a Pluggable Authentication Module (PAM) for Linux. I have no idea how much work this is, but it sounds like the cleanest method, and would work with multiple architectures....
- We could just do a straight lookup with the DND, but we have Kerberos Tickets, and Sidecar for Linux (isn't it cool how all of these projects come together? :) So the plan right now is to just do a check on the DND and get a kerberos ticket for that user.
- AFS for the DND is basically the idea of having disk space for all of the users who login. This obviously brings in a host of issues:
  - Where do we store the user data? -- That's simple: on a genuine Joe Hill Raid Box.
  - How do we store accounts? -- AFS and NFS spring to mind. Any other ideas? Not sure how well that will interoperate with the version 4 kerberos used by the DND. We should note that the NorthStar AFS (version 4) can't really talk with the DND, so we might have some major problems.
  - How do we create accounts? -- very valid question: at least right now we don't want to create an account for each name in the DND. I'm thinking that we have the login process create new user accounts (if the user is in the DND, but has no account, then adduser....)
- There might be two different methods. PAM modules exist for both Kerberos4 and LDAP.
  - LDAP - The thing is that the DND actually sits on top of an LDAP server (for those who didn't know already), so it might be easier for us to just communicate with the LDAP directly.
  - Kerberos4 - Even though the kerberos4 module is probably much suckier than the kerberos5 module, the quick online notes seemed to indicate that it was pretty robust. It even seemed to say that it could use MIT kerberos and AFS kerberos, so that someone could log in using MIT kerberos, then get an AFS session token (which is exactly what we want to do!). This is a lot more doable, because we don't have to write all of the darn code ourselves!
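As an added illustration (not code from the original page or from any DND/PAM module), here is the login-time account-creation logic sketched above: look the name up in the DND, check for a local account, and only then run adduser. The DND lookup is replaced by a constructed in-memory table, and the Debian adduser flags used are assumptions; the username is validated first because it ends up on an adduser command line.

```python
import pwd
import re
import subprocess

# Constructed stand-in for the DND/LDAP lookup: username -> full name.
# A real PAM module would query the directory (LDAP or Kerberos) instead.
DND_DIRECTORY = {"jsmith": "John Smith", "zz-dnd-example": "Example User"}

# Only accept names that are safe to hand to adduser: lowercase, no shell
# metacharacters, and no leading dash (adduser would read that as an option).
VALID_USERNAME = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def in_dnd(username):
    """True if the DND knows this user (constructed table here)."""
    return username in DND_DIRECTORY


def local_account_exists(username):
    """True if the machine already has a passwd entry for the user."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def plan_login(username):
    """Decide what the login hook should do for this username."""
    if not VALID_USERNAME.match(username):
        return "reject: malformed username"
    if not in_dnd(username):
        return "reject: not in DND"
    if local_account_exists(username):
        return "login"
    return "create-then-login"


def adduser_command(username):
    """Build the adduser argv (assumed Debian flags). A list, not a shell
    string, so the name is never re-parsed by a shell. The local password is
    disabled because authentication is done against the DND, not locally."""
    if not VALID_USERNAME.match(username):
        raise ValueError("refusing to create account for malformed name")
    return ["adduser", "--disabled-password",
            "--gecos", DND_DIRECTORY[username], username]


def create_account(username):
    """Run adduser for a DND user with no local account (needs root)."""
    subprocess.run(adduser_command(username), check=True)
```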
Why?
- Promote linux, ensure domestic prosperity, provide for the common defense against aliens (c'mon sing along with Schoolhouse Rock! :)
- The real reason? --> basically to make public linux computers work out. We could have a 'guest' login for everyone, which is something that we might do at first. See below for more reasons why DND-authenticated logins are cool.
- personal computers? -- people could use it there if they wanted to.... especially if they like the idea of storing all of their personal data on a networked file system (but we'll want to get someone else to manage this file system if tons of people start using it... :)
Considerations
- Diplomacy: try to avoid stepping on the toes of other people.
- Speed:
  - How long does it take to log in? -- needs to be lightning-fast!
  - How long to create a new user account? -- needs to be fast and/or have some message on the screen explaining the wait time.
- Non-DND users: Tons of them on campus: visitors, parents, even alums -- (unless we authenticate off of the alumni servers as well).
- Guest account -- it makes sense to have a guest account available on these computers. We could encourage students to authenticate with the DND by putting a time limit (say 5min) on the guest account. We could also promote the use of DND-auth login benefits (easy to log into BlitzMail, onto the DartMOO, access to personal files on the AFS for the DND, etc.).
Coolness factor
- medium -- it shouldn't take too much effort, but if we do use kerberos tickets (as I'm planning), then we can have a Single Login, i.e. you only enter your password once, and you get access to all kinds of stuff...
- OTOH (on the other hand), this will open the possibility for people to have preferences and shared space on the AFS-like space we're setting up (see AFS for the DND), and create a system like the linux/athena terminals down at MIT. Anyhow, you can be the judge of how cool it is for YOU! :)
RobinsonTryon - 26 Oct 2002