Egg Shell (JHED AD Integration)

For Users

We run a special shell machine named “egg” (get it? get it? Ow! OK, you got it.) which allows anyone at JHU to avail themselves of our services, even if they are not members. It integrates with JHU’s JHED system, so there are no new passwords for you to memorize or anything.

Run ssh replacing YOURJHED with, well, your JHED ID. Once there, you will be able to browse /afs/ with whatever rights have been given to your JHED account.

You can directly copy files in or out by using scp myfile.txt, for example.

For Administrators

Thanks to some help from the wonderful folks at WSE IT, we now have a shell server that can authenticate users using their JHED passwords and get them AFS tokens in our cell.

Egg runs PowerBroker Identity Services Open (“AD Bridge”). Roughly, this meant that we:

  • Grabbed

  • Ran it, letting it rain packages down from the sky.

  • Joined the domain using a WSE IT admin account:

    domainjoin-cli join --ou WSE/Computers/CS/Servers rabakae1

    Note that WSE went and created a CS OU just for us. :) Cross-reference LDAP.

  • Ran some additional configuration commands:

    cd /opt/pbis/bin
    # Shell and home directory handed to JHED users on login
    ./config LoginShellTemplate /bin/bash
    ./config Local_HomeDirTemplate "%H/JHED/%U"
    ./config HomeDirTemplate "%H/JHED/%U"
    # Let users log in as bare JHED IDs rather than DOMAIN\user
    ./config AssumeDefaultDomain "true"

That was astoundingly painless.

Note that PBIS Open is, in fact, open source – has the details and the URL for git clone.
While the machine was being set up, it was in the default security group. Subsequently, I have created the “eggish” security group which permits only:

  • DNS access to openstack’s resolver
  • Egress to TCP and UDP
  • Egress to TCP and UDP
  • Arbitrary egress to UDP ports 7000-7010
  • Arbitrary egress to TCP ports 80 and 443
  • Arbitrary ingress on UDP 7001
  • Arbitrary ingress on TCP 22
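
As an added example (not the wiki's own code, and not how the group was actually created), the list above can be written down as a rule table and checked against sample flows, which makes the default-deny nature of the group explicit. The rules mirror the page's list; the resolver address is a placeholder, DNS is assumed to mean port 53 over both UDP and TCP, and the two egress lines whose ports are missing from the page are deliberately not modelled. The `openstack security group rule create` flags used by `render_cli` are the standard ones from the OpenStack client.

```python
"""Model of the "eggish" security group described above (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str              # "ingress" or "egress"
    proto: str                  # "tcp" or "udp"
    port_min: int
    port_max: int
    remote: str = "0.0.0.0/0"   # remote CIDR; any IPv4 address unless narrowed


# PLACEHOLDER: the page does not state the resolver's address.
RESOLVER = "10.0.0.2/32"

# Rules from the page. UDP 7000-7010 covers the standard AFS server ports
# (fileserver 7000, ptserver 7002, vlserver 7003, ...); UDP 7001 ingress is the
# port the AFS cache manager listens on for fileserver callbacks.
# The two "Egress to TCP and UDP" rules whose ports are elided are omitted.
EGGISH = [
    Rule("egress", "udp", 53, 53, RESOLVER),    # DNS, assumed port 53
    Rule("egress", "tcp", 53, 53, RESOLVER),
    Rule("egress", "udp", 7000, 7010),
    Rule("egress", "tcp", 80, 80),
    Rule("egress", "tcp", 443, 443),
    Rule("ingress", "udp", 7001, 7001),
    Rule("ingress", "tcp", 22, 22),
]


def permitted(rules, direction, proto, port, remote_ip):
    """Return True if some rule matches the flow; anything unmatched is denied."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if (r.direction == direction and r.proto == proto
                and r.port_min <= port <= r.port_max
                and ip in ipaddress.ip_network(r.remote)):
            return True
    return False


def render_cli(rules, group):
    """Render each rule as an openstack client command for the named group."""
    cmds = []
    for r in rules:
        ports = (str(r.port_min) if r.port_min == r.port_max
                 else f"{r.port_min}:{r.port_max}")
        cmds.append(
            f"openstack security group rule create --{r.direction} "
            f"--protocol {r.proto} --dst-port {ports} "
            f"--remote-ip {r.remote} {group}")
    return cmds


if __name__ == "__main__":
    # Constructed sample flows: what the group lets through and what it drops.
    for flow in [("ingress", "tcp", 22, "203.0.113.5"),
                 ("egress", "tcp", 25, "203.0.113.5"),
                 ("egress", "udp", 7005, "203.0.113.5"),
                 ("egress", "udp", 53, "10.0.0.3")]:
        print(flow, "permitted" if permitted(EGGISH, *flow) else "denied")
    print("\n".join(render_cli(EGGISH, "eggish")))
```

Running it shows that inbound SSH and outbound AFS traffic match a rule while, say, outbound SMTP or DNS to anything other than the resolver is dropped, since a security group denies whatever no rule permits.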
Just installed libpam-afs-session and set up AFS as usual. Everything seems fine.