Egg Shell (JHED AD Integration)

For Users

We run a special shell machine named “egg” (get it? get it? Ow! OK, you got it.) which allows anyone at JHU to avail themselves of our services, even if they are not members. It integrates with JHU’s JHED system, so there are no new passwords for you to memorize or anything.

Run ssh YOURJHED@egg.acm.jhu.edu replacing YOURJHED with, well, your JHED ID. Once there, you will be able to browse /afs/acm.jhu.edu with whatever rights have been given to your JHED account.

You can directly copy files in or out by using scp myfile.txt YOURJHED@egg.acm.jhu.edu:/afs/acm.jhu.edu/group/foo/, for example.

For Administrators

Thanks to some help from the wonderful folks at WSE IT, we now have a shell server that can authenticate users using their JHED passwords and get them AFS tokens in our cell.

Likewise

Egg runs BeyondTrust's (http://www.beyondtrust.com/) PowerBroker Identity Services Open “AD Bridge” (http://www.powerbrokeropen.org/). Roughly, this meant that we:

  • Grabbed http://download.beyondtrust.com/PBISO/8.2.2/linux.deb.x64/pbis-open-8.2.2.2993.linux.x86_64.deb.sh

  • Ran it, letting it rain packages down from the sky.

  • Joined to the domain using a WSE IT admin account:

    domainjoin-cli join --ou WSE/Computers/CS/Servers win.ad.jhu.edu rabakae1
    

    Note that WSE went and created a CS OU just for us. :) Cross-reference LDAP.

  • Ran some additional configuration commands:

    cd /opt/pbis/bin
    ./config LoginShellTemplate /bin/bash
    ./config Local_HomeDirTemplate "%H/JHED/%U"
    ./config HomeDirTemplate "%H/JHED/%U"
    ./config AssumeDefaultDomain
    ./config AssumeDefaultDomain "true"
    

That was astoundingly painless.

Note that PBIS Open is, in fact, open source – http://www.powerbrokeropen.org/licensing/ has the details and the URL for git clone.

OpenStack

While the machine was being set up, it was in the default security group. Subsequently, I have created the “eggish” security group which permits only:

  • DNS access to openstack’s resolver
  • Egress to 128.220.70.0/24 TCP and UDP
  • Egress to 10.0.0.0/8 TCP and UDP
  • Arbitrary egress to UDP ports 7000-7010
  • Arbitrary egress to TCP ports 80 and 443
  • Arbitrary ingress on UDP 7001
  • Arbitrary ingress on TCP 22
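The list above is an allow-list: anything not matched by one of those rules is dropped. As an added illustration (not part of the original page or of the ACM's own tooling), the following Python encodes the “eggish” rules and evaluates a flow against them, which is handy for checking that a new service the host needs (for example a UDP callback from an AFS fileserver) is actually reachable before touching the security group. The resolver address is a constructed placeholder, since the page does not give it; the UDP 7000–7010 range corresponds to the standard OpenAFS service ports, with 7001 being the cache manager callback port. The `to_cli` helper renders each rule as a `openstack security group rule create` invocation for the `eggish` group, using the flags of python-openstackclient as I know them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str                  # "ingress" (to the instance) or "egress" (from it)
    proto: str                      # "tcp" or "udp"
    port_min: int                   # destination port range of the flow, inclusive
    port_max: int
    remote: ipaddress.IPv4Network   # remote CIDR the rule applies to

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed placeholder: the page does not state the address of OpenStack's resolver.
RESOLVER = ipaddress.ip_network("10.0.0.2/32")

# The "eggish" security group exactly as the page lists it.
EGGISH = [
    Rule("egress", "udp", 53, 53, RESOLVER),                                   # DNS to the resolver
    Rule("egress", "tcp", 53, 53, RESOLVER),
    Rule("egress", "tcp", 1, 65535, ipaddress.ip_network("128.220.70.0/24")),  # campus /24
    Rule("egress", "udp", 1, 65535, ipaddress.ip_network("128.220.70.0/24")),
    Rule("egress", "tcp", 1, 65535, ipaddress.ip_network("10.0.0.0/8")),       # RFC 1918 /8
    Rule("egress", "udp", 1, 65535, ipaddress.ip_network("10.0.0.0/8")),
    Rule("egress", "udp", 7000, 7010, ANY),                                    # AFS services, anywhere
    Rule("egress", "tcp", 80, 80, ANY),                                        # HTTP / HTTPS out
    Rule("egress", "tcp", 443, 443, ANY),
    Rule("ingress", "udp", 7001, 7001, ANY),                                   # AFS cache manager callbacks
    Rule("ingress", "tcp", 22, 22, ANY),                                       # SSH in
]

def permitted(rules, direction, proto, remote_ip, port):
    """A flow is permitted iff at least one rule matches it (allow-list semantics).

    `port` is the destination port of the flow: the remote port for egress,
    the instance's own port for ingress.
    """
    ip = ipaddress.ip_address(remote_ip)
    return any(
        r.direction == direction
        and r.proto == proto
        and r.port_min <= port <= r.port_max
        and ip in r.remote
        for r in rules
    )

def denied_flows(rules, flows):
    """Return the subset of (direction, proto, ip, port) tuples the group would drop."""
    return [f for f in flows if not permitted(rules, *f)]

def to_cli(rule, group="eggish"):
    """Render a rule as an openstack CLI command that would create it."""
    ports = f"{rule.port_min}:{rule.port_max}"
    return (f"openstack security group rule create --{rule.direction} "
            f"--protocol {rule.proto} --dst-port {ports} "
            f"--remote-ip {rule.remote} {group}")

if __name__ == "__main__":
    # Constructed sample flows: an SSH login, a web fetch, a stray SMTP attempt.
    sample = [
        ("ingress", "tcp", "203.0.113.5", 22),
        ("egress", "tcp", "198.51.100.9", 443),
        ("egress", "tcp", "198.51.100.9", 25),
    ]
    for flow in sample:
        print(flow, "permitted" if permitted(EGGISH, *flow) else "DENIED")
    for r in EGGISH:
        print(to_cli(r))
```

Because the evaluator mirrors the group's allow-list semantics, a flow that it reports as denied is one that would need an explicit new rule rather than a guess about what the default group used to let through.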

Other

Just installed libpam-afs-session and set up AFS as usual. Everything seems fine.