...
- DONE Any MIT user can log into cluster machines using their Kerberos passwords and their AFS home directories.
- DONE Root logins on cluster machines are not permitted, but users can su to root once they log in as themselves.
- DONE Users can change their Kerberos passwords with the passwd command.
- Private machine admins can configure who can log into machines remotely and locally with the /etc/athena/access file. They can also tag accounts as "local" and not part of the Hesiod/AFS namespace.
- Athena machines tagged as quickstations display a timer and nagging warnings to log out after a set period of time.
- DESUPPORT Users can temporarily enable and disable remote access daemons on Athena machines with the access_on and access_off commands, if the machine is configured to allow this.
...
Current solution: On cluster machines, the root password is set to a value which can be discovered by the tellme command (a symlink into AFS installed by athena-glue). To prohibit root logins, the athena-ws boot script in the athena-ws package creates /etc/noroot on machines which are part of the "cluster" Hesiod cluster. The athena-libal package denies root login access if this file exists.
Planned solution: The debathena-pam-config package will handle this by creating an /etc/pam.d/deny-root file which is included by the main system login configuration. A boot script in the debathena-pam-config package will populate this file with a PAM directive to deny root logins if the machine is part of the "cluster" cluster.
Status: Not done.
gdm already denies root logins by default. A new package debathena-cluster-login-config will remove the tty getty processes and set the root password.
Status: Done
Milestone: Cluster (one day).
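A sketch of the boot-time step described in the planned solution above, as an added example that is not Debathena code. It assumes the machine's Hesiod cluster names are passed in by the caller, uses the stock Linux-PAM module pam_succeed_if.so for the deny directive, and uses hypothetical function names.

```shell
#!/bin/sh
# Added illustration, not code from the debathena-pam-config package.
# Assumptions: the caller supplies the machine's Hesiod cluster names as one
# space-separated string; pam_succeed_if.so (stock Linux-PAM) is installed.

# Target file; overridable so the script can be exercised outside /etc.
DENY_ROOT_FILE="${DENY_ROOT_FILE:-/etc/pam.d/deny-root}"

# Print the contents of the deny-root file for the given cluster list.
# Only membership in the cluster named exactly "cluster" adds the directive.
render_deny_root() {
    for c in $1; do
        if [ "$c" = "cluster" ]; then
            printf '%s\n' '# Generated at boot: machine is in the "cluster" cluster.'
            # Fail the auth stack whenever the account being logged into is uid 0.
            printf '%s\n' 'auth    required    pam_succeed_if.so uid ne 0 quiet'
            return 0
        fi
    done
    # Comment-only file: the include still resolves, nothing is denied.
    printf '%s\n' '# Generated at boot: not a cluster machine, no root restriction.'
}

# Write via a temporary file and rename, so a login that happens during
# boot never reads a half-written PAM file.
update_deny_root() {
    tmp="$DENY_ROOT_FILE.$$"
    ( umask 022; render_deny_root "$1" > "$tmp" ) && mv -f "$tmp" "$DENY_ROOT_FILE"
}
```

Because the file is pulled in only by the login configuration, a su to root after a normal user login is unaffected as long as the su service does not include it.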
...
Feature: Users can change their Kerberos passwords with the passwd command.
...
Planned solution: Remove the athena-xscreensaver package. A new debathena-xlock package will provide the xlock script, which will just be an alias for "gnome-screensaver-command -l". The debathena-pam-config package will configure the screensaver to unlock the screen with the user's Kerberos password. A new debathena-cluster-screensaverlogin-config package will set up system GConf defaults to configure gnome-screensaver to disable user switching and to allow the user to be logged out after the screen has been saved for a set length of time. All other special features of the Athena screensaver will be desupported as they would require local code modifications.
Status: Not doneDone except for xlock.
Milestone: Cluster (one day).
...
Feature: GNOME won't display a dialog about changes in X keyboard settings from one login to another, since the same account is used on multiple machines.
...