[debian-edu-commits] debian-edu/italc.git (#105) - master (branch) updated: debian/1_2.0.0-3-7-g78512f5

Mike Gabriel sunweaver at alioth.debian.org
Mon Aug 12 01:32:53 UTC 2013


The branch, master has been updated
       via  78512f596ab40fa9c7647668a1e6f8318e83414f (commit)
      from  fa9cddf17e6333352a08c9cf868c8fab4096bd6e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 78512f596ab40fa9c7647668a1e6f8318e83414f
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Mon Aug 12 00:40:47 2013 +0200

    Update documentation file: README.setup

-----------------------------------------------------------------------

Summary of changes:
 debian/README.setup |   85 +++++++++++++++++++++++++++++++++------------------
 debian/changelog    |    1 +
 2 files changed, 56 insertions(+), 30 deletions(-)

The diff of changes is:
diff --git a/debian/README.setup b/debian/README.setup
index ae1d053..c078442 100644
--- a/debian/README.setup
+++ b/debian/README.setup
@@ -16,7 +16,7 @@ Debian Edu Profiles:
     -workstation
     -diskless workstation (DLWs)
 
-Short introduciton:
+Short introduction:
 
     - iTALC consists of three programs:
         1 - the client (called "ica"). It is a daemon that runs on the computers
@@ -25,39 +25,69 @@ Short introduciton:
             students.
         3 - Since iTALC version 2.0.0 there is a third component: imc (iTALC
             Management Console)
-    - iTALC uses keys to increase security.
+    - iTALC uses three SSL keypairs to increase security.
+    - iTALC works with a role model, known roles are: teacher, supporter and
+      admin. A fourth implicit role is the student role.
 
-The private keys have to be present on the computers where teachers
+The private SSL keys have to be present on the computers where teachers
 want to run the main application.
 
 Actually we don't know which computer the teachers will be using after all,
 so the recommendation is to make the private keys available on all
 computers/profiles and protect them via file permissions.
 
-The public keys, of course, have to be present on all computers and must be
-readable to anyone (or--at least--all students).
+The public SSL keys, of course, have to be present on all computers and must be
+readable to anyone (or--at least--all students). The italc-client Debian package
+assumes that there is a fourth role called student on every system. Users
+in the role of students get access to the public SSL keys, users that are
+in neither of those italc-* groups cannot use italc at all.
 
-The key creation is (since iTALC Debian package version 2.0.0-1) fully
-handled during package installation.
+(Make sure that teachers, supporters and administrators are also members in the group
+representing the role of a student).
 
-The Debian package italc-client adds three groups to the system:
+The SSL key creation is (since iTALC Debian package version 2.0.0-1) fully
+handled during package configuration.
+
+The Debian package italc-client adds four groups to the system. The default Posix
+group names are:
 
   italc-admin
-  italc-support
+  italc-supporter
   italc-teacher
+  italc-student
+
+The SSL keys then get created during package configuration via the
+imc -createkeypair command and the files get protected with appropriate
+file permissions. All steps are configurable through debconf or through
+preseeding. The key creation can also be deactivated completely if
+you prefer a manual setup.
+
+For Debian Edu / Skolelinux, a recommended preseeding set is recommended:
+
+italc-client/create-keypairs true
+italc-client/create-groups-for-roles false
+italc-client/use-existing-groups-for-roles true
+italc-client/group-italc-teacher teachers
+italc-client/group-italc-student students
+italc-client/group-italc-supporter admins
+italc-client/group-italc-admin admins
+italc-client/key-access-for-groups true
+
+If the package italc-client is preseeded while Debian Edu's LDAP is still
+down (during main-server installation), then use the numeric gidNumbers
+instead of group names.
 
-The keys then get created via the imc -createkeypair command and
-the files get protected with appropriate file permissions.
+So in Debian Edu the default italc-* Posix groups get overridden as shown
+below:
 
-# TODO: For Debian Edu / Skolelinux, the group names must be modifiable
-# via debconf templates and it must become possible to disable Posix group
-# creation during package installation. With preseeding, the installation
-# of the italc-client package can then be tweaked to cleanly match into
-# a Debian Edu automated installation.
+  italc-teacher -> teachers
+  italc-student -> student
+  italc-supporter -> admins
+  italc-admins -> admins
 
-Once, the italc-client package is installed and the groups are properly
-set up, the only thing left is launching the iTALC client (ica) in every
-machine the teacher shall be able to control.
+Once, the italc-client package is installed and configured, the only thing
+left is providing access to the iTALC SSL keys from every client machine
+on the Debian Edu network.
 
 
 ### THOUGHTS ON KEY GENERATION (Debian Edu specific) ###
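Review bot: The override list near the end of this hunk disagrees with the preseeding block above it: it maps "italc-student -> student" while the preseed line sets "italc-client/group-italc-student students", and it names "italc-admins" although the group list and the preseed key both use "italc-admin". These names decide who can read the key files, so the list should match the preseed values exactly. Supporter and admin also both map to "admins", which makes the two roles indistinguishable on Debian Edu; a sentence saying this is intended would help. Minor wording: "a recommended preseeding set is recommended" is redundant, "in neither of those italc-* groups" should read "in none of the italc-* groups" now that there are four groups, and "Once, the" does not need the comma.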
@@ -76,12 +106,10 @@ During package installation keys will get created in the directory
 This folder contains subfolders of the names "public" and "private"
 containing the respective keys.
 
-FIXME: At the time of writing the file permissions (in our Debian Edu setup)
-of the private keys have to be assigned manually to the "teachers" group.
+The SSL key access is controlled via Posix file permissions. Just assign users
+in the different iTALC roles to the corresponding Posix groups.
 
-    $ chgrp -R teachers /etc/italc/private
-
-Then we have to make available the keys to the other hosts on the network,
+Then we have to make the keys available to the other hosts on the network,
 so we e.g. export them using NFSv4 with something like that in /etc/exports
 
     file=/etc/exports
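Review bot: The added paragraph that replaces the FIXME says key access is controlled via Posix file permissions, but with the "chgrp -R teachers /etc/italc/private" step removed it no longer states which group ends up owning the private key directory or how to confirm it. Because the following text exports the keys to other hosts over NFSv4, please state the expected group ownership of the private and public subfolders after package configuration, or give a command to check it, so an admin can verify that the private keys are not readable by the student group.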
@@ -142,7 +170,6 @@ we do not need to run the daemon here. None have to control this
 machine or use iTALC master on it (unless you run TJENER as a combi-server:
 main-server, ltsp-server, workstation).
 
-
 -- LTSP-SERVER PROFILE --
 
 Thin clients run on this machine so we have to launch ica to control them.
@@ -169,9 +196,8 @@ execute ica when the user logs in.
 
 -- DISKLESS WORKSTATION --
 
-the same as with workstations
+The same as with workstations.
 
------------------------
 
 
 ### iTALC MASTER CONFIGURATION ###
@@ -204,14 +230,13 @@ by adding
     [paths]
     globalconfig=/etc/italc/
 
-
-
 ###############################################################
 
+
 Thanks to Valerio for this great piece of initial documentation!!!!
 
 At the time of writing the whole setup is un-tested. This is on the Deban Edu
 team's (actually mine) todo list.
 
 light+love
-Mike Gabriel,Vaumarcus CH, 2013-08-10
+Mike Gabriel,Vaumarcus CH, 2013-08-11
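Review bot: The unchanged closing paragraph still says "At the time of writing the whole setup is un-tested", and bumping the date to 2013-08-11 extends that statement to the preseeding and group-based key access documented by this commit. If that is accurate, say so next to the preseeding values rather than only in the footer; if parts have been tested, narrow the sentence. The same paragraph still contains the typo "Deban Edu", which could be fixed along with the other spelling fixes in this commit.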
diff --git a/debian/changelog b/debian/changelog
index 67da0d2..6609bd0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ italc (1:2.0.0-4) UNRELEASED; urgency=low
   * /debian/rules:
     + Now really fix the .ts file update and trigger the .qm build after
       configure of libitalccore.
+  * Update documentation file: README.setup.
 
  -- Mike Gabriel <sunweaver at debian.org>  Sun, 11 Aug 2013 03:20:31 +0200
 


hooks/post-receive
-- 
italc.git (Debian package italc)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "italc.git" (Debian package italc).



