
Group Account User-level Documentation


This documentation describes the management and usage of a group account from a user's point of view.  It may be helpful to keep section 4 (example usage) handy while reading this document.

Contents:

1 - Group account description

2 - Group account usage

3 - General tips

4 - Example usage

5 - Summary information

1 - Description

1.1 - What is a group account?

Your group account is a front-end shell (command interpreter) which allows several users to share the same account using a shared userid and password.  This includes allowing common access to all directories, files, mail, and web pages associated with the group userid.  Sometimes a group account will be referred to as "groupsh" in this documentation.

1.2 - How does a group account work?

Your group account works in a straightforward manner and should be fairly transparent to its users.  The group account (which uses groupsh) is set up nearly identically to a single-user account.  It has a userid, a password, a home directory, mail, and files just like a "regular" account. To log into a shared account using your group account, you must type in the userid and password for the shared account.  You must then type in the KSU/CNS Unix userid and password of the individual using the group account.  This will be covered in more detail later.

1.3 - How is a group account different?

Your group account is different in several ways from traditional shells and shared environments.

Primarily, groupsh isn't actually a shell at all.  It is simply an authentication agent for a group of users to share a common userid.  Once authentication is complete, groupsh runs a regular shell (such as csh, tcsh, bash, ksh, etc) which is then used to conduct whatever business a group member wishes.

Groupsh differs from other sharing methods in several ways.  Most importantly, it is more secure.  When a user logs into the group account, the system keeps track of the actual user operating the account.  This provides a way to identify the person using the account if an abuse occurs.  By requiring both the group and personal passwords, groupsh also further ensures security in the event that either of these passwords is compromised.

The most beneficial aspect of using groupsh from a user's perspective is that of convenience.  Using a common account allows seamless sharing of files and e-mail under the identity of a group rather than an individual. Further, it is possible for all group members to share group files with their own, individual, accounts.

2 - Usage

2.1 - How do we manage a group account?

When a particular group of people wishes to use groupsh to share a group account, a few things need to be done.  Beforehand, each person must have a unique KSU/CNS Unix userid to identify themselves.  Then, the group must be given an additional account (the group account) to share among their group.  The group account, like each of the other accounts, has a unique userid and password.  It is important to note here the distinction between the two styles of accounts.

Each person in a group has his or her own userid.  Each person also has a password associated with that personal userid.  This personal password should be kept secret at all times and should be known only to the owner of the personal userid.  In short: never tell anyone the password to your personal account, not even your closest friends or other members of your group.

On the other hand, the password to the group account must be known by each person in the group.  This group password allows authorized individuals to use the shared account.  This password should be known only by legitimate members of the group.

2.2 - How do I log into the group account?

To log into the group account, you must do two things.  First, you must log in as you would a regular account by typing in the username of the group account, and then the password for the group account at the appropriate prompts.

Secondly, assuming you typed the correct information, groupsh then asks for your personal userid and password to ensure that the person attempting to use the group account is authorized to do so.

If you typed in the correct userid and password for both the group and personal accounts, you will be logged into the group account.  At this point, groupsh runs whatever shell the personal userid normally uses. This allows each user of the group account to customize the group environment to his or her preferences, much like the personal account.

2.3 - How do I customize the group account?

Using groupsh allows each user to change the group account environment to meet their personal preferences without changing the environments of other members of the group.  Without any changes by the user, groupsh automatically runs the same shell that the user normally uses.  This is done to help put each user in their familiar environment.

Groupsh also allows for further customization by referencing the environment variable $REALNAME.  While the usage of environment variables is beyond the scope of this documentation, anyone familiar with basic Unix programming should be able to set up customized environments for group members using this variable.  In short, $REALNAME is set to the userid of the individual, while $LOGNAME is set to the name of the group userid.
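One way to use these two variables, as an added example that is not part of the original documentation: a fragment for the group account's ~/.profile (sh-family shells only; a tcsh user such as Alice in section 4 would need a csh equivalent). The `.members/<userid>.sh` layout, the `GROUP_RC_DIR` override and the function names are assumptions made for this example.

```shell
# Added example: per-member settings in a shared group account.
# Assumed layout: $HOME/.members/<userid>.sh holds one member's settings.
# GROUP_RC_DIR is a hypothetical override used for testing.

# Return 0 only if $1 looks like a plain userid. Rejecting "/", "." and
# whitespace keeps a malformed $REALNAME from selecting a file outside
# the members directory.
valid_member_id() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the path of the member file to load; fail if there is no safe one.
member_rc_path() {
    base="${GROUP_RC_DIR:-$HOME/.members}"
    valid_member_id "${REALNAME:-}" || return 1
    rc="$base/$REALNAME.sh"
    # Regular files only: a symlink could point anywhere.
    [ -f "$rc" ] && [ ! -L "$rc" ] || return 1
    printf '%s\n' "$rc"
}

# Source the member's file and label the prompt as member@group.
load_member_rc() {
    rc=$(member_rc_path) || return 0   # nothing safe to load: keep defaults
    . "$rc"
    PS1="${REALNAME}@${LOGNAME}\$ "
}

load_member_rc
```

Every member can write to the group account's files, so these per-member files are a convenience, not a trust boundary.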

3 - General tips

3.1 - How do I change the password for the group account?

Any group member can change the group account password via the eProfile page exactly as for any other eID.  Remember that you have to change the group account password twice a year during the password change periods.  If you don't do this the group account will be disabled, since we have no other way of knowing when you are finished using it.  In addition, every time a group member is removed from the list of eligible group account members you should change the password.

3.2 - How do we manage our group e-mail?

One of the major conveniences of the group account is that it allows any of the members to read mail to, or write mail from, the shared userid. This can also be another possible cause of headaches for group members, and should be handled intelligently.  Following are a few tips.

Perhaps the simplest method of managing group e-mail is to designate one member of the group to coordinate group mail among the group members. This designated person would then either personally handle each piece of mail to or from the group account, or dole out responsibilities for doing so to other members of the group.

This prevents accidental deletion of group mail, and helps eliminate confusion that may cause a particular piece of mail to be acted upon by more than one person.

Although common POP access to the group mail is possible, it is not recommended.  Using POP, it is very easy to misplace or delete mail that other members may need access to.  If a single person is designated to manage the group mail, only this person should use POP to access the group mail.

3.3 - How do the group members share files?

It is possible for members of the group to share files between themselves and the group account.  This is advantageous when users want to put files from elsewhere (possibly their own account) into the group account, or retrieve files from the group account.  You can use almost any FTP client to transfer files into or out of the group account.

Another method of sharing files with the group account or group members is to create a directory within a member's home directory that is readable by the group.  While the technical details will not be explained here, the advantages to this should be clear.  This allows group members, whether logged into the group account or not, to retrieve shared files from this directory as well.

The easiest and most obvious method of sharing files with the members of the group is inherent in the setup of the group account.  When the group account is created, all members of the group are automatically able to read files within the group account directory while logged into their personal accounts.  This makes copying and reading files from the group account fast and easy.
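The second method above (a group-readable directory inside a member's home directory) is sketched here as an added example; it is not from the original documentation. It assumes the members share a Unix group, passed in as an argument, and the function names are hypothetical.

```shell
# Added example: a directory in a personal home that only the group can read.
# Every parent directory, including the home directory itself, must also
# grant the group search (x) permission, or the share is unreachable.

# Print the 10-character mode string of $1, e.g. drwxr-s---
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create directory $1 so that group $2 can list and read it.
make_group_share() {
    dir=$1
    grp=$2
    mkdir -p "$dir" || return 1
    chgrp "$grp" "$dir" || return 1
    # 2750: owner rwx, group r-x, others nothing. The setgid bit makes
    # new files inherit the directory's group instead of the creator's
    # primary group.
    chmod 2750 "$dir"
}

# Copy file $1 into share $2, readable by the group but not by others.
publish_to_share() {
    cp "$1" "$2/" || return 1
    chmod 640 "$2/$(basename "$1")"
}

# Return 0 if "others" have no access at all to $1.
closed_to_others() {
    case "$(mode_of "$1")" in
        ???????---) return 0 ;;
        *) return 1 ;;
    esac
}
```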

3.4 - Can I use the group account for evil purposes?

Probably, although you will not do so anonymously!  Every time you log into the group account, you must identify yourself to groupsh, and the system logs this information.  Should a malicious member of the group send nasty e-mail from the group account, he or she can be identified.

3.5 - Can I break the group account?

Yes.  Take care not to "mess with" the group account in ways that might damage it or render it inaccessible to others in the group.  Also, take care to only include people who you trust.  Once a member is logged into the group account, he/she has full access to everything contained therein.

If you are reckless, you may accidentally alter the account in ways that hinder or annoy other members.  As long as you stick to routine usage of the account, there should be no problems.  If one of the group members is more familiar with the intricacies of Unix programming, it may be best to leave the tinkering to that person.

3.6 - How do group members ftp into the group account?

Ftp into the group account is allowed. However, due to the simple authentication methods built into ftp, logging in via ftp is different from logging in to Unix. When using ftp, use the group account as the username and your individual password for the password. See section 4 for an example ftp login.

4 - Example usage

Alice and Bob have userids "ali" and "bobcat", respectively.  Alice's personal password is "blip72" which only Alice knows.  Bob's password is "w00pie" which, of course, only he knows.  Alice and Bob wish to share an account for their department, and choose "alnbob" for the group account name.  They agree on "pos1tiv3" for the group account password.

Alice wishes to send mail to the appropriate mailing lists announcing a lunch for the department.  She wishes to do this from the shared (alnbob) account.  Here we see Alice logging into the group account.  Note that when actually logging in, passwords are not shown.  They are only shown here for clarity.

    login: alnbob
    Password: pos1tiv3

    Enter your personal username and password for group id authentication

    Username: ali
    Password: blip72

The system now knows that Alice is using the group account called "alnbob" and allows her to continue.  Since Alice's personal account (ali) uses tcsh as her normal shell, groupsh runs this for Alice when logged into the group account as well.

Using this example, if Bob wishes to ftp into the group account, he would enter "alnbob" at the username prompt and "w00pie" at the password prompt. The system then knows Bob is the individual ftping into the group account.

5 - Summary information

Groupsh is designed to maximize both ease of use and security.  It is impossible to protect the group as a whole from any individual member who wishes to cause harm, but efforts have been made to make the group accounts as secure as possible.

By using both a personal and group password for authentication, we gain several comforts at the small inconvenience of having to take a few extra seconds to log in.  Every member of the group is held accountable for his or her actions while using the group account.  Each member of the group gains the flexibility to customize his or her environment.

Every effort is made within the actual groupsh program to assure that "everything is ok" before allowing a user access to the group account. This includes cross-checking several pieces of information about users and groups to make sure everything checks out.  If anything seems out of place, groupsh will not allow access to the group account, and these errors are logged to be investigated by the systems administrators.

Should you spot any potentially dangerous or critical errors, please let your systems administrator know as soon as possible so that your group account may be kept secure.

Kansas State University
March 24, 2006