reshuffle images

2024-08-08 16:44:10 +02:00
parent 962b028e11
commit 441f7abb7b
13 changed files with 7 additions and 7 deletions

+3 -3
@@ -20,10 +20,10 @@ bob node set-attr $FQDN ipxe_installer=rhel8install
### Installation with UEFI
Start the machine and select network boot (if not already the default), then you get following menu:
![Grub default menu](installation/grub_default.png)
![Grub default menu](_static/installation_grub_default.png)
There select "Install Red Hat Enterprise Linux 8.7"
![Grub menu selection for iPXE](installation/grub_select.png)
![Grub menu selection for iPXE](_static/installation_grub_select.png)
__NOTE:__ After the installation the boot order will be changed to localboot again! So if you reinstall make sure that you re-set the bootorder via the efi menu or the commandline: https://linux.die.net/man/8/efibootmgr
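Review bot: the new targets for both images in this hunk (`_static/installation_grub_default.png` and `_static/installation_grub_select.png`) are still relative paths, so they only resolve if `_static/` sits beside this file, which the hunk does not show. Please confirm with a docs build that both images render, and check that no other page still links to the old `installation/` paths.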
@@ -44,5 +44,5 @@ Boot0004* Red Hat Enterprise Linux
### Installation with Legacy BIOS
Start the machine and select network boot (if not already the default), then you get following menu, where the default depends on the `sysdb` configuration, but you may override it manualy:
![select RHEL 8 installation](installation/ipxe_select_rhel8.png)
![select RHEL 8 installation](_static/installation_ipxe_select_rhel8.png)
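Review bot: style point on the context line directly above the changed image reference: "manualy" should be "manually" and "you get following menu" reads better as "you get the following menu". Since this paragraph is being touched anyway, it would be worth fixing in the same commit.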
+4 -4
@@ -302,12 +302,12 @@ The code is publicly available on [Github](https://github.com/paulscherrerinstit
Below diagrams show how PAM and especially `pam_single_kcm_cache.so` interact with the KCM in different use cases.
### Login with SSH using Password Authentication
![Login with SSH and Password Authentication](kerberos/kerberos_sshd_password_only.png)
![Login with SSH and Password Authentication](_static/kerberos_sshd_password_only.png)
That is kind of the "common" authentication case where all important work is done in PAM. This is the same for login on the virtual console or when using `su` with password. At the end there is an shell session with a credential cache which is not used by any other session (unless the user shares it somehow manually). Like this session isolation is achieved.
### Login with SSH using Kerberos Authentication and TGT Delegation
![Login with SSH and Password Authentication](kerberos/kerberos_sshd_tgt_delegation.png)
![Login with SSH and Password Authentication](_static/kerberos_sshd_tgt_delegation.png)
This is a bit simpler as all the authentication is done in `sshd` and only the session setup is done by PAM. Note that `sshd` does not use the default cache, but instead creates always a new one with the delegated TGT.
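Review bot: the image line for `kerberos_sshd_tgt_delegation.png` keeps the alt text "Login with SSH and Password Authentication", which belongs to the previous diagram; under the heading "Login with SSH using Kerberos Authentication and TGT Delegation" it should describe the TGT delegation case. As this line is rewritten here anyway, please correct the alt text in the same change.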
@@ -315,7 +315,7 @@ This is a bit simpler as all the authentication is done in `sshd` and only the s
In above diagrams we see how `systemd --user` is being started. It is also using PAM to setup its own session, but it does not do any authentication.
![Login with SSH and Password Authentication](kerberos/kerberos_systemd_user.png)
![Login with SSH and Password Authentication](_static/kerberos_systemd_user.png)
Here we use a predefined name for the credential cache so it can be shared with the desktop sessions. The next diagram shows more in detail how `systemd --user` and the Gnome desktop interact.
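Review bot: the image line for `kerberos_systemd_user.png` also carries the copied alt text "Login with SSH and Password Authentication", although the diagram shows `systemd --user` setting up its session through PAM without authentication. Suggest an alt text that names `systemd --user`, so screen readers and broken-image fallbacks describe the right diagram.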
@@ -323,7 +323,7 @@ Here we use a predefined name for the credential cache so it can be shared with
This is the most complex use case:
![Gnome Desktop](kerberos/kerberos_desktop.png)
![Gnome Desktop](_static/kerberos_desktop.png)
At the end we have a well known shared credential cache between Gnome and `systemd --user`. This is needed `systemd --user` is used extensively by Gnome. Important is that the Kerberos setup already happens at authentication phase as there is no session setup phase for screen unlock as the user returns there to an already existing session.
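Review bot: the context sentence after the changed image line, "This is needed `systemd --user` is used extensively by Gnome", is missing a conjunction (for example "This is needed as `systemd --user` is ..."). It is not part of the path change, but it sits in the paragraph this hunk touches and is easy to fix along with it.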