Kerberos on Linux

From MetaCentrum
Related topics
Kerberos authentication system

Kerberos is a single sign-on system: once you have obtained a ticket, you do not have to enter your password at every login attempt.

Installation & configuration

1. Install Kerberos via terminal

#switch to root
sudo su -

#update repositories and upgrade your system (recommended)
apt update
apt upgrade

#install kerberos
apt install krb5-user

You can skip the graphical configuration wizard (click next, next, ...); we will set up the environment in the next steps.

2. Download the configuration file

Copy the up-to-date Kerberos configuration file from a frontend, e.g. from skirit, with the following command:

scp META_USERNAME@skirit.ics.muni.cz:/etc/krb5.conf /etc/

Now you can switch from root back to your normal user:

exit

3. Configure SSH

Note: The tilde symbol (~) represents your home directory.

Open the ~/.ssh/config file in any text editor and set the GSSAPIDelegateCredentials value to 'yes':

nano ~/.ssh/config

Add these lines to the file:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes

You can also make this change to the SSH client configuration in /etc/ssh/ssh_config, where it affects the settings of all users on your system.
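GSSAPIDelegateCredentials forwards your Kerberos credentials to the server you connect to, and options placed before any Host line in an ssh client configuration apply to every server. The following check, an added example that is not part of the MetaCentrum page, reports which Host patterns a configuration delegates credentials to. The function names and the sample Host block restricted to skirit.ics.muni.cz are assumptions made for illustration.

```shell
# Added example, not MetaCentrum tooling; function names are hypothetical.
# delegation_scope reads ssh_config-format text on stdin and prints one line
# per "GSSAPIDelegateCredentials yes": the Host patterns it is scoped to, or
# GLOBAL when it sits before any Host/Match block or under "Host *".
delegation_scope() {
    awk '
    BEGIN { scope = "GLOBAL" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # drop indentation
        sub(/[ \t]+$/, "", line)               # drop trailing blanks
        if (line == "" || line ~ /^#/) next    # skip blanks and comments
        sub(/[ \t]*=[ \t]*/, " ", line)        # Keyword=value is legal too
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])                    # keywords are case-insensitive
        if (key == "host") {
            scope = ""
            for (i = 2; i <= n; i++) {
                if (f[i] == "*") { scope = "GLOBAL"; break }
                scope = (scope == "" ? "" : scope " ") f[i]
            }
        } else if (key == "match") {
            scope = (tolower(f[2]) == "all") ? "GLOBAL" : line
        } else if (key == "gssapidelegatecredentials" && tolower(f[2]) == "yes") {
            print scope
        }
    }'
}

# Exit 0 when delegation is enabled without a host restriction.
delegates_globally() { delegation_scope | grep -qx GLOBAL; }

# Constructed sample: the three options scoped to the frontend the page names.
scoped_config() {
    cat <<'EOF'
Host skirit.ics.muni.cz
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
EOF
}

# Constructed sample: the same options with no Host line.
unscoped_config() {
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIDelegateCredentials yes'
}

scoped_config | delegation_scope      # prints: skirit.ics.muni.cz
unscoped_config | delegation_scope    # prints: GLOBAL
```

To check your own settings, run `delegation_scope < ~/.ssh/config`; the scan lists every matching line and does not model ssh's first-value-wins precedence.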

4. Check if it works

Note: If you cannot log in, try running the command ntpdate tik.cesnet.cz (Kerberos requires the client clock to be synchronized).

Run these commands (replace META_USERNAME by your username in MetaCentrum):

kinit META_USERNAME@META #You will be asked to fill in password
klist

You should get an output similar to this one:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tomsvo@META

Valid starting     Expires            Service principal
05/26/20 17:48:19  05/27/20 17:48:17  krbtgt/META@META

Usage

Obtain a ticket:

kinit META_USERNAME@META #You will be asked to fill in your password

Obtain a renewable ticket (maximum time in MetaCentrum is 7 days):

kinit -r 7d META_USERNAME@META #You will be asked to fill in password

You can then log in to any node with a command such as:

ssh META_USERNAME@skirit.ics.muni.cz