Kerberos on Linux
Metacentrum wiki is deprecated after March 2023
Dear users, due to integration of Metacentrum into https://www.e-infra.cz/en (e-INFRA CZ service), the documentation for users will change format and site. The current wiki pages won't be updated after end of March 2023. They will, however, be kept for a few months for backwards reference. The new documentation resides at https://docs.metacentrum.cz. |
Related topics | |
---|---|
Kerberos authentication system |
|
Kerberos is a single sign-on system. Using Kerberos you don't have to fill in your password with every login attempt. You login only once, the Kerberos server issue a ticket which is stored in your computer. During the validity of the ticket you can log in to every frontend, compute node or storage without entering a password again.
Installation & configuration
1. Install Kerberos via terminal
On the Ubuntu or other Debian-like system, you can install Kerberos using apt command.
# update repositories and upgrade your system (recommended)
# you will need to enter your root password to your computer (because sudo)
sudo apt update && sudo apt upgrade
# install kerberos
# package ssh-krb5 may not be necessary
sudo apt install krb5-user ssh-krb5
You can skip the configuration graphical wizard (click on Ok, Next, ...), we will set up the environment in next steps.
On Mac, Kerberos is available as part of the MacOS.
2. Download the configuration file
Copy up-to-date Kerberos's config file from any frontend. You can copy it from skirit by following command. Replace META_USERNAME by your username in Metacentrum.
sudo scp META_USERNAME@skirit.ics.muni.cz:/etc/krb5.conf /etc/
MacOS version < 10.3 users: The location of the configuration file is different than the traditional Linux location. Instead of /etc/krb5.conf
, the Kerberos configuration file is located in /Library/Preferences/edu.mit.kerberos
, which follows more closely the naming conventions in Mac OS X.
3. Configure SSH
Open the ~/.ssh/config file in any text editor and set several GSSAPI values to 'yes':
nano ~/.ssh/config
These lines have to be added to the file:
# Kerberos access (Metacentrum)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
You can also make the change of SSH client configuration in a file /etc/ssh/ssh_config
, it affects settings of all users on your system.
4. Usage
Run these commands (replace META_USERNAME by your username in Metacentrum):
# obtain ticket from Kerberos server
# You will be asked to fill in password
kinit META_USERNAME@META
# check valid tickets
klist
You should get an output similar to this one:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tomsvo@META
Valid starting Expires Service principal
05/26/21 17:48:19 05/27/21 17:48:17 krbtgt/META@META
It means that you have valid ticket for 24 hours to META (Metacentrum).
You can get a ticket with renew ability (maximum time in Metacentrum is 7 days):
# You will be asked to fill in password
kinit -r 7d META_USERNAME@META
Now, You can log in to any node by command e.g.:
ssh META_USERNAME@skirit.ics.muni.cz