Kerberos on Linux
Kerberos is a single sign-on system, which means that with Kerberos you don't have to enter your password at every login attempt.
Installation & configuration
1. Install Kerberos via terminal
#switch to root
sudo su -
#update repositories and upgrade your system (recommended)
apt update
apt upgrade
#install kerberos
apt install krb5-user
You can skip the graphical configuration wizard (click Next, Next, ...); we will set up the environment in the next steps.
2. Download the configuration file
Copy the up-to-date Kerberos configuration file from a frontend, e.g. from skirit, with the following command:
scp META_USERNAME@skirit.ics.muni.cz:/etc/krb5.conf /etc/
Now you can switch from root back to your normal user.
3. Configure SSH
Open the ~/.ssh/config file in any text editor and set the GSSAPIDelegateCredentials value to 'yes' by adding these lines to the file:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
You can also change the SSH client configuration in the file /etc/ssh/ssh_config; this affects the settings of all users on your system.
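GSSAPIDelegateCredentials forwards your Kerberos ticket to the server you connect to, so it matters which hosts the setting covers: lines placed before any Host block, or under Host *, apply to every connection. The script below is an added example, not part of the original page; the function names and the sample config are constructed, and it reports each place a client config enables delegation and whether that place is limited to named hosts.

```shell
#!/bin/sh
# Added example, not from the original page. Lists each line of an OpenSSH
# client config that enables GSSAPIDelegateCredentials, with its scope.
# Output columns (tab separated): scope, line number, all-hosts|scoped
audit_gssapi_delegation() {
    awk '
        BEGIN { scope = "(global)"; wide = 1 }   # before any Host block
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            match($0, /^[A-Za-z0-9]+/)           # keywords are case-insensitive
            key = tolower(substr($0, 1, RLENGTH))
            arg = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)      # "Keyword value" or "Keyword=value"
            gsub(/"/, "", arg)
        }
        key == "host" || key == "match" {
            scope = (key == "match" ? "match " : "") arg
            wide = 0
            n = split(tolower(arg), pat, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (pat[i] == "*" || (key == "match" && pat[i] == "all"))
                    wide = 1
            next
        }
        key == "gssapidelegatecredentials" && tolower(arg) == "yes" {
            printf "%s\t%d\t%s\n", scope, NR, (wide ? "all-hosts" : "scoped")
        }
    ' "$1"
}

# Constructed sample: the three lines from step 3 under a Host pattern for
# the frontend named on this page, plus a catch-all block for contrast.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Host skirit.ics.muni.cz
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
Host *
    GSSAPIDelegateCredentials=yes
EOF
    audit_gssapi_delegation "$tmp"
    rm -f "$tmp"
}
demo
```

Run audit_gssapi_delegation on ~/.ssh/config and on /etc/ssh/ssh_config. The three lines from step 3, added to a file with no Host line above them, are reported as (global) and all-hosts.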
4. Check if it works
Run these commands (replace META_USERNAME with your MetaCentrum username):
kinit META_USERNAME@META #You will be asked to fill in password
klist
You should get an output similar to this one:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tomsvo@META

Valid starting     Expires            Service principal
05/26/20 17:48:19  05/27/20 17:48:17  krbtgt/META@META
To simply obtain a ticket:
kinit META_USERNAME@META #You will be asked to fill in your password
To obtain a renewable ticket (the maximum time in MetaCentrum is 7 days):
kinit -r 7d META_USERNAME@META #You will be asked to fill in password
You can log in to any node by command e.g.: