Kerberos on Linux

The MetaCentrum wiki is deprecated after March 2023
Dear users, due to the integration of MetaCentrum into https://www.e-infra.cz/en (e-INFRA CZ service), the user documentation is changing its format and site.
The current wiki pages will not be updated after the end of March 2023. They will, however, be kept for a few months for backward reference.
The new documentation resides at https://docs.metacentrum.cz.
Related topics
Kerberos authentication system

Kerberos is a single sign-on system. With Kerberos you do not have to type your password on every login attempt: you log in once, the Kerberos server issues a ticket, and that ticket is stored on your computer. While the ticket is valid you can log in to every frontend, compute node or storage server without entering your password again.

Installation & configuration

1. Install Kerberos via terminal

On Ubuntu or another Debian-like system you can install Kerberos with the apt command.

# update repositories and upgrade your system (recommended)
# sudo will ask for the password of your own account, not a separate root password
sudo apt update && sudo apt upgrade

# install the Kerberos client tools (kinit, klist, kdestroy)
# ssh-krb5 is a transitional package on current Debian/Ubuntu (openssh-client already has GSSAPI support) and may not be necessary
sudo apt install krb5-user ssh-krb5

You can skip the text-mode configuration dialog that asks for the default realm (Ok, Next, ...); the realm and server settings come from the krb5.conf copied in the next step.

On a Mac, Kerberos is available as part of macOS.

2. Download the configuration file

Copy the up-to-date Kerberos config file from any frontend; for example, copy it from skirit with the following command (replace META_USERNAME with your MetaCentrum username). You have no ticket yet, so scp will ask for your MetaCentrum password, and because of sudo it runs as root and records the host key in root's known_hosts. Check the host key fingerprint before accepting it: this copy happens over plain SSH, before Kerberos can protect the connection.

sudo scp META_USERNAME@skirit.ics.muni.cz:/etc/krb5.conf /etc/

Users of macOS versions below 10.3: the configuration file lives in a different place than on Linux. Instead of /etc/krb5.conf, the Kerberos configuration file is /Library/Preferences/edu.mit.kerberos, which follows the Mac OS X naming conventions more closely.

3. Configure SSH

Note: The tilde symbol (~) represents your home directory.

Open the ~/.ssh/config file in any text editor and set the following GSSAPI values to yes:

nano ~/.ssh/config

Add these lines to the file:

# Kerberos access (Metacentrum)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes

You can also make this change in the system-wide client configuration file /etc/ssh/ssh_config; it then affects all users on your system. Two caveats: options written at the top of ~/.ssh/config (outside any Host block) apply to every host you connect to, and GSSAPIDelegateCredentials yes forwards your Kerberos ticket to each of those hosts, so it is safer to put the three lines in a Host block that matches only MetaCentrum machines. GSSAPIKeyExchange is provided by the GSSAPI key-exchange patch carried by Debian and Ubuntu; an OpenSSH build without it (for example a stock upstream or macOS ssh) rejects the line as a bad configuration option, in which case leave that line out.
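The three options above, placed at the top of ~/.ssh/config, apply to every host you connect to, and GSSAPIDelegateCredentials yes hands your Kerberos ticket to each of them. The script below is an added example (it is not from the MetaCentrum wiki): it writes the wiki's global snippet and a variant scoped with a Host block, then resolves the value ssh would actually use for a given host with the same first-match rule OpenSSH applies (the first value obtained for an option wins, so the order of Host blocks matters). The pattern *.metacentrum.cz is an assumption; the wiki only names skirit.ics.muni.cz. The resolver deliberately ignores negated "!pattern" entries and Match blocks.

```shell
#!/bin/sh
# Added example (not part of the MetaCentrum wiki). Shows why the GSSAPI lines
# should live in a "Host" block instead of at the top of ~/.ssh/config: ssh
# uses the FIRST value it finds for an option, so a global
# "GSSAPIDelegateCredentials yes" forwards the Kerberos TGT to *every* host.
# The resolver below mimics that first-match rule (no "!pattern", no Match).
# *.metacentrum.cz is an assumed pattern; the wiki only shows skirit.ics.muni.cz.

# The wiki's snippet: options at file top apply to all hosts.
write_global_config() {
    cat >"$1" <<'EOF'
# Kerberos access (Metacentrum)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
EOF
}

# Scoped variant: delegation only to MetaCentrum frontends/nodes.
write_scoped_config() {
    cat >"$1" <<'EOF'
# Kerberos access (Metacentrum): forward the TGT only to these hosts
Host *.ics.muni.cz *.metacentrum.cz
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes

# Default for everything else
Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
EOF
}

# effective_option FILE HOST OPTION -> prints the value ssh would use for HOST,
# exit status 1 if the option is not set for that host. The body is a subshell
# so that "set -f" (no pathname expansion of patterns such as "*") stays local.
effective_option() (
    set -f
    file=$1 host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')   # option names are case-insensitive
    active=1                                     # lines before any Host block apply to all hosts
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                             # split into keyword + arguments
        [ $# -eq 0 ] && continue
        case $1 in '#'*) continue ;; esac        # comment line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$key" = host ]; then
            shift
            active=0
            for pat in "$@"; do                  # any pattern matching HOST activates the block
                case $host in $pat) active=1 ;; esac
            done
            continue
        fi
        if [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$2"                   # first hit wins, exactly like ssh
            exit 0
        fi
    done <"$file"
    exit 1
)

# show_delegation FILE LABEL: compare a MetaCentrum host with an unrelated one.
show_delegation() {
    for target in skirit.ics.muni.cz github.com; do
        printf '%-22s %-8s delegate=%s\n' "$target" "$2" \
            "$(effective_option "$1" "$target" GSSAPIDelegateCredentials || echo unset)"
    done
}

tmp=$(mktemp -d)
write_global_config "$tmp/global"
write_scoped_config "$tmp/scoped"
show_delegation "$tmp/global" global     # github.com  global  delegate=yes
show_delegation "$tmp/scoped" scoped     # github.com  scoped  delegate=no
rm -rf "$tmp"
```

On a real machine the authoritative check is `ssh -G skirit.ics.muni.cz | grep -i gssapi`, which prints the settings OpenSSH actually resolved for that host after reading both ~/.ssh/config and /etc/ssh/ssh_config.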

4. Usage

Note: If you cannot log in (typically with a clock skew error), synchronize your clock, e.g. with sudo ntpdate tik.cesnet.cz; Kerberos rejects requests when your clock differs from the server's by more than a few minutes (5 by default).

Run these commands (replace META_USERNAME with your MetaCentrum username):

# obtain a ticket-granting ticket from the Kerberos server
# you will be asked for your password
kinit META_USERNAME@META

# check valid tickets
klist

You should get an output similar to this one:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tomsvo@META

Valid starting     Expires            Service principal
05/26/21 17:48:19  05/27/21 17:48:17  krbtgt/META@META

It means that you have a ticket for the META realm (MetaCentrum) that is valid for 24 hours.

You can also get a renewable ticket (the maximum renewable lifetime in MetaCentrum is 7 days). The ticket itself still expires after 24 hours, but within those 7 days you can extend it with kinit -R without entering your password again:

# You will be asked for your password
kinit -r 7d META_USERNAME@META

Now you can log in to any node, e.g.:

ssh META_USERNAME@skirit.ics.muni.cz

When you are finished on a shared computer, run kdestroy to remove the ticket cache (the FILE:/tmp/krb5cc_... file shown by klist) so that the ticket does not outlive your session.
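The usage step above, wrapped into a small login script, as an added example that is not from the MetaCentrum wiki: it obtains a ticket only when none is valid, extends an existing renewable ticket without asking for the password, and then opens the SSH session. The commands and flags are those of MIT Kerberos as shipped in krb5-user (klist -s, kinit -r, kinit -R, kdestroy); the realm META and the frontend skirit.ics.muni.cz are taken from the wiki, the script name meta-login.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the MetaCentrum wiki: a wrapper around the kinit/klist
# commands used in the Usage step. Obtains a ticket only when none is valid,
# extends an existing renewable ticket without a password, then logs in.
# Commands/flags are MIT Kerberos (Debian package krb5-user).

REALM=META                            # realm from the wiki (META_USERNAME@META)
RENEW_LIFETIME=7d                     # MetaCentrum's maximum renewable lifetime
FRONTEND=skirit.ics.muni.cz           # frontend used in the wiki

# ensure_ticket USERNAME
# Leaves a usable TGT in the credential cache. Returns kinit's exit status when
# a new ticket has to be obtained (non-zero on a wrong password, clock skew, ...).
ensure_ticket() {
    user=$1
    # "klist -s" prints nothing; exit status 0 means a non-expired ticket is cached.
    if klist -s; then
        # Extend it without a password while the renewable lifetime requested
        # with "kinit -r" lasts; a non-renewable ticket simply stays as it is.
        kinit -R 2>/dev/null || true
        return 0
    fi
    # No valid ticket: ask for the password once and request a renewable TGT.
    kinit -r "$RENEW_LIFETIME" "$user@$REALM"
}

# meta_ssh USERNAME [HOST]: make sure a ticket exists, then log in with it
# (GSSAPIAuthentication in ~/.ssh/config lets ssh use the ticket).
meta_ssh() {
    ensure_ticket "$1" || return 1
    ssh "$1@${2:-$FRONTEND}"
}

# Usage: ./meta-login.sh META_USERNAME
# When you are done on a shared computer run "kdestroy" so the cache file under
# /tmp does not outlive your session.
if [ $# -gt 0 ]; then
    meta_ssh "$1"
fi
```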