GSSAPI "passwordless" auth HOW-TO
This how-to details the necessary steps for "passwordless" GSSAPI authorization on the UGCS cluster.
Software Installation
- Ensure that Kerberos is installed on your system:
  - Linux: The relevant packages generally contain krb5 in their name, e.g. krb5-user, mit-krb5, or krb5-workstation.
  - OS X: Version 10.4 comes with Kerberos installed. There is even a Kerberos GUI front-end at /System/Library/CoreServices/Kerberos.app.
Kerberos Configuration
- Create a Kerberos configuration file:
  - Linux: /etc/krb5.conf
  - OS X: /Library/Preferences/edu.mit.Kerberos
- Add the following to the configuration file and save it:
  - If you do not have other Kerberos settings that you want to keep, you can replace the entire configuration file with http://www.ugcs.caltech.edu/kerberos/krb5.conf
[domain_realm]
.ugcs.caltech.edu = UGCS.CALTECH.EDU
ugcs.caltech.edu = UGCS.CALTECH.EDU
[libdefaults]
default_realm = UGCS.CALTECH.EDU
dns_fallback = yes
forwardable = true
proxiable = true
[realms]
UGCS.CALTECH.EDU = {
admin_server = krb-head.ugcs.caltech.edu:749
kdc = krb-head.ugcs.caltech.edu:88
kdc = krb-backup.ugcs.caltech.edu:88
}
[v4 domain_realm]
.ugcs.caltech.edu = UGCS.CALTECH.EDU
ugcs.caltech.edu = UGCS.CALTECH.EDU
- Run kinit to fetch a Kerberos ticket. You will be prompted for your UGCS password:
% kinit
Please enter the password for user@UGCS.CALTECH.EDU:
%
SSH Configuration
- Run man ssh_config to see if your version of openssh has the GSSAPITrustDns option. If it does, add the following to your .ssh/config file and save it:
Host to
    HostName to.ugcs.caltech.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
- If your version of openssh does not support the GSSAPITrustDns option, you cannot use to.ugcs.caltech.edu for GSSAPI authentication. You will need to choose a specific UGCS host, e.g.:
Host lara
    HostName lara.ugcs.caltech.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Use
- You can now log in to UGCS without a password until the ticket expires:
% ssh to
Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
Welcome to UGCS 4.0!
%
- You can view active tickets with klist. UGCS tickets expire after ten hours unless renewed, and can be renewed for up to a week:
% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting Expires Service Principal
10/23/07 23:13:17 10/24/07 09:13:17 krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
renew until 10/30/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache
- Tickets can be renewed by running kinit -R:
% kinit -R
%
- Active tickets can be destroyed with kdestroy:
% kdestroy
% klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache
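The ticket lifecycle above (ten-hour lifetime, one-week renew window, kinit -R versus a fresh kinit) is easy to get wrong in a cron job or login script, because kinit -R only works while the ticket is still valid; once it has expired you are back to kinit and a password prompt. The following script is an added example, not part of the UGCS how-to: it parses klist output of the shape shown on this page (MIT klist, MM/DD/YY HH:MM:SS dates) and, given a reference time, reports whether nothing needs doing, kinit -R should be run, or the ticket must be re-obtained. The klist samples embedded in it are constructed from the page's own output; the helper names to_key and tgt_action are my own. On OS X, Heimdal's klist prints dates in a different format, so the date parsing would need adjusting there.

```shell
#!/bin/sh
# Added example (not part of the UGCS how-to): classify a Kerberos TGT from
# klist output and decide between "do nothing", "kinit -R" and "kinit".
# Assumes MIT klist output with MM/DD/YY HH:MM:SS timestamps, as on the page.

# Constructed sample: a renewable TGT, shaped like the how-to's klist output.
SAMPLE_KLIST="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting     Expires            Service Principal
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache"

# Constructed sample: the same TGT issued without a renew window.
SAMPLE_NONRENEWABLE="Default principal: user@UGCS.CALTECH.EDU
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU"

# Constructed sample: what klist prints after kdestroy.
SAMPLE_EMPTY="klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache"

# to_key "MM/DD/YY HH:MM:SS" -> YYMMDDHHMMSS, so timestamps compare as integers.
to_key() {
    printf '%s\n' "$1" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# tgt_action KLIST_OUTPUT "MM/DD/YY HH:MM:SS"
# Prints exactly one word:
#   ok      TGT valid but no renew window: nothing to do yet
#   renew   TGT valid and still inside its renew window: run kinit -R
#   reinit  no TGT, or it has expired: run kinit (password prompt)
tgt_action() {
    klist_out=$1
    now=$(to_key "$2")
    # The TGT line is the one whose service principal starts with krbtgt/;
    # its 3rd and 4th whitespace-separated fields are the expiry date and time.
    expires=$(printf '%s\n' "$klist_out" | awk '/krbtgt\// { print $3 " " $4; exit }')
    # The optional "renew until" line gives the end of the renew window.
    renew_until=$(printf '%s\n' "$klist_out" | awk '/renew until/ { print $3 " " $4; exit }')

    if [ -z "$expires" ] || [ "$now" -ge "$(to_key "$expires")" ]; then
        echo reinit            # kinit -R cannot revive an expired ticket
    elif [ -n "$renew_until" ] && [ "$now" -lt "$(to_key "$renew_until")" ]; then
        echo renew
    else
        echo ok
    fi
}

# Stand-alone use against the live credentials cache (uncomment on a real
# system with MIT Kerberos installed):
# case "$(tgt_action "$(klist 2>&1)" "$(date '+%m/%d/%y %H:%M:%S')")" in
#     renew)  kinit -R ;;
#     reinit) echo 'ticket missing or expired: run kinit' >&2 ;;
# esac
```

The "renew" branch fires whenever the ticket is valid and the renew window is open, which is the behaviour you want from a periodic job: renewing a still-valid ticket is harmless, while waiting until just before expiry risks missing the window and falling back to a password prompt.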
