Documentation:Kerberized SSH

From UGCS

Jump to: navigation, search

GSSAPI "passwordless" auth HOW-TO

This how-to details the necessary steps for "passwordless" GSSAPI authorization on the UGCS cluster.


First, install Kerberos for your system.

Next, you need to make sure that the appropriate options are set so that ssh will use GSSAPI correctly. If you do not add these lines (particularly GSSAPIDelegateCredentials), you will be unable to get AFS tokens and will not be able to access your home directory. Add these lines to ~/.ssh/config (or /etc/ssh/ssh_config): 

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Use

  • After you get tokens with "kinit", you can log in to UGCS without a password until the ticket expires: 
% ssh to
Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
Welcome to UGCS 4.0!

%
  • You can view active tickets with klist. UGCS tickets expire after ten hours unless renewed and can be renewed up to a week: 
% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU

Valid Starting     Expires            Service Principal
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17

klist: No Kerberos 4 tickets in credentials cache
  • Tickets can be renewed by running kinit -R 
% kinit -R
%
  • Active tickets can be destroyed with kdestroy: 
% kdestroy
% klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache

kinit automatically when necessary

The following Linux/Unix script will check if you're attempting to ssh to UGCS; if you are, it will then check if your tickets are present and up-to-date, and kinit if they are not. Drop this into a file named "ssh" in your ~/bin/ directory to use it instead of /usr/bin/ssh (or whatever) by default.

Also, make sure to replace the "3" in the "elif" line with the number of hours you are ahead of Pacific time (e.g., Central time zone users would place a 2 here, while Britons would use an 8). If you are already in the Pacific time zone, you can remove the whole "\- 3600 \* 3" segment. 

#!/bin/bash
if echo $@|grep -ie .\*ugcs\\\|to.\*>/dev/null; then
        if [ `klist 2>/dev/null|grep -i ugcs|wc -l` == 0 ]; then
                kinit;
        elif expr $(date -d "`klist|grep "renew until"|head -n 1|sed -e "s/\trenew\ until\ //"`" +%s) \- 3600 \* 3 \< $(date +%s)>/dev/null; then
                kinit;
        fi;
fi

/usr/bin/ssh $@

See Also

Retrieved from "http://www.ugcs.caltech.edu/wiki/Documentation:Kerberized_SSH"
Personal tools