Documentation:Kerberized SSH

From UGCS

Kerberized SSH HOW-TO

This how-to details the steps needed for "passwordless" GSSAPI (Kerberos) authentication to the UGCS cluster.


First, install Kerberos for your system.

Next, make sure the appropriate options are set so that ssh uses GSSAPI correctly. If you do not add these lines (particularly GSSAPIDelegateCredentials, which forwards your Kerberos ticket to the UGCS host so it can obtain AFS tokens on your behalf), you will be unable to get AFS tokens and will not be able to access your home directory. Add these lines to ~/.ssh/config (or /etc/ssh/ssh_config):

Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Use

  • After you get a ticket with kinit, you can log in to UGCS without a password until the ticket expires:
% ssh to
Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
Welcome to UGCS 4.0!

%
  • You can view active tickets with klist. UGCS tickets expire after a year and cannot be renewed.
% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU

Valid Starting     Expires            Service Principal
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17

klist: No Kerberos 4 tickets in credentials cache
  • Although your main Kerberos ticket lasts a long time, AFS tokens do not. You can renew them with
% aklog
  • Active tickets can be destroyed with kdestroy:
% kdestroy
% klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache

Notes

  • Do not add UGCS hosts to your /etc/hosts file. This can interfere with the reverse hostname lookups Kerberos uses to build the host's service principal and break passwordless authentication. If you want to use a shortcut to refer to a machine, add the following lines to ~/.ssh/config instead:
Host shortname
Hostname fullname.ugcs.caltech.edu

kinit automatically when necessary

The following Linux/Unix script checks whether you are attempting to ssh to UGCS; if you are, it then checks whether your tickets are present and up-to-date, and runs kinit if they are not. Drop it into an executable file named "ssh" in your ~/bin/ directory (with ~/bin ahead of /usr/bin in your PATH) to use it instead of /usr/bin/ssh (or whatever) by default.

Also, replace the "3" in the "elif" line with the number of hours your time zone is ahead of Pacific time (e.g., Central time zone users would put 2 here, while Britons would use 8). If you are already in the Pacific time zone, you can remove the whole "- 3600 * 3" segment.

#!/bin/bash
# ssh wrapper: if the target looks like a UGCS host, make sure a current
# UGCS ticket is in the cache (running kinit if not), then run the real ssh.
if echo "$@" | grep -qi 'ugcs\|to'; then
        if ! klist 2>/dev/null | grep -qi ugcs; then
                kinit          # no UGCS ticket in the cache at all
        # otherwise take the "renew until" time of the first ticket, shift it
        # by your offset from Pacific time (3 hours here) and compare with now
        elif renew_until=$(klist | grep "renew until" | head -n 1 | sed -e 's/^[[:space:]]*renew until //')
             [ $(( $(date -d "$renew_until" +%s) - 3600 * 3 )) -lt "$(date +%s)" ]; then
                kinit          # ticket too old: get a fresh one
        fi
fi

exec /usr/bin/ssh "$@"
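As an added example that is not part of the UGCS page or its wrapper script, here is a stricter version of the freshness check the wrapper performs: it parses klist output for the realm's own krbtgt entry and tests the Expires column against a supplied clock reading, so no Pacific-time offset is needed because klist prints local time. The realm name, the constructed klist sample and the use of GNU date -d are assumptions.

```shell
#!/bin/bash
# Added example: decide whether a fresh TGT for a realm is in the cache by
# parsing klist output.  Usage: tgt_valid REALM NOW_EPOCH < klist-output
# Exit status 0 if a krbtgt/REALM@REALM ticket exists whose "Expires" time
# lies after NOW_EPOCH, 1 otherwise.  Assumes GNU date -d and the
# "MM/DD/YY HH:MM:SS" (or MM/DD/YYYY) layout klist prints on UGCS hosts;
# klist shows local time, so no time-zone offset is applied.
tgt_valid() {
    realm=$1
    now=$2
    # Ticket lines have five fields:
    # 10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/REALM@REALM
    # Header, "Default principal" and "renew until" lines fall through.
    while read -r start_d start_t exp_d exp_t principal; do
        case $principal in
            "krbtgt/$realm@$realm") ;;      # the realm's own TGT
            *) continue ;;
        esac
        expires=$(date -d "$exp_d $exp_t" +%s 2>/dev/null) || return 1
        if [ "$expires" -gt "$now" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample of klist output, modelled on the page's example.
SAMPLE_KLIST=$(cat <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU

Valid Starting     Expires            Service Principal
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17
EOF
)

# Stand-alone demonstration against a clock reading before the sample
# ticket expires; a wrapper would use "$(date +%s)" and a live "klist".
if printf '%s\n' "$SAMPLE_KLIST" |
        tgt_valid UGCS.CALTECH.EDU "$(date -d '10/24/07 08:00:00' +%s)"; then
    echo "UGCS TGT is valid; no kinit needed"
else
    echo "UGCS TGT missing or expired; run kinit"
fi
```

In a wrapper, a non-zero exit from tgt_valid is the point at which to run kinit before handing off to /usr/bin/ssh.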
