Website:Kerberized SSH
From UGCS
Revision as of 01:47, 24 August 2008 by Jdhutchin@ugcs.caltech.edu (Talk | contribs)
GSSAPI "passwordless" auth HOW-TO
This how-to details the necessary steps for "passwordless" GSSAPI authentication on the UGCS cluster.
Software Installation
- Ensure that kerberos is installed on your system:
  - Linux: The relevant packages generally contain krb5 in their name, e.g. krb5-user, mit-krb5, or krb5-workstation.
  - OS X: Version 10.4 comes with kerberos installed. There is even a kerberos gui front-end at /System/Library/CoreServices/Kerberos.app.
Kerberos Configuration
- Create a kerberos configuration file:
  - Linux: /etc/krb5.conf
  - OS X: /Library/Preferences/edu.mit.Kerberos
- Add the following to the configuration file and save it:
- If you do not have other Kerberos settings that you want to keep, you can replace the entire configuration file with http://www.ugcs.caltech.edu/kerberos/krb5.conf
    [domain_realm]
        .ugcs.caltech.edu = UGCS.CALTECH.EDU
        ugcs.caltech.edu = UGCS.CALTECH.EDU

    [libdefaults]
        default_realm = UGCS.CALTECH.EDU
        dns_fallback = yes
        forwardable = true
        proxiable = true

    [realms]
        UGCS.CALTECH.EDU = {
            admin_server = krb-head.ugcs.caltech.edu:749
            kdc = krb-head.ugcs.caltech.edu:88
            kdc = krb-backup.ugcs.caltech.edu:88
        }

    [v4 domain_realm]
        .ugcs.caltech.edu = UGCS.CALTECH.EDU
        ugcs.caltech.edu = UGCS.CALTECH.EDU
- Run kinit to fetch a kerberos ticket. You will be prompted for your UGCS password:

    % kinit
    Please enter the password for user@UGCS.CALTECH.EDU:
    %
SSH Configuration
- You need to make sure that the appropriate options are set so that ssh will use GSSAPI correctly. Add these lines to ~/.ssh/config:

    Host *
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPITrustDns yes

  Note that GSSAPIDelegateCredentials forwards your ticket to every host the Host block matches, so you may want to narrow the block to Host *.ugcs.caltech.edu. GSSAPITrustDns is only understood by OpenSSH builds that carry the Debian GSSAPI patches; other builds reject it as an unknown configuration option.
Use
- You can now log in to UGCS without a password until the ticket expires:

    % ssh to
    Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
    Welcome to UGCS 4.0!
    %
- You can view active tickets with klist. UGCS tickets expire after ten hours unless renewed and can be renewed up to a week:

    % klist
    Kerberos 5 ticket cache: 'API:Initial default ccache'
    Default principal: user@UGCS.CALTECH.EDU
    Valid Starting     Expires            Service Principal
    10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17
    klist: No Kerberos 4 tickets in credentials cache
- Tickets can be renewed by running kinit -R:

    % kinit -R
    %
- Active tickets can be destroyed with kdestroy:

    % kdestroy
    % klist
    klist: No Kerberos 5 tickets in credentials cache
    klist: No Kerberos 4 tickets in credentials cache
kinit automatically when necessary
The following Linux/Unix script will check if you're attempting to ssh to UGCS; if you are, it will then check if your tickets are present and up-to-date, and kinit if they are not. Drop this into a file named "ssh" in your ~/bin/ directory to use it instead of /usr/bin/ssh (or whatever) by default.
Also, make sure to replace the "3" in the "elif" line with the number of hours you are ahead of Pacific time (e.g., Central time zone users would place a 2 here, while Britons would use an 8). If you are already in the Pacific time zone, you can remove the whole "- 3600 \* 3" segment.
    #!/bin/bash
    # Wrapper for ssh: if the destination looks like a UGCS host, make sure a
    # usable UGCS ticket is in the cache (running kinit if not), then hand the
    # original arguments to the real ssh.
    if echo "$@" | grep -ie '.*ugcs\|to.*' >/dev/null; then
        if [ "$(klist 2>/dev/null | grep -i ugcs | wc -l)" -eq 0 ]; then
            # No UGCS tickets at all: get one.
            kinit
        elif expr "$(date -d "$(klist | grep 'renew until' | head -n 1 | sed -e 's/\trenew until //')" +%s)" - 3600 \* 3 \< "$(date +%s)" >/dev/null; then
            # The renew deadline (adjusted by the time-zone offset described above)
            # has passed: get a fresh ticket.
            kinit
        fi
    fi
    /usr/bin/ssh "$@"
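The script above distinguishes only two situations: no UGCS ticket at all, or a ticket past its renew deadline. The ticket rules from the Use section (ten-hour lifetime, renewable for up to a week with kinit -R) actually give three cases, and one of them is easy to get wrong: an expired ticket cannot be renewed with kinit -R, it has to be re-obtained with kinit. The function below is an added example, not part of the original page or of UGCS's own tooling. It parses klist output in the format shown above and reports whether the ticket is fine ("ok"), should be renewed now because it is close to expiry but still inside its renewable lifetime ("renew"), or must be fetched again ("kinit"). The sample listing is constructed, not captured from a real session; the one-hour renewal window, the optional fixed "now" argument used for offline testing, and the assumption that klist's two-digit years mean 20YY are choices made here, not anything the page specifies.

```shell
#!/bin/bash
# Classify the Kerberos TGT described by a klist(1) listing.
# Prints: ok     - ticket valid and not close to expiry
#         renew  - ticket valid but expires within RENEW_WINDOW and the
#                  renew deadline has not passed: run "kinit -R"
#         kinit  - no TGT, or already expired (cannot be renewed): run "kinit"

# Renew proactively when less than this many seconds of life remain (assumption).
RENEW_WINDOW=3600

# $1: "MM/DD/YY HH:MM:SS" as klist prints it -> epoch seconds.
# Rewritten to "YYYY-MM-DD HH:MM:SS" so date -d parses it unambiguously;
# two-digit years are assumed to be 20YY.
klist_to_epoch() {
    local stamp="$1"
    local mdy="${stamp%% *}" hms="${stamp#* }"
    local m="${mdy%%/*}" rest="${mdy#*/}"
    local d="${rest%%/*}" y="${rest#*/}"
    date -d "20${y}-${m}-${d} ${hms}" +%s
}

# $1: klist output; $2 (optional): "now" in klist's own format, same time
#     zone as the listing. Defaults to the current time.
ticket_state() {
    local listing="$1" now_epoch
    if [ -n "${2-}" ]; then
        now_epoch=$(klist_to_epoch "$2")
    else
        now_epoch=$(date +%s)
    fi

    # The TGT line looks like: "<start> <expires> krbtgt/REALM@REALM"
    local tgt_line
    tgt_line=$(printf '%s\n' "$listing" | grep 'krbtgt/UGCS.CALTECH.EDU@' | head -n 1)
    if [ -z "$tgt_line" ]; then
        echo kinit
        return 0
    fi

    local expires exp_epoch renew_until
    expires=$(printf '%s\n' "$tgt_line" | awk '{print $3, $4}')
    exp_epoch=$(klist_to_epoch "$expires")
    renew_until=$(printf '%s\n' "$listing" | grep 'renew until' | head -n 1 \
                  | sed -e 's/.*renew until //' -e 's/[[:space:]]*$//')

    if [ "$now_epoch" -ge "$exp_epoch" ]; then
        echo kinit      # expired: kinit -R would fail, a new ticket is needed
    elif [ $((exp_epoch - now_epoch)) -lt "$RENEW_WINDOW" ] \
         && [ -n "$renew_until" ] \
         && [ "$now_epoch" -lt "$(klist_to_epoch "$renew_until")" ]; then
        echo renew      # about to expire, still renewable
    else
        echo ok
    fi
}

# Constructed sample klist output (not captured from a real session).
SAMPLE_KLIST=$(cat <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting     Expires            Service Principal
12/03/07 23:13:17  12/04/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 12/10/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache
EOF
)

# Pretend it is 08:30 on 12/04/07: 43 minutes of life left, renewable until 12/10.
ticket_state "$SAMPLE_KLIST" "12/04/07 08:30:00"   # -> renew
```

In a wrapper like the one above you would call ticket_state on the live output of klist with no second argument and run kinit -R or kinit according to the result; the fixed "now" argument exists so the decision logic can be exercised against stored listings without touching a real credential cache.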