Linux/Unix
Kerberos enabled login at PDC
In order to access the computers at PDC in a secure way you have to install some variant of Kerberos binaries.
Download
Download the instructions appropriate for your particular operating system:
- Ubuntu, Debian
- Fedora ≥12, RedHat Enterprise Linux (RHEL) ≥6
- SUSE
- Fedora ≤11 or RHEL ≤5 : Upgrade to a newer distribution
- Gentoo: Install app-crypt/heimdal and net-misc/openssh
- CentOS 5 and RHEL 5: Build RPMs using the rpmbuild command from:
ftp://ftp.pdc.kth.se/pub/bambi/yum/centos/5/local/SRPMS/heimdal-1.1-1.src.rpm
- FreeBSD: FreeBSD generally comes with Kerberos pre-installed (in ports).
- Archlinux: Patch for OpenSSH needed (March 2012). Cf: http://www.sxw.org.uk/computing/patches/openssh.html
- Solaris: At NADA/CSC: module add heimdal/latest, otherwise use the ssh shipped with Solaris.
- SGI: Ask PDC
- If you need support for a Unix dialect that is missing, please get in touch with PDC support
- Or, compile the latest Heimdal release yourself from scratch and use OpenSSH with GSSAPI-keyExchange.
Install
Install the necessary files, configure Kerberos and ssh:
- Use your OS's package manager to install Heimdal or MIT Kerberos plus OpenSSH with GSSAPI-keyExchange.
- You don't need a /etc/krb5.conf, but if you have one, you can check that it at least contains the following configuration options.
- You need an SSH program which knows GSSAPI key exchange. OpenSSH can sometimes manage this. Configure SSH according to these instructions.
Using Kerberos tickets
- Get a Kerberos ticket for PDC:
Please note that you will only type your PDC password once - on your own local machine when you type ./kinit to get your Kerberos tickets. From then on you never type your password again - the Kerberos ticket will be used to give you access!
kinit --forwardable YourUsername@NADA.KTH.SE
Write ./kinit even if the programs are not installed in your current directory. You have to adjust your environment PATH to use the right kinit which was installed by the Heimdal package. If you get an error here (a warning message that kinit/kauth is using port 750 is not an error), you have problems contacting our authentication server. There may be several reasons for that. Make sure your domain name service (DNS) is configured correctly.
If you still can't contact our authentication server, there may be a firewall between your machine and ours. In that case read about NAT/firewall configuration.
Kerberos tickets and AFS tokens normally expire after 10 hours. If your job has not finished by then it won't be allowed to write to disk. It is possible to create tickets with longer lifetimes, like this:
kinit -l 12h --forwardable YourUsername@NADA.KTH.SE
to get a 12 hour ticket, and:
kinit -l 10d --forwardable YourUsername@NADA.KTH.SE
to get a 10 day ticket. If the lifetime of the ticket is given as 1y then the ticket will get the maximum lifetime allowed (around one month).
- Have a look at your local Kerberos tickets:
klist -Tf
or, if you have MIT Kerberos installed:
klist -f
You should at least have an output looking like this:
Credentials cache: FILE:/tmp/krb5cc_5208_uWn93p
        Principal: YourUsername@NADA.KTH.SE

  Issued           Expires        Flags    Principal
Apr 11 10:29:09  Apr 11 20:29:09  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE
Especially check that the flag F shows up! That indicates that you have a Kerberos ticket which is forwardable and can be taken with you (be forwarded) to machines other than the local computer where it was created.
- Use your Kerberos ticket and SSH to connect to PDC:
ssh YourUsername@ferlin.pdc.kth.se
where YourUsername is your username at PDC and ferlin.pdc.kth.se is an example of a resource at PDC that you want to access. If you have problems here, take a look at your SSH configuration.
You may want to add X11 display forwarding (-Y command line option) if you trust PDC enough for that:
ssh -Y YourUsername@ferlin.pdc.kth.se
- Once you have logged in to (for instance) ferlin.pdc.kth.se you should again check that you have both Kerberos tickets and AFS tokens to be able to start parallel programs and access your files. Execute on the computer you logged in to:
module add heimdal
klist -fT
or
module add heimdal
klist -f
- When you log out from a PDC resource it is good practice to destroy your Kerberos ticket on that resource. Doing this does not destroy Kerberos tickets forwarded in a job you submitted or your local Kerberos ticket. Destroy your Kerberos ticket using:
kdestroy
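The flag check described above (locally after kinit, and again after logging in to a PDC resource) can be scripted. The following is an added example, not part of PDC's instructions: the function names are hypothetical, the Heimdal sample is the output shown on this page, and the MIT and non-forwardable samples are constructed.

```shell
#!/bin/sh
# Added example (not PDC's code): check the F flag in `klist -f` output.

# Print the flag letters of the krbtgt/... ticket read from stdin
# (prints nothing if the cache holds no TGT).
tgt_flags() {
    awk '
        /krbtgt\// {
            prev = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^krbtgt\//) { prev = $(i - 1); break }
            # Heimdal layout: flags are the column before the principal.
            if (prev ~ /^[A-Za-z]+$/) { print prev; exit }
            pending = 1   # MIT layout: flags follow on a "Flags:" line
            next
        }
        pending && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
    '
}

# Succeed only if the TGT is forwardable: capital F.
# Lowercase f means "forwarded", which is not the same thing.
tgt_is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Heimdal sample is the output shown on this page; the others are constructed.
HEIMDAL_SAMPLE='Credentials cache: FILE:/tmp/krb5cc_5208_uWn93p
        Principal: YourUsername@NADA.KTH.SE
  Issued           Expires        Flags    Principal
Apr 11 10:29:09  Apr 11 20:29:09  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE'
MIT_SAMPLE='Default principal: YourUsername@NADA.KTH.SE
Valid starting     Expires            Service principal
04/11/12 10:29:09  04/11/12 20:29:09  krbtgt/NADA.KTH.SE@NADA.KTH.SE
        Flags: FIA'
NOFWD_SAMPLE='Apr 11 10:29:09  Apr 11 20:29:09  fA     krbtgt/NADA.KTH.SE@NADA.KTH.SE'

for sample in "$HEIMDAL_SAMPLE" "$MIT_SAMPLE" "$NOFWD_SAMPLE"; do
    if printf '%s\n' "$sample" | tgt_is_forwardable; then
        echo "TGT is forwardable"
    else
        echo "TGT is NOT forwardable: run kinit --forwardable again"
    fi
done
# Live use: klist -f | tgt_is_forwardable
```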
How to transfer files
To transfer files to and from PDC there are several methods available. We recommend using an AFS client or scp.


