How to configure Kerberos and SSH

This section describes how to configure Kerberos and SSH for logging in to PDC.

Configure Kerberos

Next you need to configure Kerberos so that your client can find the KDCs (authentication servers) of the PDC realm, NADA.KTH.SE.

On Linux and macOS the Kerberos configuration file is /etc/krb5.conf, which you edit as root. If you cannot become root on your machine, create the file somewhere in your home directory instead, for example as ~/pdckrb/krb5.conf, and point the Kerberos libraries at it by setting KRB5_CONFIG:

# For bash
export KRB5_CONFIG=~/pdckrb/krb5.conf
# For tcsh
setenv KRB5_CONFIG  ~/pdckrb/krb5.conf

On Windows the Kerberos configuration file is instead located at

C:\ProgramData\krb5.conf

or

C:\ProgramData\Kerberos\krb5.conf

krb5.conf should contain the following entries. With dns_lookup_kdc = true the KDC addresses are taken from DNS, so no [realms] section is needed here; the firewall section below shows how to list the KDCs explicitly when DNS lookup alone is not enough.

[domain_realm]
  .pdc.kth.se = NADA.KTH.SE

[appdefaults]
  forwardable = yes
  forward = yes
  krb4_get_tickets = no

[libdefaults]
  default_realm = NADA.KTH.SE
  dns_lookup_realm = true
  dns_lookup_kdc = true

Acquire kerberos tickets

To get a Kerberos ticket, first start a command shell. On Windows, search for cmd.

To acquire tickets…

kinit -f <PDC username>@NADA.KTH.SE

You will be asked for your PDC password, after which you have your ticket. The -f flag requests a forwardable ticket, which is what ssh later delegates to the cluster.

On Windows it is important that you run the correct version of the software, since Windows ships Kerberos tools of its own with the same names. Execute…

where kinit
c:\windows\system32\kinit.exe
c:\program files\heimdal\bin\kinit.exe

…to list the executables found on your PATH; the first one listed is the one that runs when you type kinit. The Heimdal version is the one under Program Files (or wherever you installed it), so to run it you have to enter its complete path, for example

"c:\program files\heimdal\bin\kinit.exe" -f <PDC username>@NADA.KTH.SE

You can see what active tickets you have using

klist -f

For this command too it is important that the Heimdal klist is the one that runs, so give its full path if necessary (see the instructions above); the klist.exe in system32 is Windows' own tool and does not show Heimdal's credential cache.

where klist
c:\windows\system32\klist.exe
c:\program files\heimdal\bin\klist.exe

More information about kerberos can be found at http://web.mit.edu/kerberos/krb5-current/doc/user/index.html

SSH

This section describes how to configure SSH. The procedure works only on Linux and Mac; for Windows, please read Setting up PuTTY.

SSH without configuration

If you have no SSH configuration file, supply these options directly on the ssh command line. Note that GSSAPIKeyExchange is not part of upstream OpenSSH; it comes from the GSSAPI key exchange patch that most Linux distributions ship. If your ssh reports "Bad configuration option: gssapikeyexchange", leave that option out and rely on gssapi-with-mic authentication.

ssh -o GSSAPIDelegateCredentials=yes -o GSSAPIKeyExchange=yes \
    -o GSSAPIAuthentication=yes <username>@<cluster>.pdc.kth.se

SSH with configuration

OpenSSH can take these options either on the command line or from a configuration file, which simplifies the login procedure. The file is read from top to bottom and ssh keeps the first value it obtains for each option, so the more specific Host blocks must come before the general ones. Keep GSSAPIDelegateCredentials limited to hosts you trust: delegation hands the server a forwardable copy of your ticket, which it can use to act as you. Create or modify the file ~/.ssh/config:

# Hosts we want to authenticate to with Kerberos
Host *.kth.se *.kth.se.
    # User authentication based on GSSAPI is allowed
    GSSAPIAuthentication yes
    # Key exchange based on GSSAPI may be used for server authentication
    GSSAPIKeyExchange yes

# Hosts to which we want to delegate credentials. Try to limit this to
# hosts you trust and where you really have use for forwarded tickets.
Host *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
    # Forward (delegate) credentials (tickets) to the server
    GSSAPIDelegateCredentials yes
    # Try the GSSAPI methods first
    PreferredAuthentications gssapi-keyex,gssapi-with-mic

# All other hosts: nothing GSSAPI-related is set here, so ssh's defaults (off) apply
Host *

If you use a downloaded copy of this file rather than typing it in, make sure it is saved as ~/.ssh/config; rename it if it is not.

Remember to set the right permissions on the file. ssh refuses to read a configuration file that is writable by anyone but its owner ("Bad owner or permissions"); 600 works as well as 644.

chmod 644 ~/.ssh/config

After this you can login by using

ssh <username>@<cluster>.pdc.kth.se
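To see why the order of the Host blocks matters, here is an added example that is not code from the PDC instructions: a small POSIX sh emulation of how OpenSSH resolves one option for a given host name. It works on a constructed copy of the configuration above, extended with an explicit "Host *" block that sets GSSAPIDelegateCredentials no (my addition, not in the page's file), and on a second, misordered copy in which a catch-all block comes first. The function names host_matches and resolve_option and the two configuration constants are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PDC instructions: emulate how OpenSSH picks the
# value of one option from ~/.ssh/config for a given host name. ssh keeps the
# FIRST value it obtains for an option while reading top to bottom, so the narrow
# Host blocks (the ones allowed to receive delegated tickets) must precede "Host *".
# Simplifications: only "Keyword value" lines and positive glob patterns are
# handled (no "Keyword=value", no "!pattern", no Match blocks, no Include).
set -f   # treat "*" in patterns as ssh wildcards, never as file-name globs

# Constructed sample: the page's ~/.ssh/config, plus an explicit "Host *"
# block (my addition) that turns delegation off everywhere else.
SAMPLE_CONFIG='# Hosts we want to authenticate to with Kerberos
Host *.kth.se *.kth.se.
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
# Hosts to which we want to delegate credentials
Host *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-keyex,gssapi-with-mic
# All other hosts
Host *
    GSSAPIDelegateCredentials no
'

# The same blocks with a catch-all put FIRST. Because the first value wins,
# every host, trusted or not, now receives a forwardable copy of your TGT.
MISORDERED_CONFIG="Host *
    GSSAPIDelegateCredentials yes
$SAMPLE_CONFIG"

# host_matches "PATTERN ..." HOSTNAME -> succeeds if any glob pattern matches
host_matches() {
    for _pat in $1; do
        case $2 in
            $_pat) return 0 ;;
        esac
    done
    return 1
}

# resolve_option KEYWORD HOSTNAME [CONFIG] -> prints the effective value, or
# nothing if no applicable block sets it (ssh would then use its default).
resolve_option() {
    _want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _host=$2
    _cfg=${3:-$SAMPLE_CONFIG}
    _active=1      # options before the first Host line apply to every host
    _found=
    while IFS= read -r _line; do
        [ -z "$_found" ] || continue          # already have the first value
        set -- $_line                         # word-split the line
        [ $# -gt 0 ] || continue              # blank line
        case $1 in '#'*) continue ;; esac     # comment
        _key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$_key" = host ]; then
            if host_matches "$*" "$_host"; then _active=1; else _active=0; fi
        elif [ "$_active" -eq 1 ] && [ "$_key" = "$_want" ]; then
            printf '%s\n' "$*"                # first obtained value wins
            _found=1
        fi
    done <<EOF
$_cfg
EOF
}

# Demo: which hosts would receive your forwarded tickets?
for _h in beskow.pdc.kth.se www.kth.se example.com; do
    _v=$(resolve_option GSSAPIDelegateCredentials "$_h")
    printf '%-20s GSSAPIDelegateCredentials=%s\n' "$_h" "${_v:-<unset>}"
done
_v=$(resolve_option GSSAPIDelegateCredentials example.com "$MISORDERED_CONFIG")
printf 'misordered config: example.com GSSAPIDelegateCredentials=%s\n' "$_v"
```

Running it shows that beskow.pdc.kth.se gets delegation while www.kth.se does not, and that moving a "Host *" block with GSSAPIDelegateCredentials yes to the top hands forwardable tickets to every host. On your own machine the authoritative check is ssh -G <host> | grep -i gssapi, which prints the option values ssh would actually use for that host.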

Firewalls and kerberos

When a firewall is installed between your workstation and the computers at PDC, the special configurations described below may be necessary to use Kerberos.

  1. Ports used by Kerberos. Contact your system administrators and make sure that a firewall really is the problem. In its standard configuration Kerberos uses the following ports:

     Port name                 Port number   Port type   Comment
     kerberos                  88            UDP         Default configuration
     kerberos                  88            TCP         Alternative configuration for use with firewalls (see below)
     http (used by Kerberos)   80            TCP         Alternative configuration for use with firewalls (see below)
     ssh                       22            TCP         Usually already open
     ftp-data                  20            TCP
     ftp                       21            TCP
     kpasswd                   464           UDP         Only for password change

    If possible, open UDP port 88 for bidirectional communication. This is the default (and preferred) mode of operation. Otherwise continue with the next step. After that, try to contact our authentication server with kinit as described before.

  2. If there is no contact through UDP port 88, open TCP port 88 for outgoing traffic instead (if possible), and try kinit again. If it still does not work, continue with the next step.

  3. The next thing to try is to get Kerberos to communicate via http over TCP port 80. This port is often open, since it is needed for surfing the web.

    1. In the krb5.conf you created above, add a [realms] section that lists the KDCs explicitly, including http/ entries. The http/ form is Heimdal syntax that wraps the Kerberos exchange in HTTP over TCP port 80; the plain entries are kept so that port 88 is still tried where it works:

            [realms]
              NADA.KTH.SE = {
                kdc = kerberos.nada.kth.se
                kdc = http/kerberos.nada.kth.se
                kdc = kerberos-1.nada.kth.se
                kdc = http/kerberos-1.nada.kth.se
                kdc = kerberos-2.nada.kth.se
                kdc = http/kerberos-2.nada.kth.se
                admin_server = kerberos.nada.kth.se
              }


      If kinit <username>@NADA.KTH.SE succeeds but ssh <username>@hostname does not, have a look at your credential cache with klist. If it contains no row of the form host/<something>@NADA.KTH.SE, you need to fetch the host service ticket manually. The following does that for a host named hostname: it resolves hostname to its addresses, reverse-resolves each address to the canonical name of the machine that actually answers (for a cluster, a specific login node rather than the round-robin alias), and asks the KDC for a ticket for that host principal:

      # forward lookup -> addresses; reverse lookup -> canonical name (trailing dot removed) -> host principal
      for addr in $(host hostname | awk '$3 == "address" {print $4}'); do
          kgetcred "host/$(host "$addr" | awk '{sub(".$",""); print $NF}')@NADA.KTH.SE"
      done
      

      If hostname is beskow.pdc.kth.se, the output from klist should afterwards contain a line like

      Apr 14 16:33:11 2015  Apr 16 10:26:05 2015  host/beskow-login2.pdc.kth.se@NADA.KTH.SE
      
    2. On some systems all HTTP communication (i.e. web traffic) must go through a proxy. If that is the case, you can probably find its address in the settings of your web browser. If not, ask your system administrator.

      To instruct kerberos to go through the proxy, add the following line to the [libdefaults] section of krb5.conf:

      http_proxy = http://address.of.proxy:port
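The three firewall steps above amount to choosing which transport and port your krb5.conf asks the client library to use. As an added example that is not part of the PDC instructions, the following POSIX sh script reads a krb5.conf and prints the firewall openings its kdc = entries imply, based on Heimdal's [udp/|tcp/|http/]host[:port] syntax. The sample configuration is a constructed copy of the [realms] block from step 3 with two extra entries (an explicit tcp/ prefix and a non-standard port) added to exercise the parser; the function names and the nc-based probe are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PDC instructions: derive from a krb5.conf the
# firewall openings its "kdc =" entries need. Heimdal accepts KDC entries of the
# form [udp/|tcp/|http/]host[:port]. No prefix means UDP 88 first with a TCP 88
# fallback (the table's "default configuration"); "http/" means Kerberos wrapped
# in HTTP on TCP 80 (step 3); an explicit ":port" overrides the default port.
# Simplification: every "kdc =" line is reported, whichever realm block it is in.
set -f   # no file-name globbing while config lines are word-split

# Constructed sample: the [realms] block from step 3, with two extra entries
# (an explicit tcp/ prefix and a non-standard port) added to exercise the parser.
SAMPLE_KRB5CONF='[libdefaults]
  default_realm = NADA.KTH.SE
[realms]
  NADA.KTH.SE = {
    kdc = kerberos.nada.kth.se
    kdc = http/kerberos.nada.kth.se
    kdc = tcp/kerberos-1.nada.kth.se       # TCP only, for when UDP is blocked
    kdc = kerberos-2.nada.kth.se:1088      # non-standard port
    admin_server = kerberos.nada.kth.se
  }
'

# kdc_endpoints: krb5.conf on stdin -> one "TRANSPORT PORT HOST" line per kdc entry
kdc_endpoints() {
    while IFS= read -r _line; do
        _line=${_line%%#*}                         # strip trailing comments
        case $_line in *=*) ;; *) continue ;; esac # only "key = value" lines
        set -- ${_line%%=*}; _key=$1               # word-splitting trims blanks
        set -- ${_line#*=};  _spec=$1
        [ "$_key" = kdc ] && [ -n "$_spec" ] || continue
        case $_spec in
            udp/*)  _tr=udp;  _spec=${_spec#udp/}  ;;
            tcp/*)  _tr=tcp;  _spec=${_spec#tcp/}  ;;
            http/*) _tr=http; _spec=${_spec#http/} ;;
            *)      _tr=any ;;                     # library decides: UDP, then TCP
        esac
        _host=${_spec%%:*}
        case $_spec in
            *:*) _port=${_spec#*:} ;;
            *)   if [ "$_tr" = http ]; then _port=80; else _port=88; fi ;;
        esac
        if [ "$_tr" = any ]; then
            printf 'udp %s %s\n' "$_port" "$_host"  # tried first
            printf 'tcp %s %s\n' "$_port" "$_host"  # fallback (large replies, UDP blocked)
        else
            printf '%s %s %s\n' "$_tr" "$_port" "$_host"
        fi
    done
}

# firewall_summary: kdc_endpoints output on stdin -> distinct "TRANSPORT PORT" pairs,
# i.e. the rules to ask the firewall administrator for ("http" is plain TCP).
firewall_summary() {
    awk '{ print $1, $2 }' | sort -u
}

# probe_tcp HOST PORT -> succeeds if a TCP connection can be opened (needs nc).
# UDP 88 cannot be probed this way, because a KDC only answers well-formed
# requests; for UDP the test is kinit itself, exactly as the steps above say.
probe_tcp() {
    command -v nc >/dev/null 2>&1 || { echo 'nc not installed' >&2; return 2; }
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

printf '%s\n' "$SAMPLE_KRB5CONF" | kdc_endpoints
echo '--- firewall rules needed ---'
printf '%s\n' "$SAMPLE_KRB5CONF" | kdc_endpoints | firewall_summary
```

For the sample configuration the summary lists udp 88, tcp 88, http 80, udp 1088 and tcp 1088, which is exactly the set of rules step 1 tells you to discuss with your firewall administrator; run probe_tcp kerberos.nada.kth.se 80 (or 88) to check a TCP path before changing krb5.conf, and use kinit for the UDP case.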