Ssh using kerberos

From CARMA
Revision as of 09:15, 12 July 2007 by Teuben (Talk | contribs)


In the (simple) old-style ssh setup you would pass around your public key (from ~/.ssh: id_rsa.pub or id_dsa.pub, as generated by the ssh-keygen program; the private key stays on your client) and append it on the remote machine to the file ~/.ssh/authorized_keys. After this ssh would let you log on to that machine without typing your password.


System setup

Since GLUE uses Kerberos, old-style key-based ssh access no longer works (you can of course keep typing your LDAP password; that still works). Your client machine has to be told about the GLUE Kerberos realm. On Linux machines you modify two files:

/etc/krb5.conf

   [libdefaults]
       default_realm = UMD.EDU
       dns_lookup_kdc = true
       dns_lookup_realm = true

If this file does not exist, you may have to install a package. On Fedora it is called krb5-libs (the kinit and klist commands come with krb5-workstation), on Mandrake it is called libkrb53 or something like it. On Ubuntu ....(TODO) The two dns_lookup lines make the client locate the KDC through DNS SRV records for UMD.EDU; if that lookup does not work you have to list the KDC explicitly in a [realms] section.

/etc/ssh/ssh_config

   GSSAPIAuthentication          yes
   GSSAPIDelegateCredentials     yes

If this file does not exist.... well, you probably did not install ssh, or the config files live in an odd place; maybe the locate command will help you find them. Note that this is the client configuration (ssh_config, not the server's sshd_config), and the same two lines can go into your per-user ~/.ssh/config instead. GSSAPIDelegateCredentials forwards a copy of your ticket to every machine you ssh into, so that machine (and its root) can act as you for as long as the ticket lives; put it under a Host stanza that matches only GLUE machines rather than enabling it for all hosts.
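As an added example (not from this page and not GLUE's own code), here is a small POSIX shell script that writes the same two settings into the per-user ~/.ssh/config, but with delegation restricted to a Host stanza, and that lints an existing client config for delegation that applies to all hosts. The *.umd.edu host pattern and the ~/.ssh/config path are assumptions; adjust them to your site.

```shell
#!/bin/sh
# Added example, not part of the CARMA page: put the GSSAPI settings into the
# per-user ~/.ssh/config and forward your ticket only to GLUE hosts.
# Assumed host pattern: *.umd.edu (everto.astro.umd.edu from the page matches).

# Recommended stanza.  ssh uses the first value it finds for a keyword, so the
# GLUE block has to come before the catch-all "Host *" that turns delegation off.
gssapi_stanza() {
    cat <<'EOF'
# Kerberos single sign-on for GLUE; delegate the ticket to GLUE hosts only
Host *.umd.edu
    GSSAPIAuthentication      yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication      yes
    GSSAPIDelegateCredentials no
EOF
}

# Lint: exit 0 when the given client config turns GSSAPIDelegateCredentials on
# outside any Host/Match block or under a bare "Host *" (i.e. your TGT would be
# forwarded to every machine you ssh into), exit 1 otherwise.
delegation_is_global() {
    awk '
        BEGIN { scope = "global"; found = 0 }
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        {
            kw = tolower($1)
            if (kw == "host" || kw == "match") {    # start of a new block
                if (NF == 2 && $2 == "*") scope = "star"; else scope = "specific"
                next
            }
            if (kw == "gssapidelegatecredentials" && tolower($2) == "yes" &&
                (scope == "global" || scope == "star"))
                found = 1
        }
        END { if (found) exit 0; else exit 1 }
    ' "$1"
}

# Prepend the stanza to a config file (default ~/.ssh/config) unless that file
# already has its own GSSAPIDelegateCredentials setting.
install_stanza() {
    cfg=${1:-$HOME/.ssh/config}
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ -f "$cfg" ] && grep -qi gssapidelegatecredentials "$cfg"; then
        echo "$cfg already sets GSSAPIDelegateCredentials; not touching it" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    { gssapi_stanza; if [ -f "$cfg" ]; then cat "$cfg"; fi; } > "$tmp"
    mv "$tmp" "$cfg" && chmod 600 "$cfg"
}

case "${1:-}" in
    install) install_stanza "${2:-}" ;;
    lint)    if delegation_is_global "${2:?config file}"; then
                 echo "WARNING: ticket delegation is enabled for all hosts"
             else
                 echo "ok: ticket delegation is scoped"
             fi ;;
    *)       gssapi_stanza ;;            # no argument: just print the stanza
esac
```

Run it as `sh gssapi-config.sh lint /etc/ssh/ssh_config` to see whether the system-wide file from above forwards tickets everywhere, and `sh gssapi-config.sh install` to add the scoped stanza to your own ~/.ssh/config. After installing, `ssh -G everto.astro.umd.edu | grep -i gssapi` shows the values ssh will actually use for that host.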


User setup

After this the kinit command is used to get your ticket, and whenever you log on to a GLUE machine it will let you in. There is one minor hiccup: if you write shell scripts that do automated ssh logins, run the command once by hand first, because for a new machine you still get the usual host-key question and the key has to be added to your ~/.ssh/known_hosts file.

Actually, there is another nuisance for classic ssh users: a ticket obtained with kinit is only good for 24 hours (klist shows when it expires). You can ask for a longer renewable lifetime, e.g. 7 days, using

   kinit -r 7d teuben

(like in ssh, you don't need your username if it is the same on client and server). Note the lower-case -r: it sets how long the ticket may be renewed, not how long it lives. The ticket itself still expires after 24 hours and has to be renewed before then with kinit -R, which extends it without asking for the password; once the 7 days are used up you need a fresh kinit.

On GLUE machines there is a neat script called renew that is supposed to help with ticket renewals and getting past the one-day deadline. Once we figure out how it really works, it will be recorded here. The script is heavily dependent on GLUE and isn't easily ported to non-GLUE machines, so laptop users will have to renew using ssh, e.g.

   ssh everto.astro.umd.edu renew -R

but you have to do this at least once every 24 hours, before the current ticket expires. A command run over ssh can only affect the ticket cache on everto (the copy forwarded there by GSSAPIDelegateCredentials); the laptop's own ticket is renewed with a local kinit -R.

Another nuisance is staying logged on. If your ticket runs out, that shell no longer has write permission to your glue space (your 100MB home directory!!). There is something about running xlock, but this can be a major nuisance for those who like persistent windows.

Some of the persistence problems can be elegantly solved using keytabs, Kevin tells me. More about that later.
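As an added example for the renewal and persistence problems above (it is not the GLUE renew script and not code from this page), here is a small POSIX shell script for a laptop: it requests a renewable ticket, renews it without a password while it is still valid, and can loop in the background so the ticket never lapses within its renewable lifetime. It assumes MIT Kerberos kinit/klist, the principal teuben from this page, and that the KDC actually grants a 7-day renewable lifetime. The keytab variant and its path ~/.krb5.keytab are assumptions as well: a keytab holds your long-term key and is equivalent to your password, so it must be readable by you alone (mode 0600) and kept on a disk you trust.

```shell
#!/bin/sh
# Added example, not the GLUE "renew" script: keep a Kerberos ticket alive on a
# laptop by renewing it from cron or a background loop before the 24-hour
# lifetime runs out.  Assumes MIT Kerberos (kinit/klist), the principal
# "teuben" from the page, and a 7-day renewable lifetime granted by the KDC.
# KINIT/KLIST can be pointed at other binaries (or shell functions) for testing.

KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}
PRINCIPAL=${PRINCIPAL:-teuben}

# Ask for a ticket that can be renewed for up to 7 days.  Lower-case -r sets the
# renewable lifetime; the ticket itself still expires after the realm's default
# lifetime (24 h on GLUE) and must be renewed before then.
get_ticket() {
    "$KINIT" -r 7d "$PRINCIPAL"
}

# Renew the current ticket without a password.  "klist -s" is silent and exits
# non-zero when the cache holds no valid ticket; an expired ticket cannot be
# renewed, so in that case report failure and let the caller run get_ticket.
renew_ticket() {
    if "$KLIST" -s; then
        "$KINIT" -R
    else
        echo "no valid ticket in cache; run: kinit -r 7d $PRINCIPAL" >&2
        return 1
    fi
}

# Unattended alternative (assumption: a keytab at ~/.krb5.keytab).  The keytab
# is equivalent to your password, so keep it mode 0600 on a trusted disk.
get_ticket_from_keytab() {
    kt=${1:-$HOME/.krb5.keytab}
    "$KINIT" -k -t "$kt" "$PRINCIPAL"
}

# Renew every INTERVAL seconds (default 6 h) until renewal fails, i.e. when the
# ticket has expired or the 7-day renewable lifetime is used up.
renew_loop() {
    interval=${1:-21600}
    while renew_ticket; do
        sleep "$interval"
    done
    echo "renewal stopped; a fresh kinit is needed" >&2
    return 1
}

case "${1:-}" in
    init)   get_ticket ;;
    renew)  renew_ticket ;;
    loop)   renew_loop "${2:-}" ;;
    keytab) get_ticket_from_keytab "${2:-}" ;;
    *)      echo "usage: $0 init | renew | loop [seconds] | keytab [file]" >&2 ;;
esac
```

Typical use on a laptop: `sh krb-renew.sh init` once a week, then `sh krb-renew.sh loop &` in the background (or `sh krb-renew.sh renew` from cron every few hours). Renewal only helps while the ticket is valid, so the interval has to be well under the 24-hour lifetime; when the loop stops, run init again.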

Links

Just a few links on ssh/kerberos that may still be there when you reach them:

 * Kerberos and SSH