CSAIL/Athena Cross-realm Authentication
CSAIL and Athena have implemented cross-realm authentication. This
means that authenticated CSAIL users can access some Athena services,
such as the Athena AFS cell, and vice versa, using their
existing Kerberos credentials. Here's how to make it work for you.
(In all of the instructions below, substitute your own login name for
Please note that there is no mapping between CSAIL and Athena user
identities; when using cross-realm authentication, you are
authenticated as a "foreign" user. Not all services are prepared to
deal with such users, and some services do not support them as a
matter of policy. AFS and SSH, however, do, and those are the
services for which it is the most useful.
Using AFS cross-realm (without SSH)
Let's say you want to access your CSAIL AFS files from an Athena
workstation. The first time you do it, there will be multiple setup
steps required; after that, it's just a single command to run. (The
process for accessing Athena AFS storage from CSAIL is the same; only
the names are different.)
First, log into any Athena machine. From the prompt, type:
athena% aklog -cell csail.mit.edu
If this is your first time issuing that command, it will respond:
created cross-cell entry for YOU@athena.mit.edu at csail.mit.edu
Now, log into a CSAIL machine, using your CSAIL name and password. To grant your Athena account access to your own home directory only,
$ fs setacl ~ YOU@athena.mit.edu all
To do the same for your home directory and all of its subdirectories, type:
$ fsr setacl ~ YOU@athena.mit.edu all
Or to grant yourself access to AFS directories that are restricted by group membership,
you or the group owner would type:
$ pts adduser -user YOU@athena.mit.edu -group GROUP
(If doing this in the opposite direction, giving your CSAIL identity access to Athena files, you'll need to run a similar step on an Athena workstation, running add consult
first to gain access to the
command. You'll also need to substitute
in the commands above.)
Once your Athena identity is configured in CSAIL AFS, you need only
repeat the first step to access CSAIL AFS files from Athena:
athena% aklog -cell csail.mit.edu
Note that if your AFS group memberships have changed, you may need to log out and log back in again before noticing changes.
Accessing both Athena and CSAIL AFS from Microsoft Windows
First, follow the instructions above under Setting Up. We assume Kerberos
are set up using their CSAIL defaults.
1. Click once on the Network Identity Manager icon (cube with shadow of head) in the system tray.
2. If you see any tickets ending in @CSAIL.MIT.EDU, destroy them (Credential menu/Destroy).
3. Credential/New, then change Realm to ATHENA.MIT.EDU, and log in with your Athena username and password.
4. Still within the Network Identity Manager window, right-click your @ATHENA.MIT.EDU ticket and select Set as Default.
5. Open a command prompt (Start/Run/type "cmd" and press Enter).
6. Enter the line "aklog -cell athena.mit.edu" (without quotes).
7. Enter the line "aklog -cell csail.mit.edu".
You should now be logged in. You'll need to perform all of these steps (with the possible exception of 2 and 4) every time you wish to log into AFS on both systems. If desired, you can close the command prompt window and/or right-click the Lock icon in the system tray (AFS) to map drive letters (e.g.
, U: = CSAIL user directory, T: = Athena user directory).
Using SSH cross-realm
In order to make Kerberized SSH work, a few more steps are required.
Again, we'll cover the case of access from Athena to CSAIL. We assume
that you've already done the steps above. It is important, in
particular, that your Athena identity have read access to your home
directory, so that your startup files are accessible.
Log in to the target system using your password. Create a file called
, containing the following two lines:
Create two symbolic links from your home directory:
$ ln -s public/.k5login ~
$ ln -s public/.k5login ~/.klogin
(On Athena, the
directory is called
[with a capital
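Because a line in .k5login grants an entire foreign principal login access to your account, it is worth checking the file before linking it into place. The following POSIX shell check is an added example, not part of this page or of the CSAIL/Athena tooling; it assumes the usual file format (one principal per line) and flags the common mistake of writing the lower-case AFS cell name (athena.mit.edu) where the upper-case Kerberos realm (ATHENA.MIT.EDU) belongs:

```shell
#!/bin/sh
# Sanity-check a .k5login file before linking it into ~ and ~/.klogin.
# Every line must be a full Kerberos principal, user@REALM, with the realm
# in upper case (ATHENA.MIT.EDU): the lower-case AFS cell name used with
# aklog/fs/pts (athena.mit.edu) is not a Kerberos realm and will not match.
# Prints one verdict per problem; returns 0 only if the file is clean.
check_k5login() {
    file=$1
    status=0
    # Whoever can write this file can grant themselves login access, so it
    # must not be group- or world-writable (positions 6 and 9 of ls -l).
    case "$(ls -ld "$file" | cut -c1-10)" in
        ?????w*|????????w*) echo "bad: $file is group/world-writable"; status=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue            # blank lines are harmless
        case "$line" in
            *[!A-Za-z0-9@/._-]*) echo "bad: unexpected characters: $line"; status=1; continue ;;
        esac
        case "$line" in
            *@*) ;;
            *) echo "bad: missing @REALM: $line"; status=1; continue ;;
        esac
        user=${line%@*}
        realm=${line##*@}
        if [ -z "$user" ] || [ -z "$realm" ]; then
            echo "bad: empty user or realm: $line"; status=1; continue
        fi
        case "$realm" in
            *[abcdefghijklmnopqrstuvwxyz]*) echo "bad: realm not upper case: $line"; status=1; continue ;;
        esac
    done < "$file"
    return $status
}

# Constructed sample (hypothetical user "alice"): the first line is correct,
# the second uses the AFS cell name instead of the realm, the third has no realm.
demo_k5login() {
    tmp=$(mktemp) || return 2
    chmod 600 "$tmp"
    printf '%s\n' 'alice@ATHENA.MIT.EDU' 'alice@athena.mit.edu' 'alice' > "$tmp"
    check_k5login "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
if demo_k5login; then echo "k5login clean"; else echo "k5login has problems"; fi
```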
Now log in to the system on which you will be running the ssh program.
Create or edit a file called
. Add the following two
(You may want to use a specific host name instead of a wildcard; if
you do, you will need one such section for every host you ssh in to.)
as you normally would. So long as your tickets have not
expired, you should not be asked for a password. Remember that when
this way, you are authenticated using your foreign
identity; you will not be able to access resources to which you have
not been explicitly granted access.