You are here: Foswiki>TIG Web>FileSystemsAndBackups>CrossCellHowto (revision 16)EditAttach

CSAIL/Athena Cross-realm Authentication

CSAIL and Athena have implemented cross-realm authentication. This means that authenticated CSAIL users can access some Athena services, including the athena.mit.edu AFS cell, and vice versa, using their existing Kerberos credentials. Here's how to make it work for you. (In all of the instructions below, substitute your own login name for YOU.)

Please note that there is no mapping between CSAIL and Athena user identities; when using cross-realm authentication, you are authenticated as a "foreign" user. Not all services are prepared to deal with such users, and some services do not support them as a matter of policy. AFS and SSH, however, do, and those are the services for which it is the most useful.

Using AFS cross-realm (without SSH)

Let's say you want to access your CSAIL AFS files from an Athena workstation. The first time you do it, there will be multiple setup steps required; after that, it's just a single command to run. (The process for accessing Athena AFS storage from CSAIL is the same; only the names are different.)

Setting up

First, log into any Athena machine. From the prompt, type:

athena% aklog -cell csail.mit.edu

If this is your first time issuing that command, it will respond:

 created cross-cell entry for YOU@athena.mit.edu at csail.mit.edu

Now, log into a CSAIL machine, using your CSAIL name and password. At the prompt, type:

$ fs setacl ~ YOU@athena.mit.edu all

This allows your Athena identity full access to your CSAIL home directory. You will also want to change the ACLs on any other private or shared directories. To change all your directories instead of just your home directory, do

$ fsr setacl ~ YOU@athena.mit.edu all

This command will take some time, and will not generate any output if successful.

(If doing this in the opposite direction, giving your CSAIL identity access to Athena files, you'll need to run a similar step on an Athena workstation, running add consult first to gain access to the fsr command. You'll also need to substitute csail for athena in the command above If you own any AFS protection groups, you may add your Athena identity (or someone else's) to those groups as well.

Now you may return to your Athena environment and access your CSAIL files at /afs/csail.mit.edu/.

Subsequent uses

Once your Athena identity is configured in CSAIL AFS, you need only repeat the first step:

athena% aklog -cell csail.mit.edu

The aklog command will not generate any output if it succeeds.

Accessing both Athena and CSAIL AFS from Microsoft Windows

First, follow the instructions above under Setting Up. We assume Kerberos and AFS are set up using their CSAIL defaults.

  1. Click once on the Network Identity Manager icon (cube with shadow of head) in the system tray
  2. If you see any tickets ending in @CSAIL.MIT.EDU, Destroy them. (Credential menu/Destroy.)
  3. Credential/New, then change Realm to ATHENA.MIT.EDU, and log in with your athena username and password
  4. Still within the Network Identity Manager window, right-click your @ATHENA.MIT.EDU ticket and select Set as Default.
  5. Open a command prompt (Start/Run/type "cmd" and press Enter)
  6. Enter the line "aklog -cell athena.mit.edu" (without quotes)
  7. Enter the line "aklog -cell csail.mit.edu"

You should now be logged in. You'll need to perform all of these steps (with the possible exception of 2 and 4) every time you wish to log into AFS on both systems. If desired, you can close the command prompt window and/or right-click the Lock icon in the system tray (AFS) to map drive letters (e.g., U: = CSAIL user directory, T: = Athena user directory).

Using SSH cross-realm

In order to make Kerberized SSH work, a few more steps are required. Again, we'll cover the case of access from Athena to CSAIL. We assume that you've already done the steps above. It is important, in particular, that your Athena identity have read access to your home directory, so that your startup files are accessible.

Setting up

Log in to the target system using your password. Create a file called ~/public/.k5login, containing the following two lines:

YOU@CSAIL.MIT.EDU
YOU@ATHENA.MIT.EDU

Create two symbolic links from your home directory:

$ ln -s public/.k5login ~
$ ln -s public/.k5login ~/.klogin

(On Athena, the ~/public directory is called ~/Public [with a capital "=P="].)

Now log in to the system on which you will be running the ssh program. Create or edit a file called ~/.ssh/config. Add the following two lines:

Host *.csail.mit.edu
GSSAPIDelegateCredentials yes

(You may want to use a specific host name instead of a wildcard; if you do, you will need one such section for every host you ssh in to.)

Using it

Just use ssh as you normally would. So long as your tickets have not expired, you should not be asked for a password. Remember that when you use ssh this way, you are authenticated using your foreign user identity; you will not be able to access resources to which you have not been explicitly granted access.
Edit | Attach | Print version | History: r18 | r17 < r16 < r15 < r14 | Backlinks | View wiki text | Edit WikiText | More topic actions...
Topic revision: 01 Dec 2009, ArthurProkosch
 

MIT Computer Science and Artificial Intelligence Laboratory

 

  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology