First, note that none of this is necessary on TIG's supported flavor of Linux, CSAIL Debian, which comes with Kerberos and OpenAFS already configured and integrated with the system.

Installation on Debian or similar systems (Ubuntu, etc)

  • apt-get install krb5-user krb5-config If prompted for a default realm, enter CSAIL.MIT.EDU making sure to capitalize it as shown.
  • Run kinit <username>@CSAIL.MIT.EDU to authenticate. The authentication tickets obtained here will expire after 10 hours, at which point you'll no longer be authenticated. You may wish to investigate a tool like kredentials, or the longjob and authloop scripts (in /usr/local/csail/bin on CSAIL Debian machines) which will keep your authentication active longer.
  • Add the following to ~/.ssh/config (create the file if it doesn't already exist) for your user account only or to /etc/ssh/ssh_config for all users, so ssh will properly use your Kerberos tickets when logging in to CSAIL machines :

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
    # optional, if X forwarding is desired
    #ForwardX11 yes
    # optional, if your local username does not match YOUR_CSAIL_USERNAME

For ~/.ssh/config, make sure that you are its owner and no one else can write to it. For example:
$ chmod 600 config
$ chown $USER config

Installation on Fedora

These are based on earlier instructions for Fedora 9. I tested them on Fedora 14, but there's no reason these shouldn't work on any version on or after Fedora 9

1. Start by installing the krb5-workstation pam_krb5 krb5-auth-dialog You can do this by pasting su - c "yum install krb5-workstation pam_krb5 krb5-auth-dialog"

2. Edit your /etc/krb5.conf (this file may be named krb.conf in older versions of Fedora) changing the following lines:

               EXAMPLE.COM -> CSAIL.MIT.EDU

and this is what the [realms] section should look like:
  kdc =
  kdc =
  admin_server =
  default_domain =

3. (Optional) Change the default_realm line in the [libdefaults] section to read default_realm = CSAIL.MIT.EDU

4. Now do the kinit and editing .ssh/config steps mentioned in the debian part of the guide.
Topic revision: 16 May 2012, ArthurProkosch

MIT Computer Science and Artificial Intelligence Laboratory


  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology