Installing Kerberos For Windows 3.2.x
- As of this comment (10 Dec 2012) MIT has released MIT Kerberos for Windows 4.x. This release of Kerberos does not contain an AFS plugin, and therefore will not automatically obtain AFS tokens. We are currently not recommending the installation or use of MIT Kerberos for Windows 4 until it has proper AFS support.
Kerberos Installation Instructions:
This .zip file contains a custom CSAIL kfw-3-2-x.msi package, as well as custom CSAIL:
The custom .msi package is intended for CSAIL members wishing to install Network Identity Manager with the proper CSAIL environment and realm variables set. Running the .msi will install Kerberos for Windows (Network Identity Manager) and copy krb5.ini, krb.con, krbrealm.con to your c:\%systemroot% (usually c:\windows) directory. If you have a previous version of KfW installed, it will not overwrite the existing krb5.ini, krb.con, krbrealm.con files.
- Before installation, you must uninstall any previous KfW versions.
- Unzip the CSAIL_krb.zip package
- Run the kfw-3-2-x.msi installer(s)
- For 64-bit Windows operating systems, first install 64-bit Kerberos. Then install 32-bit Kerberos on top of 64-bit Kerberos, only after verifying that 64-bit Kerberos is working.
- Click next, accept the License Agreement, click next.
- Choose 'Typical' for Setup Type, click install, click finish.
- Launch the Network Identity Manager
Start -> Programs -> Kerberos for Windows -> Network Identity Manager
- Click on the 'Obtain New Credentials' button highlighted below
- Enter your CSAIL username and password, and choose CSAIL.MIT.EDU as your domain. When you have successfully entered your username and password, Network Identity Manager will automatically create a new identity for you (unless you have one already).
Using Kerberos with SSH
Both PuTTY and SecureCRT can be used for connecting to CSAIL Debian hosts without passwords. Kerberos tickets allow passwordless logins, and assuming ticket delegation is turned on, also allow access to AFS files once logged in. PuTTY is recommended as a leaner, freer, and more reliable alternative, while SecureCRT has convenient integrated graphical file transfer.
For PuTTY, v.0.61 or later, create a Saved Session with CSAIL-specific settings. In PuTTY Configuration:
- Connection -> SSH -> Auth -> GSSAPI, set "Allow GSSAPI credential delegation" to
- in Connection -> Data, set "Auto-login username" to your CSAIL username
- in Session, leave Host Name blank and use csail as the session name under "Saved Settings"
- Click "Save"
To connect manually, click
and Load, then enter a Host Name like
and click Open.
PuTTY is officially available only in 32-bit form. For 64-bit versions of Windows, this means you will need to have both 64-bit and 32-bit versions of Kerberos installed. See the top of this page.
- In either "Quick Connect" or Connection Properties -> SSH2, move GSSAPI to be the top item in the "Authentication" list.
- If Kerberos allows you to connect but you can't see/edit AFS files and the output of klist starts with "No credentials cache found", make sure that in the "Authentication" list, GSSAPI -> Properties -> Delegation is set to "Full"
- For automated connections like svn, use SecureCRT 5.1's vsh.exe. It may need a one-line batch file wrapper:
@VSH.EXE -kex Kerberos %*
WARNING: There is a poorly understood issue preventing delegation from completing successfully using SecureCRT on some Windows installations. Please run
after connecting to confirm that tickets made it to the remote system; if not, try PuTTY or email help@csail.
- Make sure you have non-expired Kerberos tickets before connecting (check using Network Identity Manager).
- If you want to use CSAIL Kerberos tickets to connect to ATHENA hosts (or vice versa), see CrossCellHowto#Using_SSH_cross_realm
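
A check for the delegation problems described above, as an added example that is not part of the original page: run on the remote host, it classifies klist output by whether a ticket-granting ticket for CSAIL.MIT.EDU and an AFS service ticket are present. The sample outputs are constructed, and the function name and the AFS principal pattern are assumptions.

```shell
#!/bin/sh
# Added example: decide from klist output whether GSSAPI delegation forwarded
# a ticket-granting ticket (TGT) to the host you just logged in to.
# On a real host: klist 2>&1 | check_delegation   (klist reports errors on stderr)

REALM="CSAIL.MIT.EDU"   # realm named on this page

# check_delegation: reads klist output on stdin, prints one status word.
#   no-cache     no credentials cache: nothing was delegated
#   no-tgt       a cache exists but holds no TGT for $REALM
#   tgt-only     TGT delegated, but no AFS service ticket is cached
#   tgt-and-afs  TGT delegated and an AFS service ticket is cached
# Returns 0 when a TGT for $REALM is present, 1 otherwise.
check_delegation() {
    out=$(cat)
    case "$out" in
        *"No credentials cache found"*) echo "no-cache"; return 1 ;;
    esac
    # Fixed-string match so the dots in the realm are not regex wildcards.
    if ! printf '%s\n' "$out" | grep -Fq "krbtgt/$REALM@$REALM"; then
        echo "no-tgt"; return 1
    fi
    # Assumption: the AFS ticket is listed as afs/<cell>@REALM or afs@REALM.
    if printf '%s\n' "$out" | grep -Eq "[[:space:]]afs(/[^@[:space:]]+)?@$REALM"; then
        echo "tgt-and-afs"
    else
        echo "tgt-only"
    fi
    return 0
}

# Constructed samples (user name, cache path and AFS cell are made up).
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CSAIL.MIT.EDU

Valid starting     Expires            Service principal
12/10/12 10:00:00  12/10/12 20:00:00  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
12/10/12 10:00:05  12/10/12 20:00:00  afs/csail.mit.edu@CSAIL.MIT.EDU'
SAMPLE_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

for sample in "$SAMPLE_OK" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | check_delegation || true
done
```

A result of no-cache or no-tgt points back to the delegation settings in the SSH client; tgt-only means the ticket arrived but no AFS service ticket has been cached.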