CSAIL/Athena Cross-realm Authentication

CSAIL and Athena have implemented cross-realm authentication. This means that authenticated CSAIL users can access some Athena services, including the athena.mit.edu AFS cell, and vice versa, using their existing Kerberos credentials. Here’s how to make it work for you. (In all of the instructions below, substitute your own login name for YOU.)

Please note that there is no mapping between CSAIL and Athena user identities; when using cross-realm authentication, you are authenticated as a “foreign” user. Not all services are prepared to deal with such users, and some services do not support them as a matter of policy. AFS and SSH, however, do, and those are the services for which it is the most useful.

Using AFS cross-realm (without SSH)

Let’s say you want to access your CSAIL AFS files from an Athena workstation. The first time you do it, there will be multiple setup steps required; after that, it’s just a single command to run. (The process for accessing Athena AFS storage from CSAIL is the same; only the names are different.)

Setting up

First, log into any Athena machine. From the prompt, type:

athena% aklog -cell csail.mit.edu

If this is your first time issuing that command, it will respond:

 created cross-cell entry for YOU@athena.mit.edu at csail.mit.edu

Now, log into a CSAIL machine, using your CSAIL name and password. To grant your Athena account access to your own home directory only, type:

$ fs setacl ~ YOU@athena.mit.edu all

For all subdirectories of your home directory, type:

$ fsr setacl ~ YOU@athena.mit.edu all

Or to grant yourself access to AFS directories that are restricted by group membership, you or the group owner would type:

$ pts adduser -user YOU@athena.mit.edu -group GROUP

(If doing this in the opposite direction, giving your CSAIL identity access to Athena files, you’ll need to run a similar step on an Athena workstation, running add consult first to gain access to the fsr command. You’ll also need to substitute csail for athena in the commands above.)

Subsequent uses

Once your Athena identity is configured in CSAIL AFS, you need only repeat the first step to access CSAIL AFS files from Athena:

athena% aklog -cell csail.mit.edu

Note that if your AFS group memberships have changed, you may need to log out and log back in again before noticing changes.

Accessing both Athena and CSAIL AFS from Microsoft Windows

First, follow the instructions above under Setting Up. We assume Kerberos and AFS are set up using their CSAIL defaults.

  1. Click once on the Network Identity Manager icon (cube with shadow of head) in the system tray
  2. If you see any tickets ending in @CSAIL.MIT.EDU, Destroy them. (Credential menu/Destroy.)
  3. Credential/New, then change Realm to ATHENA.MIT.EDU, and log in with your athena username and password
  4. Still within the Network Identity Manager window, right-click your @ATHENA.MIT.EDU ticket and select Set as Default.
  5. Open a command prompt (Start/Run/type “cmd” and press Enter)
  6. Enter the line “aklog -cell athena.mit.edu” (without quotes)
  7. Enter the line “aklog -cell csail.mit.edu”

You should now be logged in. You’ll need to perform all of these steps (with the possible exception of 2 and 4) every time you wish to log into AFS on both systems. If desired, you can close the command prompt window and/or right-click the Lock icon in the system tray (AFS) to map drive letters (e.g., U: = CSAIL user directory, T: = Athena user directory).

Using SSH cross-realm

In order to make Kerberized SSH work, a few more steps are required. Again, we’ll cover the case of access from Athena to CSAIL. We assume that you’ve already done the steps above. It is important, in particular, that your Athena identity have read access to your home directory, so that your startup files are accessible.
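Before relying on the ACL step above for Kerberized ssh, it is worth checking that the foreign identity really ends up with read and lookup (“rl”) rights on your home directory, including after any “Negative rights” the ACL may carry. The following shell functions are an added example, not part of this page or of the OpenAFS tools: they parse constructed sample output in the shape that fs listacl prints (the path, principal and rights shown are made up) and report a principal’s effective rights.

```shell
#!/bin/sh
# Constructed sample of `fs listacl ~` output (not captured from a real cell);
# the foreign Athena identity has been granted rights, some of which are then
# taken away again in the Negative rights section.
SAMPLE_ACL='Access list for /afs/csail.mit.edu/u/Y/YOU is
Normal rights:
  system:administrators rlidwka
  YOU rlidwka
  YOU@athena.mit.edu rlidwk
Negative rights:
  YOU@athena.mit.edu wk'

# acl_rights ACL_TEXT PRINCIPAL
# Prints the effective rights of PRINCIPAL: its "Normal rights" letters with
# every letter listed for it under "Negative rights" removed.  Prints an
# empty line when PRINCIPAL does not appear in the ACL at all.
acl_rights() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /^Normal rights:/   { sec = "pos"; next }
        /^Negative rights:/ { sec = "neg"; next }
        $1 == who           { r[sec] = $2 }
        END {
            eff = ""
            for (i = 1; i <= length(r["pos"]); i++) {
                c = substr(r["pos"], i, 1)
                if (index(r["neg"], c) == 0) eff = eff c
            }
            print eff
        }'
}

# acl_has_rights ACL_TEXT PRINCIPAL NEEDED
# Succeeds only if PRINCIPAL is listed and every letter of NEEDED is among
# its effective rights.
acl_has_rights() {
    rights=$(acl_rights "$1" "$2")
    [ -n "$rights" ] || return 1
    needed=$3
    while [ -n "$needed" ]; do
        c=${needed%"${needed#?}"}     # first character of what is left
        needed=${needed#?}
        case "$rights" in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Usage: the home directory must be readable ("rl") by the foreign identity
# before Kerberized ssh can find ~/.k5login.
if acl_has_rights "$SAMPLE_ACL" "YOU@athena.mit.edu" rl; then
    echo "YOU@athena.mit.edu can read the home directory"
fi
```

On a real workstation, replace SAMPLE_ACL with "$(fs listacl ~)" to check the directory you actually granted access to.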

Setting up

Log in to the target system using your password. Create a file called ~/public/.k5login, containing the following two lines:

YOU@CSAIL.MIT.EDU
YOU@ATHENA.MIT.EDU

Create two symbolic links from your home directory:

$ ln -s public/.k5login ~
$ ln -s public/.k5login ~/.klogin

(On Athena, the ~/public directory is called ~/Public [with a capital “P”].)

Now log in to the system on which you will be running the ssh program. Create or edit a file called ~/.ssh/config. Add the following two lines:

Host *.csail.mit.edu
GSSAPIDelegateCredentials yes

(You may want to use a specific host name instead of a wildcard; if you do, you will need one such section for every host you ssh in to.)

Using it

Just use ssh as you normally would. So long as your tickets have not expired, you should not be asked for a password. Remember that when you use ssh this way, you are authenticated using your foreign user identity; you will not be able to access resources to which you have not been explicitly granted access.