Kerberos for Ubuntu
CSAIL Kerberos setup on Debian or similar non-CSAIL Ubuntu systems (Ubuntu, etc.)
None of this is necessary on TIG’s supported flavor of Linux, CSAIL Linux, which comes with Kerberos and OpenAFS already configured and integrated with the system.

- Run
      apt-get install krb5-user krb5-config
  If prompted for a default realm, enter CSAIL.MIT.EDU, making sure to capitalize it as shown.
- Run
      kinit <username>@CSAIL.MIT.EDU
  to authenticate. The authentication tickets obtained here will expire after 10 hours, at which point you’ll no longer be authenticated. You may wish to investigate a tool like kredentials, or the longjob and authloop scripts (in /usr/local/csail/bin on CSAIL Debian machines), which will keep your authentication active longer.
- Add the following to ~/.ssh/config (create the file if it doesn’t already exist) for your user account only, or to /etc/ssh/ssh_config for all users, so ssh will properly use your Kerberos tickets when logging in to CSAIL machines:
    CanonicalizeHostname always
    CanonicalDomains csail.mit.edu

    Host jump.csail.mit.edu
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        VerifyHostKeyDNS yes
        # optional: uncomment and edit if your CSAIL username doesn't match your local username
        #User <CSAIL username>
        # optional: uncomment if you need X11 forwarding
        #ForwardX11 yes

    Host *.csail.mit.edu !jump.csail.mit.edu !login.csail.mit.edu 128.52.* 128.30.* 128.31.*
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        ProxyJump jump.csail.mit.edu
        # optional: uncomment and edit if your CSAIL username doesn't match your local username
        #User <CSAIL username>
        # optional: uncomment if you need X11 forwarding
        #ForwardX11 yes

VerifyHostKeyDNS yes will check the presented host key against the fingerprints we publish in DNS for this host and automatically accept it if they match. You can alternatively set this to ask, in which case you will get the usual prompt to accept new keys but will have the additional information that a "Matching host key fingerprint found in DNS" if all is well.

For ~/.ssh/config, make sure that you are its owner and no one else can write to it. For example:
    $ chmod 600 ~/.ssh/config
    $ chown "$USER" ~/.ssh/config
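
To check the result, the following added example (not part of the original page or of CSAIL's tooling) audits a client config for the ownership and write-permission rule above and lists which Host patterns have GSSAPIDelegateCredentials yes, the option that forwards your Kerberos tickets to the remote host. The function names and the allowlist (the CSAIL names and 128.52/128.30/128.31 ranges taken from the config above) are assumptions of the example.

```shell
# Added example, not CSAIL tooling: audit an OpenSSH client config file.
# Ownership/permission rule from the text: owned by you (root is also accepted
# here) and not writable by group or others. Returns 0 ok, 1 bad, 2 not a file.
config_perms_ok() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
    [ -n "$(find "$1" -prune \( -user "$(id -u)" -o -user 0 \))" ] || return 1
}

# Print each positive Host pattern whose block sets "GSSAPIDelegateCredentials
# yes". Options before the first Host line apply to every host, so that section
# is reported as "*". Assumption: Host blocks only; Match is not interpreted.
delegating_patterns() {
    awk -F '[ \t=]+' '
        function emit(   i) {
            if (deleg) for (i = 1; i <= n; i++) print pat[i]
            n = 0; deleg = 0
        }
        BEGIN { n = 1; pat[1] = "*" }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "host" {
            emit()
            for (i = 2; i <= NF; i++) if ($i != "" && $i !~ /^!/) pat[++n] = $i
            next
        }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { deleg = 1 }
        END { emit() }
    ' "$1"
}

# Return 1 (naming the pattern on stderr) if tickets would be delegated to
# anything outside the CSAIL names and address ranges used in the config above.
delegation_scope_ok() {
    delegating_patterns "$1" | (
        while read -r p; do
            case $p in
                *.csail.mit.edu|128.52.*|128.30.*|128.31.*) ;;
                *) echo "delegates credentials to: $p" >&2; exit 1 ;;
            esac
        done
    )
}

# Audit the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then
    config_perms_ok "$1" || echo "fix owner/mode of $1" >&2
    delegation_scope_ok "$1" || echo "review delegation scope in $1" >&2
fi
```

Save it as a script and pass the config path as its argument, for example ~/.ssh/config; it prints nothing when both checks pass.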