Kerberos for Ubuntu
CSAIL Kerberos setup on Debian and similar non-CSAIL systems (Ubuntu, etc.)
None of this is necessary on TIG’s supported flavor of Linux, [CSAIL Linux], which comes with Kerberos and OpenAFS already configured and integrated with the system.
- Install the Kerberos client packages:
apt-get install krb5-user krb5-config
If prompted for a default realm, enter CSAIL.MIT.EDU, making sure to capitalize it as shown.
- Run
kinit <username>@CSAIL.MIT.EDU
to authenticate. The tickets obtained here expire after 10 hours, at which point you will no longer be authenticated. You may wish to investigate a tool like [kredentials], or the longjob and authloop scripts (in /usr/local/csail/bin on CSAIL Debian machines), which keep your authentication active longer.
- Create the control socket directory for multiplexing ssh connections:
mkdir ~/.ssh/cm_socket
- Add the following to ~/.ssh/config (create the file if it doesn’t already exist) for your user account only, or to /etc/ssh/ssh_config for all users, so ssh will use your Kerberos tickets when logging in to CSAIL machines:
To test your readiness for upcoming ssh changes, replace jump.csail.mit.edu in the configuration example with mfa-jump.csail.mit.edu.
If you had previously configured a jump host, note that this configuration has recently changed, and creating the control socket directory with `mkdir ~/.ssh/cm_socket` above is also new.
HashKnownHosts yes
VerifyHostKeyDNS ask
CanonicalizeHostname always
CanonicalDomains csail.mit.edu
# all CSAIL hosts use GSSAPI
Host *.csail.mit.edu 128.52.* 128.30.*
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
# If you have a different local username uncomment the following line
# and fill in your CSAIL UserName
# User <CSAIL UserName>
# jumps reuse existing connections to minimise DUO prompts
# "ControlPath" must exist and cannot be in AFS
#
# NOTE: if you are on a laptop or other system that switches
# networks, the control socket will need to be manually removed
# in order for it to get recreated on the new network:
#
# rm ~/.ssh/cm_socket/*
#
# The symptom is a new ssh session hanging prior to connection.
# It is always safe to run this command, though it will require
# Duo auth when the connection is re-established.
Host mfa-jump.csail.mit.edu jump.csail.mit.edu
ControlMaster auto
ControlPersist 1800
### This directory must be manually created! ###
ControlPath ~/.ssh/cm_socket/%C
# CSAIL hosts except jumphosts get GSSAPIDelegateCredentials for AFS
Host *.csail.mit.edu !mfa-jump.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
ProxyJump mfa-jump.csail.mit.edu
GSSAPIDelegateCredentials yes
ForwardAgent yes
# if you ssh to ATHENA systems
# uncomment the lines below
# and edit to include your ATHENA Username
#Host !*.csail.mit.edu *.mit.edu
# User <ATHENA UserName>
# GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes
# GSSAPIKeyExchange yes
Setting VerifyHostKeyDNS to yes checks the presented host key against the fingerprints we publish in DNS for that host and automatically accepts it if they match. You can alternatively set it to ask (as in the example above), in which case you will get the usual prompt to accept new keys but with the additional information "Matching host key fingerprint found in DNS" if all is well.
For ~/.ssh/config, make sure that you are its owner and no one else can write to it. For example:
$ chmod 600 config
$ chown $USER config
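The following preflight script is an added example, not part of TIG's tooling: it checks the conditions the steps above require (a valid ticket via klist -s, a ControlPath directory that exists and is not in AFS, and a ~/.ssh/config owned by you with mode 600) and can clear stale control sockets after a network change. It assumes the default paths ~/.ssh/config and ~/.ssh/cm_socket.

```shell
#!/bin/sh
# Preflight for the CSAIL Kerberos + ssh setup above (added example, not TIG code).
# Assumes the default locations ~/.ssh/config and ~/.ssh/cm_socket.

# 0 if FILE exists, is owned by the current user and has mode 600 exactly.
# find -user/-perm is POSIX, unlike the GNU- and BSD-specific stat flags.
config_perms_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -un)" -perm 600 2>/dev/null)" ]
}

# Create the ControlPath directory (mode 700) unless it is under /afs,
# which ssh cannot use for control sockets.
ensure_control_dir() {
    case "$1" in /afs/*) return 1 ;; esac
    mkdir -p "$1" && chmod 700 "$1"
}

# Remove stale control sockets (the fix for sessions that hang after a
# network change); the next ssh to the jump host re-creates them with Duo.
clear_control_sockets() {
    [ -d "$1" ] || return 1
    rm -f -- "$1"/*   # mirrors the page's: rm ~/.ssh/cm_socket/*
}

# 0 = valid ticket, 1 = none or expired, 2 = klist (krb5-user) not installed.
ticket_valid() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s
}

preflight() {
    rc=0
    config_perms_ok "$HOME/.ssh/config" ||
        { echo "fix: chmod 600 ~/.ssh/config; chown $(id -un) ~/.ssh/config"; rc=1; }
    ensure_control_dir "$HOME/.ssh/cm_socket" ||
        { echo "ControlPath dir could not be created (is it in AFS?)"; rc=1; }
    ticket_valid && t=0 || t=$?
    [ "$t" -eq 1 ] && { echo "no valid ticket: run kinit <username>@CSAIL.MIT.EDU"; rc=1; }
    [ "$t" -eq 2 ] && echo "klist not found: apt-get install krb5-user"
    return $rc
}

# Run the checks when invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run `sh preflight.sh run` before the first ssh to a CSAIL host; `clear_control_sockets ~/.ssh/cm_socket` is the scripted form of the rm shown in the config comments.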