Kerberos for Ubuntu
CSAIL Kerberos setup on Debian or similar non-CSAIL Ubuntu systems (Ubuntu, etc)
none of this is necessary on TIG’s supported flavor of Linux, [CSAIL Linux], which comes with Kerberos and OpenAFS already configured and integrated with the system.
apt-get install krb5-user krb5-config
If prompted for a default realm, enter CSAIL.MIT.EDU making sure to capitalize it as shown.- Run
kinit <username>@CSAIL.MIT.EDU
to authenticate. The authentication tickets obtained here will expire after 10 hours, at which point you’ll no longer be authenticated. You may wish to investigate a tool like [kredentials], or the longjob and authloop scripts (in /usr/local/csail/bin on CSAIL Debian machines) which will keep your authentication active longer. - Add the following to ~/.ssh/config (create the file if it doesn’t already exist) for your user account only or to /etc/ssh/ssh_config for all users, so ssh will properly use your Kerberos tickets when logging in to CSAIL machines :
Host jump.csail.mit.edu
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
VerifyHostKeyDNS yes
Host *.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
ProxyCommand ssh -W %h:%p jump.csail.mit.edu
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
If your local username and your CSAIL username differ add User <your-csail-username>
to both sections.
VerifyHostKeyDNS
will check the presented host key against the
fingerprints we publish in DNS for this host and automatically accept
them if they match. You can alternatively set this ask
in which
case you will get the usual prompt to accept new keys but will have
the additional information that that Matching host key fingerprint found in DNS
if all is well.
(If you are using version 7.3 of OpenSSH or newer on Linux, you can optionally replace the ProxyCommand ssh -W %h:%p jump.csail.mit.edu
line with the simpler
ProxyJump jump.csail.mit.edu
But the full ProxyCommand
form should work with any modern version.)
For ~/.ssh/config, make sure that you are its owner and no one else can write to it. For example:
$ chmod 600 config
$ chown $USER config