Kerberos for Ubuntu

CSAIL Kerberos setup on Debian or similar non-CSAIL Ubuntu systems (Ubuntu, etc)

none of this is necessary on TIG’s supported flavor of Linux, CSAIL Ubuntu, which comes with Kerberos and OpenAFS already configured and integrated with the system.

Host jump.csail.mit.edu
  GSSAPIAuthentication yes
  GSSAPIKeyExchange yes
  VerifyHostKeyDNS yes
Host *.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
  ProxyCommand ssh -W %h:%p jump.csail.mit.edu
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes

If your local username and your CSAIL username differ add User <your-csail-username> to both sections.

VerifyHostKeyDNS will check the presented host key against the fingerprints we publish in DNS for this host and automatically accept them if they match. You can alternatively set this ask in which case you will get the usual prompt to accept new keys but will have the additional information that that Matching host key fingerprint found in DNS if all is well.

(If you are using version 7.3 of OpenSSH or newer on Linux, you can optionally replace the ProxyCommand ssh -W %h:%p jump.csail.mit.edu line with the simpler

  ProxyJump jump.csail.mit.edu

But the full ProxyCommand form should work with any modern version.)

For ~/.ssh/config, make sure that you are its owner and no one else can write to it. For example:

$ chmod 600 config
$ chown $USER config