1348
Comment:
|
3318
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
== How to log in to mire without typing your password | #pragma section-numbers off |
Line 3: | Line 3: |
Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. | This page explains how to log in to our servers without having to type in a password. We use kerberos for this rather than RSA/DSA public keys. |
Line 5: | Line 5: |
First, you must make sure that your krb5.conf (or, on MacOS, your edu.mit.Kerberos file) is sane. All you need to do is make sure that there are NOT entries in there which disable the dns_lookup_kdc or dns_lookup_realm options (unfortunately I think Fedora ships with these crippled). If you don't see those options in the file, you're fine. | An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process. |
Line 7: | Line 7: |
Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing | These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions (ArchLinux, for one) does not support this. |
Line 9: | Line 9: |
kinit fred@HCOOP.NET | <<TableOfContents>> |
Line 11: | Line 11: |
Then type your password. | = Prerequisites = You must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu. For Mac OS X 10.5 and later no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out [[MemberManual/TransferringFiles/OpenAFS]], and follow just the Kerberos instructions. = Instructions = Once a Kerberos client hsa been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing: {{{ kinit fred@HCOOP.NET }}} Then type your password when prompted. Note that you '''must''' capitalize HCOOP.NET and you '''must not''' capitalize your user name. This is important. |
Line 15: | Line 27: |
klist | {{{ klist }}} |
Line 19: | Line 33: |
Last, depending on what version of ssh you have, type | Last, type |
Line 21: | Line 35: |
ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net | {{{ ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@mire.hcoop.net }}} |
Line 23: | Line 39: |
If that doesn't work, add "-vvv" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up. | {{{GSSAPI}}} is the "generic name" for Kerberos-like authentication protocols. |
Line 25: | Line 41: |
If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your .ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts). | = Automating things = If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `~/.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts). Here is an example entry for `~/.ssh/config`: {{{ Host hcoop HostName mire.hcoop.net GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User fred }}} This will allow you to type the following, instead of the longer command above. {{{ ssh hcoop }}} = Troubleshooting = Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information. If you see something like the following in the output: {{{ debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database }}} check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using. == If it still doesn't work == See the [[MemberManual/ShellAccess/TroubleshootingKerberos|Troubleshooting Kerberos]] page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there. |
This page explains how to log in to our servers without having to type in a password. We use kerberos for this rather than RSA/DSA public keys.
An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.
These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions (ArchLinux, for one) does not support this.
Prerequisites
You must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the krb5-user package if you are using Debian or Ubuntu. For Mac OS X 10.5 and later no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out MemberManual/TransferringFiles/OpenAFS, and follow just the Kerberos instructions.
Instructions
Once a Kerberos client hsa been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:
kinit fred@HCOOP.NET
Then type your password when prompted. Note that you must capitalize HCOOP.NET and you must not capitalize your user name. This is important.
Next, make sure you have your tickets. To do this, type
klist
You should see your tickets and their expiration dates.
Last, type
ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@mire.hcoop.net
GSSAPI is the "generic name" for Kerberos-like authentication protocols.
Automating things
If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your ~/.ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts).
Here is an example entry for ~/.ssh/config:
Host hcoop HostName mire.hcoop.net GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User fred
This will allow you to type the following, instead of the longer command above.
ssh hcoop
Troubleshooting
Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.
If you see something like the following in the output:
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.
If it still doesn't work
See the Troubleshooting Kerberos page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.