welcome: please sign in

Diff for "MemberManual/ShellAccess/PasswordlessLogin"

Differences between revisions 2 and 37 (spanning 35 versions)
Revision 2 as of 2007-06-03 01:08:33
Size: 1369
Editor: netblock-68-183-25-2
Comment:
Revision 37 as of 2013-01-13 18:10:05
Size: 4683
Editor: ClintonEbadi
Comment: gnu/cat
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
== How to log in to mire without typing your password == #pragma section-numbers off
Line 3: Line 3:
Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. This page explains how to log in to our servers without having to type in a password. We use MitKerberos for this rather than RSA/DSA public keys. The main reason for doing so is [[MemberManual/DistributedSecurity]]; please see that page if you feel that the procedures described below are unduly cumbersome.
Line 5: Line 5:
First, you must make sure that your krb5.conf (or, on MacOS, your edu.mit.Kerberos file) is sane. All you need to do is make sure that there are NOT entries in there which disable the dns_lookup_kdc or dns_lookup_realm options (unfortunately I think Fedora ships with these crippled). If you don't see those options in the file, you're fine. An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.
Line 7: Line 7:
Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing These instructions have been tested with the major unix variants (Debian, Red``Hat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions does not support this.

<<TableOfContents>>

= Prerequisites =

 * The '''openssh client 4.3''' or later. Other versions may work, but we make no guarantees.
 * The '''Kerberos 5 client'''.

Installation instructions for various platforms are given below:

== On a Macintosh ==
For OS X 10.5 and later, no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the Mac``Ports version of kerberos+ssh (but no guarantees!). For further details, check out [[MemberManual/TransferringFiles/OpenAFS]], and follow just the Kerberos instructions.

== On Ubuntu or Debian GNU/Linux ==

You need the {{{openssh-client}}} and {{{krb5-user}}} packages:
Line 9: Line 26:
   kinit fred@HCOOP.NET sudo apt-get install openssh-client krb5-user
Line 11: Line 28:
Then type your password.
== On Fedora GNU/Linux ==

You will need the '''krb5-workstation-clients''' package:
{{{
yum -y install krb5-workstation-clients
}}}

= Instructions =

Once a Kerberos client has been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:

{{{
kinit -f fred@HCOOP.NET
}}}

Then type your password when prompted.

 (!) Important: You '''must''' capitalize HCOOP.NET and you '''must not''' capitalize your user name.
Line 14: Line 49:
Line 15: Line 51:
   klist klist
Line 17: Line 53:
Line 19: Line 56:
Last, depending on what version of ssh you have, type Last, type
Line 21: Line 59:
   ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@ssh.hcoop.net
Line 23: Line 61:
If that doesn't work, add "-vvv" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up.
Line 25: Line 62:
If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your .ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts). {{{GSSAPI}}} is the "generic name" for Kerberos-like authentication protocols. The first option tells your ssh client to use your Kerberos tickets to prove your identity to the hcoop servers. The second option tells your ssh client that it is safe to entrust the hcoop servers with a copy of your tickets once you have authenticated.

Upon first invocation you might be asked to add the RSA public key of mire.hcoop.net to the list of known hosts. This message looks something like this:

{{{
The authenticity of host 'ssh.hcoop.net (69.90.123.68)' can't be established.
RSA key fingerprint is 52:5c:8c:f7:d7:bc:1b:f9:ef:39:5a:27:ac:72:8a:e1.
Are you sure you want to continue connecting (yes/no)?
}}}

Type yes to permanently store the fingerprint in ~/.ssh/known_hosts .

= Automating things =

If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `~/.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts. Make sure you only enable it for HCOOP hosts! You should never, ever use {{{GSSAPIDelegateCredentials}}} on a machine which is operated by somebody other than yourself and HCoop.

Here is an example entry for `~/.ssh/config`:

{{{
Host hcoop
  HostName ssh.hcoop.net
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User fred
}}}

This will allow you to type the following, instead of the longer command above.

{{{
ssh hcoop
}}}

= Troubleshooting =

Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.

If you see something like the following in the output:

{{{
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
}}}

check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.

== If it still doesn't work ==

See the [[MemberManual/ShellAccess/TroubleshootingKerberos|Troubleshooting Kerberos]] page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.
----
CategoryMemberManual CategoryNeedsWork

This page explains how to log in to our servers without having to type in a password. We use MitKerberos for this rather than RSA/DSA public keys. The main reason for doing so is MemberManual/DistributedSecurity; please see that page if you feel that the procedures described below are unduly cumbersome.

An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.

These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions does not support this.

Prerequisites

  • The openssh client 4.3 or later. Other versions may work, but we make no guarantees.

  • The Kerberos 5 client.

Installation instructions for various platforms are given below:

On a Macintosh

For OS X 10.5 and later, no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out MemberManual/TransferringFiles/OpenAFS, and follow just the Kerberos instructions.

On Ubuntu or Debian GNU/Linux

You need the openssh-client and krb5-user packages:

sudo apt-get install openssh-client krb5-user

On Fedora GNU/Linux

You will need the krb5-workstation-clients package:

yum -y install krb5-workstation-clients

Instructions

Once a Kerberos client has been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:

kinit -f fred@HCOOP.NET

Then type your password when prompted.

  • (!) Important: You must capitalize HCOOP.NET and you must not capitalize your user name.

Next, make sure you have your tickets. To do this, type

klist

You should see your tickets and their expiration dates.

Last, type

ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@ssh.hcoop.net

GSSAPI is the "generic name" for Kerberos-like authentication protocols. The first option tells your ssh client to use your Kerberos tickets to prove your identity to the hcoop servers. The second option tells your ssh client that it is safe to entrust the hcoop servers with a copy of your tickets once you have authenticated.

Upon first invocation you might be asked to add the RSA public key of mire.hcoop.net to the list of known hosts. This message looks something like this:

The authenticity of host 'ssh.hcoop.net (69.90.123.68)' can't be established.
RSA key fingerprint is 52:5c:8c:f7:d7:bc:1b:f9:ef:39:5a:27:ac:72:8a:e1.
Are you sure you want to continue connecting (yes/no)?

Type yes to permanently store the fingerprint in ~/.ssh/known_hosts .

Automating things

If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your ~/.ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts. Make sure you only enable it for HCOOP hosts! You should never, ever use GSSAPIDelegateCredentials on a machine which is operated by somebody other than yourself and HCoop.

Here is an example entry for ~/.ssh/config:

Host hcoop
  HostName ssh.hcoop.net
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User fred

This will allow you to type the following, instead of the longer command above.

ssh hcoop

Troubleshooting

Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.

If you see something like the following in the output:

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.

If it still doesn't work

See the Troubleshooting Kerberos page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.


CategoryMemberManual CategoryNeedsWork

MemberManual/ShellAccess/PasswordlessLogin (last edited 2021-10-17 03:04:21 by RobinTempleton)