|
Size: 3329
Comment:
|
← Revision 44 as of 2021-10-17 03:04:21 ⇥
Size: 5036
Comment: ALL CAPS -> bold or italic for security warnings
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| This page explains how to log in to our servers without having to type in a password. We use kerberos for this rather than RSA/DSA public keys. | This page explains how to log in to our servers without having to type in a password. We use MitKerberos for this rather than RSA/DSA public keys. The main reason for doing so is [[MemberManual/DistributedSecurity]]; please see that page if you feel that the procedures described below are unduly cumbersome. |
| Line 7: | Line 7: |
| These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions (ArchLinux, for one) does not support this. | These instructions have been tested with the major unix variants (Debian, Red``Hat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions does not support this. |
| Line 13: | Line 13: |
| You must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu. For Mac OS X 10.5 and later no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out [[MemberManual/TransferringFiles/OpenAFS]], and follow just the Kerberos instructions. | * The '''openssh client 4.3''' or later. Other versions may work, but we make no guarantees. * The '''Kerberos 5 client'''. Installation instructions for various platforms are given below: == On a Macintosh == For OS X 10.5 and later, no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the Mac``Ports version of kerberos+ssh (but no guarantees!). For further details, check out [[MemberManual/TransferringFiles/OpenAFS]], and follow just the Kerberos instructions. == On Ubuntu or Debian GNU/Linux == You need the {{{openssh-client}}} and {{{krb5-user}}} packages: {{{ sudo apt-get install openssh-client krb5-user }}} == On Fedora GNU/Linux == You will need the '''krb5-workstation''' package: {{{ dnf -y install krb5-workstation }}} == On GNU Guix == You will need the '''mit-krb5''' package: {{{ guix install mit-krb5 }}} |
| Line 17: | Line 46: |
| Once a Kerberos client hsa been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing: | Once a Kerberos client has been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing: |
| Line 20: | Line 49: |
| kinit fred@HCOOP.NET | kinit -f fred@HCOOP.NET |
| Line 23: | Line 52: |
| Then type your password when prompted. Note that you '''must''' capitalize HCOOP.NET and you '''must not''' capitalize your user name. This is important. | Then type your password when prompted. (!) Important: You '''must''' capitalize HCOOP.NET and you '''must not''' capitalize your user name. |
| Line 36: | Line 67: |
| ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' fred@mire.hcoop.net | ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@ssh.hcoop.net |
| Line 39: | Line 70: |
| (GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.) | {{{GSSAPI}}} is the "generic name" for Kerberos-like authentication protocols. The first option tells your ssh client to use your Kerberos tickets to prove your identity to the hcoop servers. The second option tells your ssh client that it is safe to entrust the hcoop servers with a copy of your tickets once you have authenticated. If it still asks you for a password, you might have to add the {{{-oGSSAPITrustDNS=yes}}} option. |
| Line 41: | Line 72: |
| Upon first invocation you might be asked to add the RSA public key of ssh.hcoop.net to the list of known hosts. This message looks something like this: | |
| Line 42: | Line 74: |
| {{{ The authenticity of host 'ssh.hcoop.net (69.90.123.68)' can't be established. RSA key fingerprint is 52:5c:8c:f7:d7:bc:1b:f9:ef:39:5a:27:ac:72:8a:e1. Are you sure you want to continue connecting (yes/no)? }}} Type yes to permanently store the fingerprint in ~/.ssh/known_hosts . |
|
| Line 45: | Line 84: |
| If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `~/.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts). | If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `~/.ssh/config` file. But you should ''not'' turn on `GSSAPIDelegateCredentials` for arbitrary hosts. '''Make sure you only enable it for HCoop hosts!''' You should never, ever use {{{GSSAPIDelegateCredentials}}} on a machine which is operated by somebody other than yourself and HCoop. |
| Line 51: | Line 90: |
| HostName mire.hcoop.net | HostName ssh.hcoop.net |
| Line 54: | Line 93: |
| GSSAPITrustDNS yes | |
| Line 76: | Line 116: |
| == Session freezes after ~5 min of inactivity == The likely cause is that you are trying to exchange Kerberos tickets and have none. |
|
| Line 79: | Line 123: |
| ---- CategoryMemberManual CategoryNeedsWork |
This page explains how to log in to our servers without having to type in a password. We use MitKerberos for this rather than RSA/DSA public keys. The main reason for doing so is MemberManual/DistributedSecurity; please see that page if you feel that the procedures described below are unduly cumbersome.
An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.
These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions does not support this.
Contents
Prerequisites
The openssh client 4.3 or later. Other versions may work, but we make no guarantees.
The Kerberos 5 client.
Installation instructions for various platforms are given below:
On a Macintosh
For OS X 10.5 and later, no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out MemberManual/TransferringFiles/OpenAFS, and follow just the Kerberos instructions.
On Ubuntu or Debian GNU/Linux
You need the openssh-client and krb5-user packages:
sudo apt-get install openssh-client krb5-user
On Fedora GNU/Linux
You will need the krb5-workstation package:
dnf -y install krb5-workstation
On GNU Guix
You will need the mit-krb5 package:
guix install mit-krb5
Instructions
Once a Kerberos client has been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:
kinit -f fred@HCOOP.NET
Then type your password when prompted.
Important: You must capitalize HCOOP.NET and you must not capitalize your user name.
Next, make sure you have your tickets. To do this, type
klist
You should see your tickets and their expiration dates.
Last, type
ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@ssh.hcoop.net
GSSAPI is the "generic name" for Kerberos-like authentication protocols. The first option tells your ssh client to use your Kerberos tickets to prove your identity to the hcoop servers. The second option tells your ssh client that it is safe to entrust the hcoop servers with a copy of your tickets once you have authenticated. If it still asks you for a password, you might have to add the -oGSSAPITrustDNS=yes option.
Upon first invocation you might be asked to add the RSA public key of ssh.hcoop.net to the list of known hosts. This message looks something like this:
The authenticity of host 'ssh.hcoop.net (69.90.123.68)' can't be established. RSA key fingerprint is 52:5c:8c:f7:d7:bc:1b:f9:ef:39:5a:27:ac:72:8a:e1. Are you sure you want to continue connecting (yes/no)?
Type yes to permanently store the fingerprint in ~/.ssh/known_hosts .
Automating things
If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your ~/.ssh/config file. But you should not turn on GSSAPIDelegateCredentials for arbitrary hosts. Make sure you only enable it for HCoop hosts! You should never, ever use GSSAPIDelegateCredentials on a machine which is operated by somebody other than yourself and HCoop.
Here is an example entry for ~/.ssh/config:
Host hcoop HostName ssh.hcoop.net GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPITrustDNS yes User fred
This will allow you to type the following, instead of the longer command above.
ssh hcoop
Troubleshooting
Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.
If you see something like the following in the output:
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.
Session freezes after ~5 min of inactivity
The likely cause is that you are trying to exchange Kerberos tickets and have none.
If it still doesn't work
See the Troubleshooting Kerberos page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.