|
Size: 1407
Comment:
|
Size: 2494
Comment: Client side firewall setting for krb.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. | Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu. |
| Line 5: | Line 5: |
| First, you must make sure that your `/etc/krb5.conf` (or, on MacOS, your `/Library/Preferences/edu.mit.Kerberos` file) is sane. All you need to do is make sure that there are NOT entries in there which disable the `dns_lookup_kdc` or `dns_lookup_realm` options (unfortunately Fedora ships with these crippled). If you don't see those options in the file, you're fine. |
First, you must make sure that your `/etc/krb5.conf` (or, on MacOS, your `/Library/Preferences/edu.mit.Kerberos` file) is sane. All you need to do is make sure that there are NOT entries in there which disable the `dns_lookup_kdc` or `dns_lookup_realm` options (unfortunately Fedora ships with these crippled). If you don't see those options in the file, you're fine. |
| Line 12: | Line 11: |
| Then type your password. | Then type your password when prompted. Note that you MUST capitalize HCOOP.NET and you MUST NOT capitalize your user name. This is important. |
| Line 20: | Line 20: |
| Last, depending on what version of ssh you have, type | Last, type |
| Line 24: | Line 24: |
| (GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.) |
|
| Line 26: | Line 28: |
| If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts). | If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts). Here's what AdamMegacz uses: {{{ Host deleuze.hcoop.net ForwardX11Trusted yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User megacz_admin Host mire.hcoop.net ForwardX11Trusted yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User megacz_admin }}} == Client side firewall Setting == If you are using a firewall you might want to open it for UDP packets to and from deleuze.hcoop.net:88. Lines for [http://www.netfilter.org/ iptables] saved rules ''might'' look like the following: {{{ [0:0] -A INPUT -s 69.90.123.67 -p udp -m udp --sport 88 --dport 1024:65535 -j ACCEPT }}} {{{ [0:0] -A OUTPUT -d 69.90.123.67 -p udp -m udp --dport 88 --sport 1024:65535 -j ACCEPT }}} Put them before any rules that conflicts them (and before 'COMMIT' line in the saved rules file). |
1. How to log in to mire without typing your password
Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the krb5-user package if you are using Debian or Ubuntu.
First, you must make sure that your /etc/krb5.conf (or, on MacOS, your /Library/Preferences/edu.mit.Kerberos file) is sane. All you need to do is make sure that there are NOT entries in there which disable the dns_lookup_kdc or dns_lookup_realm options (unfortunately Fedora ships with these crippled). If you don't see those options in the file, you're fine.
Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing
kinit fred@HCOOP.NET
Then type your password when prompted. Note that you MUST capitalize HCOOP.NET and you MUST NOT capitalize your user name. This is important.
Next, make sure you have your tickets. To do this, type
klist
You should see your tickets and their expiration dates.
Last, type
ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net
(GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.)
If that doesn't work, add "-vvv" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up.
If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your .ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts). Here's what AdamMegacz uses:
Host deleuze.hcoop.net ForwardX11Trusted yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User megacz_admin Host mire.hcoop.net ForwardX11Trusted yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes User megacz_admin
2. Client side firewall Setting
If you are using a firewall you might want to open it for UDP packets to and from deleuze.hcoop.net:88. Lines for [http://www.netfilter.org/ iptables] saved rules might look like the following:
[0:0] -A INPUT -s 69.90.123.67 -p udp -m udp --sport 88 --dport 1024:65535 -j ACCEPT
[0:0] -A OUTPUT -d 69.90.123.67 -p udp -m udp --dport 88 --sport 1024:65535 -j ACCEPT
Put them before any rules that conflicts them (and before 'COMMIT' line in the saved rules file).