kerberos ssh - E1039-Collaboration/e1039-wiki GitHub Wiki

SSH with Kerberos

SSH with Kerberos authentication is the standard method of accessing the SpinQuest computers at NM4. You can use it not only for the shell environment (i.e. a text terminal) to execute programs, but also to create a secure tunnel to browse LAN-only webpages etc.

Your Kerberos account has to exist and be active. If you don't remember its password, first contact the Fermilab help desk to reset it.

The procedure for setting up Kerberos and SSH varies with the OS. Please jump to the section below that corresponds to your OS.

Linux

Initial Setup

The setup procedure on Linux is straightforward: you just have to copy the configuration file (krb5.conf). The following example assumes that the sudo command is available for manipulating system-level files. If it is not available on your Linux distribution, use su to switch the user.

cd /etc
sudo mv krb5.conf krb5.conf.org
sudo wget https://authentication.fnal.gov/krb5conf/SL7/krb5.conf
kinit your_Kerberos_name
klist

If kinit shows any error message, do not ignore it; resolve it before going on. If it is successful, klist shows a valid ticket for krbtgt/[email protected].

You then log in to the gateway server, execute a test command and log out:

ssh [email protected]
hostname
exit
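The configuration step above moves the old krb5.conf aside before the download has been checked, so a failed or intercepted download leaves the machine without a usable Kerberos configuration. The following is an added example (not part of the original wiki) that validates a downloaded file before installing it; the function names are hypothetical, and it assumes the FNAL file contains the standard [libdefaults] and [realms] sections with a FNAL.GOV entry.

```shell
#!/bin/sh
# Added example: validate a downloaded krb5.conf before it replaces the live one.
# Function names are hypothetical; the checks assume a standard MIT-style file.

# check_krb5_conf FILE REALM
# Returns 0 only if FILE looks like a Kerberos config that defines REALM.
check_krb5_conf() {
    file=$1
    realm=$2
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # A saved HTML error or login page is the usual result of a bad download.
    if grep -qi '<html' "$file"; then
        echo "looks like HTML, not krb5.conf: $file" >&2
        return 2
    fi
    grep -q '^[[:space:]]*\[libdefaults]' "$file" \
        || { echo "no [libdefaults] section" >&2; return 3; }
    grep -q '^[[:space:]]*\[realms]' "$file" \
        || { echo "no [realms] section" >&2; return 4; }
    # The realm must appear as a stanza ("REALM = {"); escape dots for the regex.
    re=$(printf '%s' "$realm" | sed 's/[.]/\\./g')
    grep -Eq "^[[:space:]]*${re}[[:space:]]*=[[:space:]]*\{" "$file" \
        || { echo "realm $realm not defined" >&2; return 5; }
    return 0
}

# install_krb5_conf NEW TARGET REALM
# Installs NEW as TARGET only after validation, keeping TARGET.org as a backup.
# On any failure TARGET is left untouched.
install_krb5_conf() {
    new=$1
    target=$2
    realm=$3
    check_krb5_conf "$new" "$realm" || return 1
    if [ -e "$target" ]; then
        cp -p "$target" "$target.org" || return 1
    fi
    cp "$new" "$target" && chmod 644 "$target"
}

# Usage as root, with the URL given on this page:
#   tmp=$(mktemp) \
#     && wget -O "$tmp" https://authentication.fnal.gov/krb5conf/SL7/krb5.conf \
#     && install_krb5_conf "$tmp" /etc/krb5.conf FNAL.GOV
```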

Normal Use

You use only kinit and ssh for normal use.

kinit your_Kerberos_name
ssh [email protected]

MacOS

The setup procedure on MacOS is similar to the one on Linux but differs slightly, and it also varies with the version of MacOS. To be written.

Windows

Initial Setup

There are multiple programs for using Kerberos and SSH on Windows. We suggest using MIT Kerberos for Windows and PuTTY, following this FNAL page.

  1. Install MIT Kerberos for Windows.
  2. Create the configuration file (krb5.ini) as explained in the FNAL page.
  3. Test the Kerberos authentication.
    • Execute MIT Kerberos via desktop icon or start menu.
    • Confirm that the domain is FNAL.GOV. If not, the configuration file is not correct.
    • Enter your Kerberos name and password.
  4. Install PuTTY.
  5. Configure PuTTY.
    • Execute PuTTY via desktop icon or start menu.
    • Create a profile, by following Create a new SSH Profile for Kerberized Host in the FNAL page.
      • The SSH server for E1039 is e1039gat1.fnal.gov.
  6. Test the SSH connection.
    • Execute PuTTY and select the profile.
    • Execute the following commands in the PuTTY terminal. The 1st command should print out e1039gat1.fnal.gov and the 2nd command should close the connection. If something else happens, the PuTTY configuration is not correct.
      hostname
      exit
      

Normal Use

  • Open MIT Kerberos and authenticate.
  • Open PuTTY, select the saved profile and start a session.
  • PuTTY alone does not support the graphical environment. If you want to use it, you should install Xming, for example.