kerberos ssh - E1039-Collaboration/e1039-wiki GitHub Wiki
SSH with Kerberos
SSH with Kerberos authentication is the standard method of accessing the SpinQuest computers at NM4. Besides using the shell environment (i.e. text terminal) to execute programs, you can also create a secure tunnel to browse LAN-only web pages, etc.
Your Kerberos account has to exist and be active. If you don't remember its password, first contact the Fermilab help desk to reset it.
The procedure for setting up Kerberos and SSH varies with the OS. Please jump to the section below that corresponds to your OS.
Linux
Initial Setup
The setup procedure on Linux is straightforward, as you just have to copy the configuration file (krb5.conf).
The following example assumes that the sudo command is available, to manipulate system-level files.
If it is not available on your Linux distribution, you should use su to switch the user.
cd /etc
sudo mv krb5.conf krb5.conf.org
sudo wget https://authentication.fnal.gov/krb5conf/SL7/krb5.conf
kinit your_Kerberos_name
klist
If kinit shows any error message, do not ignore it; resolve it before going further.
If it is successful, klist shows a valid ticket for krbtgt/[email protected].
You then log in to the gateway server, execute a test command and log out:
ssh [email protected]
hostname
exit
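A pre-flight check for the Linux steps above, as an added example that is not part of the wiki: it confirms that the downloaded krb5.conf names the expected default realm and that a valid ticket exists before you run ssh. The function names are hypothetical, and the expected realm FNAL.GOV is taken from the Windows section of this page.

```shell
#!/bin/sh
# Added example: pre-flight check for the Linux setup (not part of the wiki).
# Assumption: the expected realm is FNAL.GOV, the domain named in the Windows steps.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
# A default_realm key inside any other section is ignored.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop the key and the equals sign
            sub(/[ \t\r]*$/, "")       # drop trailing blanks and CR
            print; exit
        }
    ' "$1" 2>/dev/null
}

# Return 0 only if the file's default realm is non-empty and equals EXPECTED.
check_realm() {   # usage: check_realm FILE EXPECTED
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] && [ "$realm" = "$2" ]
}

# Return 0 only if the credential cache holds a non-expired ticket.
# klist -s runs silently and reports the result through its exit status.
have_ticket() {
    klist -s 2>/dev/null
}

# Run both checks; returns 1 on a realm mismatch, 2 on a missing ticket.
preflight() {     # usage: preflight [FILE] [EXPECTED]
    conf=${1:-/etc/krb5.conf}
    want=${2:-FNAL.GOV}
    if ! check_realm "$conf" "$want"; then
        echo "default_realm in $conf is '$(krb5_default_realm "$conf")', expected '$want'" >&2
        return 1
    fi
    if ! have_ticket; then
        echo "no valid Kerberos ticket; run: kinit your_Kerberos_name" >&2
        return 2
    fi
    echo "OK: default realm $want, valid ticket present"
}
```

Source the file and call preflight before ssh; a return value of 1 means the configuration file should be re-checked before entering a password.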
Normal Use
You use only kinit and ssh for normal use.
kinit your_Kerberos_name
ssh [email protected]
MacOS
The setup procedure on MacOS is similar to the one on Linux, but is slightly different and also varies with the version of MacOS. To be written.
Windows
Initial Setup
There are multiple ways (programs) of using Kerberos and SSH on Windows.
Here we suggest using MIT Kerberos for Windows and PuTTY, by following this FNAL page.
- Install MIT Kerberos for Windows.
  - Visit the web site, linked from the FNAL page: https://web.mit.edu/kerberos/dist/
  - Download the 64-bit MSI Installer for the latest version (4.1).
  - Install it.
- Create the configuration file (krb5.ini) as explained in the FNAL page.
- Test the Kerberos authentication.
  - Execute MIT Kerberos via desktop icon or start menu.
  - Confirm that the domain is FNAL.GOV. If not, the configuration file is not proper somehow.
  - Enter your Kerberos name and password.
- Install PuTTY.
  - Visit the web site, linked from the FNAL page: https://www.chiark.greenend.org.uk/~sgtatham/putty/
  - Download the 64-bit MSI installer for the latest version (0.77).
  - Install it.
- Configure PuTTY.
  - Execute PuTTY via desktop icon or start menu.
  - Create a profile, by following "Create a new SSH Profile for Kerberized Host" in the FNAL page.
    - The SSH server for E1039 is e1039gat1.fnal.gov.
- Test the SSH connection.
  - Execute PuTTY and select the profile.
  - Execute the following commands on the PuTTY terminal. The 1st command should print out e1039gat1.fnal.gov and the 2nd command should close the connection. If something else happened, the PuTTY configuration is not proper somehow.
    hostname
    exit
Normal Use
- Open MIT Kerberos and authenticate.
- Open PuTTY, select the saved profile and start a session.
- PuTTY alone does not support the graphical environment. If you want to use it, you should install Xming, for example.