=============================
Kerberos for batch processing
=============================

:Author: Leon Kos

Some sites require GSSAPI for remote batch processing through SSH. To use this
Kerberos authentication one needs to log in with ssh through the firewall with
the following ports open, besides the usual SSH port 22/tcp::

    kerberos        88/udp   kdc   # Kerberos V5 KDC
    kerberos        88/tcp   kdc   # Kerberos V5 KDC
    kerberos-adm   749/tcp         # Kerberos 5 admin/changepw
    kerberos-adm   749/udp         # Kerberos 5 admin/changepw

.. note::

   A connection with Kerberos requires an SSH client with GSSAPI support.
   ``GSSAPIKeyExchange`` in particular is not part of stock OpenSSH; it needs
   the GSSAPI key exchange patch that some distributions (Debian/Ubuntu among
   them) apply. Such packages usually also bring an AFS client.

EUROfusion Gateway (Marconi) cluster
------------------------------------

The following SSH configuration is required in :file:`${HOME}/.ssh/config`::

    # Hosts we want to authenticate to with Kerberos
    Host *.marconi.cineca.it *.eufus.eu *.kth.se *.pdc.kth.se s37 s38 s34 s59
        # User authentication based on GSSAPI is allowed
        GSSAPIAuthentication yes
        # Key exchange based on GSSAPI may be used for server authentication
        GSSAPIKeyExchange yes
        # Hosts to which we want to delegate credentials. Try to limit this to
        # hosts you trust, and where you really have use for forwarded tickets.
        #Host *.marconi.cineca.it. *.eufus.eu. *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
        # Forward (delegate) credentials (tickets) to the server.
        GSSAPIDelegateCredentials yes
        # Prefer GSSAPI key exchange
        PreferredAuthentications gssapi-keyex,gssapi-with-mic

    # All other hosts
    Host *

Note that ``GSSAPIDelegateCredentials yes`` hands a copy of your forwardable
ticket-granting ticket to the server you log in to, so keep it inside the
restricted ``Host`` block rather than under ``Host *``.

Due to missing DNS entries we need to update :file:`/etc/hosts` on the laptop
to contain the following entries::

    #130.186.25.34 r000u05g02.marconi.cineca.it s34
    #130.186.25.37 r040c03s03.marconi.cineca.it s37
    #130.186.25.38 r040c03s04.marconi.cineca.it s38
    #130.186.25.59 r000u11l06.marconi.cineca.it s59
    130.186.25.65 r169c01s01.marconi.cineca.it s65
    130.186.25.69 r169c02s01.marconi.cineca.it s69
    130.186.25.73 r169c03s01.marconi.cineca.it s73
    130.186.25.77 r169c04s01.marconi.cineca.it s77

Kerberos configuration in :file:`/etc/krb5.conf` requires updates in the
following sections with::

    [realms]
        EUFUS.EU = {
            kdc = s02.eufus.eu:88
            kdc = s01.eufus.eu:88
            default_domain = eufus.eu
            admin_server = s02.eufus.eu:749
        }

    [domain_realm]
        .eufus.eu = EUFUS.EU

After this setup one (``g2kosl`` in this example) can initialise a Kerberos
ticket with::

    kinit -f --afslog g2kosl@EUFUS.EU

The ``-f`` flag requests a forwardable ticket, which is what
``GSSAPIDelegateCredentials`` needs; ``--afslog`` is a Heimdal ``kinit``
option that also obtains the AFS token (with MIT Kerberos run ``kinit -f``
and then ``aklog`` instead). List the tickets with::

    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: g2kosl@EUFUS.EU

      Issued                Expires               Principal
    Jun 15 14:01:44 2018  Jul 15 14:01:44 2018  krbtgt/EUFUS.EU@EUFUS.EU
    Jun 15 14:01:45 2018  Jul 15 14:01:44 2018  afs/eufus.eu@EUFUS.EU

SSH login to one of the above login nodes can then be performed simply with::

    ssh g2kosl@s65

If :file:`/etc/openafs/ThisCell` contains the line ``eufus.eu``, then
:file:`/afs/eufus.eu/g2itmdev/user/g2kosl` is also available as a local AFS
home directory.
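The one setting in the configuration above worth auditing is where
``GSSAPIDelegateCredentials yes`` ends up, because a copy of the TGT is
forwarded to every host that matches that ``Host`` block. The following script
is an added example (not part of the original page or of any site tooling): it
walks an ``ssh_config`` file, prints each ``Host`` pattern list that enables
delegation, and fails when the wildcard ``*`` (or the global scope outside any
``Host`` block) does so. The two sample files it writes are constructed for the
demonstration and only borrow host names from this page.

```shell
#!/bin/sh
# Added example: lint ssh_config for over-broad Kerberos credential delegation.
# Not the page's or the site's own code; file names and sample configs are
# constructed for illustration.

# audit_delegation FILE
#   Prints "DELEGATE <host patterns>" for every Host block (or the global scope)
#   that sets GSSAPIDelegateCredentials yes. Exit status is 1 when the wildcard
#   "*" or the global scope delegates, i.e. the TGT would be forwarded to
#   every server the user ever connects to; 0 otherwise.
audit_delegation() {
    awk '
        # Drop comments and surrounding whitespace; fields are re-split after sub().
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }

        # A Host line starts a new block; remember its pattern list.
        tolower($1) == "host" {
            pattern = ""
            for (i = 2; i <= NF; i++) pattern = pattern (i > 2 ? " " : "") $i
            next
        }

        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" {
            scope = (pattern == "" ? "<global>" : pattern)
            print "DELEGATE " scope
            # Any pattern equal to "*" (or no Host block at all) is over-broad.
            n = split(scope, parts, " ")
            for (i = 1; i <= n; i++)
                if (parts[i] == "*" || parts[i] == "<global>") bad = 1
        }

        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample configs (hypothetical directory, created at run time).
SAMPLE_DIR=$(mktemp -d)

# Delegation confined to the trusted cluster block, as on this page.
cat > "$SAMPLE_DIR/restricted.conf" <<'EOF'
Host *.marconi.cineca.it *.eufus.eu s65 s69
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes   # forward tickets only here
Host *
    GSSAPIAuthentication yes
EOF

# The mistake to catch: delegation under the catch-all block.
cat > "$SAMPLE_DIR/wildcard.conf" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF

echo "== restricted.conf =="
audit_delegation "$SAMPLE_DIR/restricted.conf" || echo "REFUSE: wildcard delegation"
echo "== wildcard.conf =="
audit_delegation "$SAMPLE_DIR/wildcard.conf" || echo "REFUSE: wildcard delegation"
```

Because ssh_config takes the first value obtained for each option, a later
``Host *`` block can still supply delegation for any host the earlier block
does not match; the authoritative check for one destination is
``ssh -G s65 | grep -i gssapi``, which prints the effective options without
connecting.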