4.9. Kerberos for batch processing

Author:Leon Kos

Some sites require GSSAPI for remote batch processing through SSH.

To use this Kerberos authentication you need to log in with ssh through a firewall that has the following ports open in addition to the usual SSH port, TCP 22:

kerberos      88/udp    kdc    # Kerberos V5 KDC
kerberos      88/tcp    kdc    # Kerberos V5 KDC
kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
kerberos-adm  749/udp          # Kerberos 5 admin/changepw

Note

A GSSAPI-enabled SSH client is required for the Kerberos connection (the GSSAPIKeyExchange option used below needs a client built with the GSSAPI key-exchange patch, which upstream OpenSSH lacks), and the packages that provide it usually bring in an AFS client as well.

4.9.1. EUROfusion Gateway (Marconi) cluster

The following SSH configuration is required in $HOME/.ssh/config. The short aliases (s65, s69, ...) must match the names defined in /etc/hosts below, because ssh matches Host patterns against the name typed on the command line, not against the resolved address:

# Hosts we want to authenticate to with Kerberos
Host *.marconi.cineca.it *.eufus.eu *.kth.se *.pdc.kth.se s65 s69 s73 s77 s37 s38 s34 s59
# User authentication based on GSSAPI is allowed
GSSAPIAuthentication yes
# Key exchange based on GSSAPI may be used for server authentication
GSSAPIKeyExchange yes
# Hosts to which we want to delegate credentials. Try to limit this to
# hosts you trust, and where you really have use for forwarded tickets.
#Host *.marconi.cineca.it. *.eufus.eu. *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
# Forward (delegate) credentials (tickets) to the server. With the Host line
# above still in effect this applies to every host matched there.
GSSAPIDelegateCredentials yes
# Try the GSSAPI authentication methods first
PreferredAuthentications gssapi-keyex,gssapi-with-mic
# All other hosts: nothing is set here, so the OpenSSH defaults apply
Host *

Delegation hands the server a copy of your ticket-granting ticket (obtained as forwardable with kinit -f below), so anyone controlling that host can act as you for the lifetime of the ticket. Keep the delegating Host line limited to the login nodes you actually submit batch jobs from rather than to whole domains.

Because the login nodes have no DNS entries, /etc/hosts on the laptop needs to contain the following entries:

#130.186.25.34  r000u05g02.marconi.cineca.it s34
#130.186.25.37  r040c03s03.marconi.cineca.it s37
#130.186.25.38  r040c03s04.marconi.cineca.it s38
#130.186.25.59  r000u11l06.marconi.cineca.it s59
130.186.25.65   r169c01s01.marconi.cineca.it s65
130.186.25.69   r169c02s01.marconi.cineca.it s69
130.186.25.73   r169c03s01.marconi.cineca.it s73
130.186.25.77   r169c04s01.marconi.cineca.it s77

The Kerberos configuration in /etc/krb5.conf needs the following entries in its [realms] and [domain_realm] sections:

[realms]
      EUFUS.EU = {
        kdc = s02.eufus.eu:88
        kdc = s01.eufus.eu:88
        default_domain = eufus.eu
        admin_server = s02.eufus.eu:749
      }

[domain_realm]
    .eufus.eu = EUFUS.EU

After this setup the user (g2kosl in this example) obtains a forwardable Kerberos ticket together with an AFS token:

kinit -f --afslog g2kosl@EUFUS.EU

This is the Heimdal kinit syntax: -f requests a forwardable ticket-granting ticket, which is what GSSAPIDelegateCredentials forwards to the login node, and --afslog additionally fetches the AFS token. With MIT Kerberos, whose kinit has no --afslog option, run kinit -f g2kosl@EUFUS.EU followed by aklog.

List the tickets with:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
      Principal: g2kosl@EUFUS.EU

  Issued                Expires               Principal
Jun 15 14:01:44 2018  Jul 15 14:01:44 2018  krbtgt/EUFUS.EU@EUFUS.EU
Jun 15 14:01:45 2018  Jul 15 14:01:44 2018  afs/eufus.eu@EUFUS.EU

SSH login to one of the login nodes above is then simply:

ssh g2kosl@s65

If /etc/openafs/ThisCell contains the line eufus.eu, the AFS home directory /afs/eufus.eu/g2itmdev/user/g2kosl is also available locally on the laptop.
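The whole procedure above (Host block, delegation, kinit, klist, ssh) has a few ways to fail silently: the alias you type may not match any Host pattern, so ssh never offers GSSAPI; the cached ticket may have expired; or a wildcard pattern may delegate your TGT to far more hosts than intended. The following pre-flight script is an added example, not code from this page or from the EUROfusion Gateway documentation. It embeds an ssh_config fragment and Heimdal klist output constructed from the examples above, replays OpenSSH's first-match-wins rule for the host you are about to type, lists every Host pattern under a delegating block (wildcards flagged), and checks that the krbtgt for EUFUS.EU is still valid. The alias s99 used in the usage note is hypothetical and deliberately absent from the configuration.

```python
"""Pre-flight check before `ssh user@host` over GSSAPI (added example, not from the page).
From an ssh_config fragment and Heimdal-style klist output: which options ssh applies to
the target host (first match wins), whether the TGT is delegated to it, which Host patterns
delegate at all (wildcards flagged), and whether an unexpired krbtgt for the realm is cached."""
import fnmatch
import re
from datetime import datetime

# Constructed from the page's $HOME/.ssh/config, with the active aliases on the Host line.
SSH_CONFIG = """\
Host *.marconi.cineca.it *.eufus.eu *.kth.se *.pdc.kth.se s65 s69 s73 s77
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-keyex,gssapi-with-mic
Host *
"""
# Constructed from the page's klist output (Heimdal format, local time, C locale).
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_1001
      Principal: g2kosl@EUFUS.EU

  Issued                Expires               Principal
Jun 15 14:01:44 2018  Jul 15 14:01:44 2018  krbtgt/EUFUS.EU@EUFUS.EU
Jun 15 14:01:45 2018  Jul 15 14:01:44 2018  afs/eufus.eu@EUFUS.EU
"""
KLIST_TIME = "%b %d %H:%M:%S %Y"  # timestamp format used in the listing above


def parse_ssh_config(text):
    """Return [(host_patterns, {option_lowercase: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1][key] = value
    return blocks


def effective_options(host, text):
    """Options ssh applies to `host`: per option the first matching Host block wins.
    Matched against the name typed on the command line; '!' negation is not handled."""
    opts = {}
    for patterns, block in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts


def delegating_patterns(text):
    """[(pattern, is_wildcard)] for every Host pattern that forwards your TGT."""
    return [(p, any(c in p for c in "*?")) for patterns, block in parse_ssh_config(text)
            if block.get("gssapidelegatecredentials", "no").lower() == "yes" for p in patterns]


def parse_klist(text):
    """Return (principal, [(issued, expires, service_principal), ...])."""
    principal, tickets = None, []
    ts = r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})"
    for line in text.splitlines():
        if m := re.match(r"\s*Principal:\s*(\S+)", line):
            principal = m.group(1)
        elif m := re.match(rf"\s*{ts}\s+{ts}\s+(\S+)", line):
            tickets.append((datetime.strptime(m.group(1), KLIST_TIME),
                            datetime.strptime(m.group(2), KLIST_TIME), m.group(3)))
    return principal, tickets


def tgt_status(text, realm, now=None):
    """Is an unexpired krbtgt for `realm` (and an afs/ ticket) cached at `now`?
    `now` may be None (wall clock), a datetime, or a klist-style timestamp string."""
    now = datetime.strptime(now, KLIST_TIME) if isinstance(now, str) else (now or datetime.now())
    principal, tickets = parse_klist(text)
    st = {"principal": principal, "tgt": False, "valid": False, "afs": False, "expires": None}
    for _issued, expires, service in tickets:
        if service == f"krbtgt/{realm}@{realm}":
            st.update(tgt=True, valid=expires > now, expires=expires)
        elif service.startswith("afs/"):
            st["afs"] = True
    return st


def preflight(host, realm, ssh_config=SSH_CONFIG, klist_text=KLIST_OUTPUT, now=None):
    """Return (ready, notes): ready is False if ssh would not try GSSAPI for `host` or no
    valid TGT for `realm` is cached; notes also say where credentials get delegated."""
    notes, opts = [], effective_options(host, ssh_config)
    st = tgt_status(klist_text, realm, now)
    gss_auth = opts.get("gssapiauthentication", "no").lower() == "yes"
    if not gss_auth:
        notes.append(f"{host}: no Host block enables GSSAPIAuthentication (alias missing?)")
    if opts.get("gssapidelegatecredentials", "no").lower() == "yes":
        notes.append(f"{host}: your TGT will be delegated to this server")
    if not st["tgt"]:
        notes.append(f"no krbtgt for {realm} in the cache; run kinit -f first")
    elif not st["valid"]:
        notes.append(f"krbtgt for {realm} expired at {st['expires']}; run kinit -f again")
    notes += [f"credentials are delegated to every host matching {p}"
              for p, wild in delegating_patterns(ssh_config) if wild]
    return gss_auth and st["valid"], notes


if __name__ == "__main__":
    # Evaluate the sample cache as of a date on which its tickets were still valid.
    for target in ("s65", "s99"):
        ready, notes = preflight(target, "EUFUS.EU", now="Jun 20 12:00:00 2018")
        print(f"{target}: {'ready to ssh' if ready else 'NOT ready'}")
        for note in notes:
            print("   -", note)
```

To check a real setup, pass the contents of ~/.ssh/config and the output of klist as ssh_config and klist_text and leave now unset so the wall clock is used. Every wildcard pattern under a delegating block produces a warning on purpose: GSSAPIDelegateCredentials yes hands your TGT to any host that matches, which is exactly the cost the comment in the configuration above asks you to weigh.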