4.9. Kerberos for batch processing
Author: Leon Kos
Some sites require GSSAPI authentication for remote batch processing through SSH.
To use this Kerberos authentication, one must log in with ssh through a firewall that, besides the usual SSH service on TCP port 22, has the following ports open:
kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
Note
Connecting with Kerberos requires a GSSAPI-capable SSH client, which usually also brings an AFS client with it.
4.9.1. EUROfusion Gateway (Marconi) cluster
The following SSH configuration is required in $HOME/.ssh/config:
# Hosts we want to authenticate to with Kerberos
Host *.marconi.cineca.it *.eufus.eu *.kth.se *.pdc.kth.se s37 s38 s34 s59
    # User authentication based on GSSAPI is allowed
    GSSAPIAuthentication yes
    # Key exchange based on GSSAPI may be used for server authentication
    GSSAPIKeyExchange yes
    # Hosts to which we want to delegate credentials. Try to limit this to
    # hosts you trust, and where you really have a use for forwarded tickets.
    #Host *.marconi.cineca.it. *.eufus.eu. *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
    # Forward (delegate) credentials (tickets) to the server.
    GSSAPIDelegateCredentials yes
    # Prefer the GSSAPI authentication methods (key exchange first)
    PreferredAuthentications gssapi-keyex,gssapi-with-mic
# All other hosts
Host *
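The comment in the configuration above asks to limit credential delegation to trusted hosts. As an added check that is not part of the original page, the following Python script parses an ssh_config of that shape and reports every Host block that sets GSSAPIDelegateCredentials yes for a catch-all pattern such as `*`; the embedded sample config is constructed from the page's own hosts, with a deliberately risky catch-all block appended.

```python
"""Flag ssh_config Host blocks that delegate Kerberos tickets to catch-all patterns."""
import re

# Constructed sample: the page's Kerberos block plus a risky catch-all block
SAMPLE_CONFIG = """\
# Hosts we want to authenticate to with Kerberos
Host *.marconi.cineca.it *.eufus.eu s65
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-keyex,gssapi-with-mic
# All other hosts: delegating here forwards tickets to any server
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {option_lowercase: value}), ...] in file order."""
    blocks = []
    patterns, options = ["*"], {}  # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # ssh keeps the first value it sees
    if options:
        blocks.append((patterns, options))
    return blocks

def is_catch_all(pattern):
    """True when a Host pattern is nothing but wildcards, e.g. "*"."""
    return pattern.strip("*?") == ""

def broad_delegation(text):
    """Return catch-all Host patterns whose block sets GSSAPIDelegateCredentials yes."""
    findings = []
    for patterns, options in parse_ssh_config(text):
        if options.get("gssapidelegatecredentials", "").lower() == "yes":
            findings.extend(p for p in patterns if is_catch_all(p))
    return findings
```

To audit a real file, call `broad_delegation(open(path).read())`; an empty list means no block delegates tickets to an unscoped host pattern.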
Because DNS entries for these nodes are missing, /etc/hosts on the laptop must contain the following entries:
#130.186.25.34 r000u05g02.marconi.cineca.it s34
#130.186.25.37 r040c03s03.marconi.cineca.it s37
#130.186.25.38 r040c03s04.marconi.cineca.it s38
#130.186.25.59 r000u11l06.marconi.cineca.it s59
130.186.25.65 r169c01s01.marconi.cineca.it s65
130.186.25.69 r169c02s01.marconi.cineca.it s69
130.186.25.73 r169c03s01.marconi.cineca.it s73
130.186.25.77 r169c04s01.marconi.cineca.it s77
The Kerberos configuration in /etc/krb5.conf requires the following sections to be updated with:
[realms]
    EUFUS.EU = {
        kdc = s02.eufus.eu:88
        kdc = s01.eufus.eu:88
        default_domain = eufus.eu
        admin_server = s02.eufus.eu:749
    }
[domain_realm]
    .eufus.eu = EUFUS.EU
After this setup, the user (g2kosl in this example) can initialise their Kerberos ticket with:
kinit -f --afslog g2kosl@EUFUS.EU
List the tickets with:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: g2kosl@EUFUS.EU
Issued Expires Principal
Jun 15 14:01:44 2018 Jul 15 14:01:44 2018 krbtgt/EUFUS.EU@EUFUS.EU
Jun 15 14:01:45 2018 Jul 15 14:01:44 2018 afs/eufus.eu@EUFUS.EU
SSH login to one of the login nodes listed above can then be performed simply with:
ssh g2kosl@s65
If /etc/openafs/ThisCell contains the line eufus.eu, then /afs/eufus.eu/g2itmdev/user/g2kosl is also available as a local AFS home directory.