GSSAPI "passwordless" auth HOW-TO
This how-to details the necessary steps for "passwordless" GSSAPI authentication on the UGCS cluster.
Software Installation
- Ensure that Kerberos is installed on your system:
  - Linux: The relevant packages generally contain "krb5" in their names, e.g. krb5-user, mit-krb5, or krb5-workstation.
  - OS X: Version 10.4 comes with Kerberos installed. There is even a Kerberos GUI front-end at /System/Library/CoreServices/Kerberos.app.
Kerberos Configuration
- Create a Kerberos configuration file:
  - Linux: /etc/krb5.conf
  - OS X: /Library/Preferences/edu.mit.Kerberos
- Add the following to the configuration file and save it:
- If you do not have other Kerberos settings that you want to keep, you can replace the entire configuration file with http://www.ugcs.caltech.edu/kerberos/krb5.conf
[domain_realm]
    .ugcs.caltech.edu = UGCS.CALTECH.EDU
    ugcs.caltech.edu = UGCS.CALTECH.EDU
[libdefaults]
    default_realm = UGCS.CALTECH.EDU
    dns_fallback = yes
    forwardable = true
    proxiable = true
[realms]
    UGCS.CALTECH.EDU = {
        admin_server = krb-head.ugcs.caltech.edu:749
        kdc = krb-head.ugcs.caltech.edu:88
        kdc = krb-backup.ugcs.caltech.edu:88
    }
[v4 domain_realm]
    .ugcs.caltech.edu = UGCS.CALTECH.EDU
    ugcs.caltech.edu = UGCS.CALTECH.EDU
- Run kinit to fetch a Kerberos ticket. You will be prompted for your UGCS password:
% kinit
Please enter the password for user@UGCS.CALTECH.EDU:
%
SSH Configuration
- Run man ssh_config to see if your version of OpenSSH has the GSSAPITrustDns option. If it does, add the following to your .ssh/config file and save it:
Host to
    HostName to.ugcs.caltech.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
- If your version of OpenSSH does not support the GSSAPITrustDns option, you cannot use to.ugcs.caltech.edu for GSSAPI authentication. You will need to choose a specific UGCS host, e.g.:
Host lara
    HostName lara.ugcs.caltech.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Use
- You can now log in to UGCS without a password until the ticket expires:
% ssh to
Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
Welcome to UGCS 4.0!
%
- You can view active tickets with klist. UGCS tickets expire after ten hours unless renewed, and can be renewed for up to a week:
% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting Expires Service Principal
10/23/07 23:13:17 10/24/07 09:13:17 krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
renew until 10/30/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache
- Tickets can be renewed by running kinit -R:
% kinit -R
%
- Active tickets can be destroyed with kdestroy:
% kdestroy
% klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache
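The klist listing above carries the two lifetimes the text describes: the ten-hour ticket expiry and the one-week "renew until" limit. As an added example (not part of the original how-to), this POSIX shell function parses klist output in that format and reports whether the ticket is still valid, has expired but can still be refreshed with kinit -R, or needs a fresh kinit; the sample output is constructed from the listing above, and the "now" argument uses klist's own MM/DD/YY HH:MM:SS format so no GNU date -d is needed.

```shell
#!/bin/sh
# Turn a klist timestamp "MM/DD/YY HH:MM:SS" into a sortable integer 1YYMMDDHHMMSS
# (the leading "1" keeps years 00-09 from producing a leading zero).
stamp_key() {
    printf '%s\n' "$1" |
        sed -E 's#^([0-9]{2})/([0-9]{2})/([0-9]{2}) ([0-9]{2}):([0-9]{2}):([0-9]{2})$#1\3\1\2\4\5\6#'
}

# Given klist output and "now" in klist's own format (date '+%D %T'), print:
#   none   - no UGCS ticket-granting ticket in the cache: run kinit
#   valid  - ticket still good: nothing to do
#   renew  - expired but inside the renewable window: run kinit -R
#   reinit - renewable lifetime exhausted as well: run kinit again
ticket_action() {
    klist_out=$1
    now=$(stamp_key "$2")
    tgt=$(printf '%s\n' "$klist_out" | grep 'krbtgt/UGCS.CALTECH.EDU' | head -n 1)
    if [ -z "$tgt" ]; then echo none; return; fi
    # Ticket line columns: start date, start time, expiry date, expiry time, principal
    expires=$(stamp_key "$(printf '%s\n' "$tgt" | awk '{print $3 " " $4}')")
    renew=$(printf '%s\n' "$klist_out" | sed -n 's/^[[:space:]]*renew until //p' | head -n 1)
    if [ "$now" -lt "$expires" ]; then echo valid; return; fi
    if [ -n "$renew" ] && [ "$now" -lt "$(stamp_key "$renew")" ]; then echo renew; return; fi
    echo reinit
}

# Constructed sample, copied from the klist listing shown in this how-to.
SAMPLE="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting     Expires            Service Principal
10/23/07 23:13:17  10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
        renew until 10/30/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache"

# The same ticket seen at three moments: before expiry, after expiry, after the renew limit.
for t in '10/24/07 08:00:00' '10/24/07 10:00:00' '10/31/07 00:00:00'; do
    echo "$t -> $(ticket_action "$SAMPLE" "$t")"
done
```

In a wrapper script you would call ticket_action "$(klist 2>/dev/null)" "$(date '+%D %T')" and run kinit -R or kinit according to the answer.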
kinit automatically when necessary
The following Linux/Unix script checks whether you are attempting to ssh to UGCS; if you are, it then checks whether your tickets are present and up to date, and runs kinit if they are not. Drop it into a file named "ssh" in your ~/bin/ directory to use it in place of /usr/bin/ssh (or wherever your ssh lives) by default.
Also, make sure to replace the "3" in the "elif" line with the number of hours you are ahead of Pacific time (e.g., Central time zone users would put a 2 here, while Britons would use an 8). If you are already in the Pacific time zone, you can remove the whole "- 3600 * 3" segment.
#!/bin/bash
# ssh wrapper: make sure a usable UGCS Kerberos ticket exists before connecting.
# Save it as ~/bin/ssh, make it executable, and keep ~/bin ahead of /usr/bin in PATH.
# Only act when an argument is the "to" alias (also user@to or to.<domain>)
# or mentions ugcs; everything else goes straight to the real ssh.
if printf '%s\n' "$@" | grep -qiE '(^|@)to(\.|$)|ugcs'; then
    # "renew until" timestamp of the first ticket, empty if there is none.
    renew_until=$(klist 2>/dev/null | grep 'renew until' | head -n 1 | sed -e 's/^[[:space:]]*renew until //')
    if ! klist 2>/dev/null | grep -qi ugcs; then
        kinit                           # no UGCS ticket in the cache at all
    # Re-kinit once the renewal deadline, minus the 3-hour time-zone offset
    # described above, has passed.
    elif [ $(( $(date -d "$renew_until" +%s) - 3600 * 3 )) -lt "$(date +%s)" ]; then
        kinit
    fi
fi
exec /usr/bin/ssh "$@"
