Website:Kerberized SSH

=GSSAPI "passwordless" auth HOW-TO=

This how-to details the necessary steps for "passwordless" GSSAPI authorization on the UGCS cluster.

==Software Installation==

 * Ensure that Kerberos is installed on your system:
 * Linux: the relevant packages are generally named, e.g., , , or .
 * OS X: version 10.4 comes with Kerberos installed. There is even a Kerberos GUI front-end at .

==Kerberos Configuration==

 * Create a Kerberos configuration file:
 * Linux:
 * OS X:
 * Add the following to the configuration file and save it:
 * If you do not have other Kerberos settings that you want to keep, you can replace the entire configuration file with http://www.ugcs.caltech.edu/kerberos/krb5.conf
 * Run the following to fetch a Kerberos ticket. You will be prompted for your UGCS password:

<pre>
% kinit
Please enter the password for user@UGCS.CALTECH.EDU:
%
</pre>

==SSH Configuration==

 * You need to make sure that the appropriate options are set so that ssh will use GSSAPI correctly. Add these lines to ~/.ssh/config:

<pre>
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes
</pre>

 * Note that under "Host *" these options apply to every host you ssh to, and GSSAPIDelegateCredentials forwards your Kerberos ticket to the remote machine; if you connect to hosts outside UGCS, you may prefer to scope the block to the UGCS hostnames instead of "*".

==Use==

 * You can now log in to UGCS without a password until the ticket expires:

<pre>
% ssh to
Linux terpsichore 2.6.22 #1 SMP Tue Sep 11 15:35:40 PDT 2007 i686
Welcome to UGCS 4.0!
%
</pre>

 * You can view active tickets with the following command. UGCS tickets expire after ten hours unless renewed, and can be renewed for up to a week:

<pre>
% klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting    Expires            Service Principal
10/23/07 23:13:17 10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
	renew until 10/30/07 23:13:17
klist: No Kerberos 4 tickets in credentials cache
</pre>

 * Tickets can be renewed by running:

<pre>
% kinit -R
%
</pre>

 * Active tickets can be destroyed as follows:

<pre>
% kdestroy
% klist
klist: No Kerberos 5 tickets in credentials cache
klist: No Kerberos 4 tickets in credentials cache
</pre>

==kinit automatically when necessary==

The following Linux/Unix script will check whether you're attempting to ssh to UGCS; if you are, it will then check whether your tickets are present and up-to-date, and run kinit if they are not. Drop this into a file named "ssh" in your ~/bin/ directory to use it instead of /usr/bin/ssh (or wherever your ssh lives) by default.

Also, make sure to replace the "3" in the "elif" line with the number of hours you are ahead of Pacific time (e.g., Central time zone users would put a 2 here, while Britons would use an 8). If you are already in the Pacific time zone, you can remove the whole "- 3600 \* 3" segment.

<pre>
#!/bin/bash
# Only bother with Kerberos when the destination looks like a UGCS host
# ("ugcs" or the short alias "to" anywhere in the ssh arguments).
if echo "$@" | grep -ie '.*ugcs\|to.*' > /dev/null; then
    if [ "$(klist 2>/dev/null | grep -i ugcs | wc -l)" -eq 0 ]; then
        # No UGCS ticket at all: get one.
        kinit
    # Otherwise take the first "renew until" time, shift it by your offset
    # from Pacific time (here 3 hours) and kinit if it is already in the past.
    elif expr $(date -d "$(klist | grep "renew until" | head -n 1 | sed -e "s/\trenew\ until\ //")" +%s) - 3600 \* 3 \< $(date +%s) > /dev/null; then
        kinit
    fi
fi
# Finally run the real ssh with the original arguments.
/usr/bin/ssh "$@"
</pre>
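As an added example, not part of the original page, the same "do I need to kinit?" decision can be made from the TGT's Expires column instead of the "renew until" line, which removes the hand-edited time-zone offset; the klist output below is constructed from the format shown above, and the Pacific time zone, the UGCS.CALTECH.EDU realm and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not from the original page): decide whether to run kinit by
# parsing the krbtgt expiry from `klist` output. Interpreting every date in one
# fixed zone means no "- 3600 * N" correction is needed.
export TZ=America/Los_Angeles   # assumption: UGCS times are Pacific

# Constructed klist output, in the layout shown on this page.
SAMPLE_KLIST=$(cat <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@UGCS.CALTECH.EDU
Valid Starting    Expires            Service Principal
10/23/07 23:13:17 10/24/07 09:13:17  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU
	renew until 10/30/07 23:13:17
EOF
)

# Print the expiry of the TGT for realm $2 found in klist output $1 as a Unix
# timestamp; return 1 when no TGT line is present.
tgt_expiry_epoch() {
    local line
    line=$(printf '%s\n' "$1" | grep -F "krbtgt/$2@" | head -n 1)
    [ -n "$line" ] || return 1
    # Fields 3 and 4 of the TGT line are the "Expires" date and time.
    date -d "$(printf '%s\n' "$line" | awk '{print $3" "$4}')" +%s
}

# Return 0 (true) if kinit is needed: no TGT, unparsable expiry, or the TGT
# expires less than $3 seconds after the reference time $2 (epoch seconds).
needs_kinit() {
    local exp
    exp=$(tgt_expiry_epoch "$1" UGCS.CALTECH.EDU) || return 0
    [ $((exp - $2)) -lt "$3" ]
}

# Stand-alone demo: pretend it is 08:00 on the morning the sample TGT expires.
if [ "${1:-}" = "--demo" ]; then
    now=$(date -d "10/24/07 08:00:00" +%s)
    if needs_kinit "$SAMPLE_KLIST" "$now" 3600; then
        echo "kinit needed (TGT expires within the hour)"
    else
        echo "ticket ok"
    fi
fi
```

In a wrapper like the one above you would feed `needs_kinit` the output of a real `klist` and `$(date +%s)`, and call `kinit` when it returns true.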