How to configure kerberos and SSH

This section describes how to configure kerberos.

Configure Kerberos

Next you need to configure Kerberos so that your machine is able to find the PDC domain (the NADA.KTH.SE realm).

The Kerberos configuration file on Linux and OS X is /etc/krb5.conf, which you need to edit as root. If you are not able to become root on your machine, you can instead create the file under your home directory, for example as ~/pdckrb/krb5.conf, and point Kerberos at it by setting the KRB5_CONFIG environment variable:

  # For bash
  export KRB5_CONFIG=~/pdckrb/krb5.conf
  # For tcsh
  setenv KRB5_CONFIG ~/pdckrb/krb5.conf

On Windows, the Kerberos configuration file should instead be located at

  C:\ProgramData\krb5.conf

or

  C:\ProgramData\Kerberos\krb5.conf

krb5.conf should contain the following entries:

  [domain_realm]
    .pdc.kth.se = NADA.KTH.SE
  
  [appdefaults]
    forwardable = yes
    forward = yes
    krb4_get_tickets = no

  [libdefaults]
    default_realm = NADA.KTH.SE
    dns_lookup_realm = true
    dns_lookup_kdc = true

Acquire kerberos tickets

In order to get a Kerberos ticket you first need to start a command shell. On Windows, search for cmd.

To acquire tickets…

  kinit -f <PDC username>@NADA.KTH.SE

You will be asked for your PDC password and then you have acquired your ticket.

On Windows it is important that you run the correct version of the software, since several versions can be installed on Windows by default. Execute…

  where kinit
  c:\windows\system32\kinit.exe
  c:\program files\heimdal\bin\kinit.exe

…to find out which executable you are running. The Heimdal Kerberos tools are in the Program Files folder, or wherever you installed them. In order to execute the Heimdal version you have to enter the complete path:

  c:\"program files"\heimdal\bin\kinit.exe

You can see what active tickets you have using

  klist -f

For this command too it is important that you run the Heimdal version of klist, so specify the full path as described above.

  where klist
  c:\windows\system32\klist.exe
  c:\program files\heimdal\bin\klist.exe

More information about Kerberos can be found at http://web.mit.edu/kerberos/krb5-current/doc/user/index.html

SSH

This section describes how to configure SSH. This procedure only works for Linux and Mac. For Windows, please read the information at Configuring SSH.

SSH without configuration

Without a configuration file, you need to supply these options directly to the ssh command in order to log in:

  ssh -o GSSAPIDelegateCredentials=yes -o GSSAPIKeyExchange=yes \
      -o GSSAPIAuthentication=yes <username>@<cluster>.pdc.kth.se

SSH with configuration

OpenSSH can be configured with command line arguments or a configuration file to simplify the login procedure. The options in the configuration file are parsed in order, and for each option the first value obtained is used, so the more specific Host sections must come before the catch-all Host * section. Create or modify the file ~/.ssh/config

  # Hosts we want to authenticate to with Kerberos
  Host *.kth.se *.kth.se.
  # User authentication based on GSSAPI is allowed
  GSSAPIAuthentication yes
  # Key exchange based on GSSAPI may be used for server authentication
  GSSAPIKeyExchange yes
  # Hosts to which we want to delegate credentials. Try to limit this to
  # hosts you trust, and where you really have use for forwarded tickets.
  Host *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
  # Forward (delegate) credentials (tickets) to the server.
  GSSAPIDelegateCredentials yes
  # Prefer GSSAPI key exchange
  PreferredAuthentications gssapi-keyex,gssapi-with-mic
  # All other hosts
  Host *

The file can be downloaded from here. The file should be named config and if this is not the case, please rename it.

Remember to set the right permissions on the file; ssh refuses to use a configuration file that is writable by other users:

  chmod 644 ~/.ssh/config

After this you can login by using

  ssh <username>@<cluster>.pdc.kth.se
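The Host sections above are resolved by ssh in file order, with the first value obtained for each option winning. The following added example (not part of the original page or of PDC's own tooling) implements that resolution for the ~/.ssh/config shown above, so you can check which hosts would actually receive your forwarded Kerberos tickets before you rely on the file; the sample configuration is embedded as constructed test input.

```python
import fnmatch

# Constructed sample: the ~/.ssh/config from this page, minus the comments.
SAMPLE_CONFIG = """
Host *.kth.se *.kth.se.
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
Host *.csc.kth.se *.csc.kth.se. *.nada.kth.se *.nada.kth.se. *.pdc.kth.se *.pdc.kth.se.
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-keyex,gssapi-with-mic
Host *
"""

def parse_config(text):
    """Return (patterns, {option: value}) blocks in file order."""
    blocks = [(["*"], {})]  # options before any Host line apply everywhere
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(hostname, patterns):
    """Host line semantics: a positive pattern matches and no negated one does."""
    hostname, matched = hostname.lower(), False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(hostname, pat.lower()):
            matched = True
    return matched

def effective_options(hostname, text=SAMPLE_CONFIG):
    """First obtained value wins: earlier matching Host blocks take precedence."""
    options = {}
    for patterns, opts in parse_config(text):
        if host_matches(hostname, patterns):
            for key, value in opts.items():
                options.setdefault(key, value)
    return options

def delegates_credentials(hostname, text=SAMPLE_CONFIG):
    """True if ssh would forward your Kerberos tickets to this host."""
    return effective_options(hostname, text).get("gssapidelegatecredentials", "no") == "yes"
```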

Firewalls and kerberos

When a firewall is installed between your workstation and the computers at PDC, the special configurations described below may be necessary to use Kerberos.

  1. Ports used by Kerberos. Contact your system administrators and make sure that a firewall is really the problem. In its standard configuration Kerberos uses the following ports for communication:

    Port name                Port number  Port type  Comment
    kerberos                 88           UDP        Default configuration
    kerberos                 88           TCP        Alternative configuration for use with firewalls (see below)
    http (used by kerberos)  80           TCP
    ssh                      22           TCP        Usually already open
    ftp-data                 20           TCP
    ftp                      21           TCP

    If possible, open UDP port 88 for bidirectional communication. This is the default (and preferred) mode of operation. Otherwise continue with the next step. After that, try to contact our authentication server with kinit as described before.

  2. If there is no contact through UDP port 88, open TCP port 88 for outgoing traffic instead (if possible), and try kinit again. If it still does not work, continue with the next step.

  3. The next thing to try is to get Kerberos to communicate via http over TCP port 80. This port is often open, since it is needed for surfing the web.

    1. In the Kerberos configuration file created above, add the following [realms] section, which lists each KDC both directly and via http:

      [realms]
        NADA.KTH.SE = {
          kdc = kerberos.nada.kth.se
          kdc = http/kerberos.nada.kth.se
          kdc = kerberos-1.nada.kth.se
          kdc = http/kerberos-1.nada.kth.se
          kdc = kerberos-2.nada.kth.se
          kdc = http/kerberos-2.nada.kth.se
          admin_server = kerberos.nada.kth.se
        }

If kinit <username>@NADA.KTH.SE succeeds but ssh <username>@hostname does not, you might want to have a look at your credential cache with klist. If it does not contain any rows that look like host/<something>@NADA.KTH.SE, you need to get the host credentials (a service ticket for the host principal) manually. That can be done with the following command for a host named hostname:

    $ host hostname | awk '$3 == "address" {print "host "$4}' | bash \
        | awk '{sub(".$",""); print "kgetcred host/"$NF"@NADA.KTH.SE"}' | bash

If hostname is beskow.pdc.kth.se, the output from klist should afterwards contain something like

    Apr 14 16:33:11 2015  Apr 16 10:26:05 2015  host/beskow.pdc.kth.se@NADA.KTH.SE

    2. On some systems, all http communication (i.e. web traffic) must go through a proxy. If that is the case, you can probably find out its address by looking at the settings of your web browser. If not, ask your system administrator.

    To instruct Kerberos to go through the proxy, add the following line to the [libdefaults] section of krb5.conf:

        http_proxy = http://address.of.proxy:port
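The credential-cache check described above (does klist show a host/<hostname>@NADA.KTH.SE row, and is it still valid?) can be scripted. This added example is not part of the original page or of PDC's tooling; it parses klist output in the two-timestamp layout shown above, using a constructed sample, and reports whether the host ticket for a given cluster host is valid, expired or missing.

```python
from datetime import datetime

# Constructed sample of klist output in the "Issued  Expires  Principal" layout
# shown on this page; only the last two lines are ticket rows.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@NADA.KTH.SE

  Issued                Expires               Principal
Apr 14 16:33:11 2015  Apr 16 10:26:05 2015  krbtgt/NADA.KTH.SE@NADA.KTH.SE
Apr 14 16:33:11 2015  Apr 16 10:26:05 2015  host/beskow.pdc.kth.se@NADA.KTH.SE
"""

TIME_FMT = "%b %d %H:%M:%S %Y"  # klist timestamp layout, e.g. "Apr 16 10:26:05 2015"

def parse_tickets(text):
    """Return (principal, issued, expires) for each ticket row in klist output."""
    tickets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or "@" not in fields[8]:
            continue  # header, cache name, default principal or blank line
        try:
            issued = datetime.strptime(" ".join(fields[0:4]), TIME_FMT)
            expires = datetime.strptime(" ".join(fields[4:8]), TIME_FMT)
        except ValueError:
            continue  # not a ticket row after all
        tickets.append((fields[8], issued, expires))
    return tickets

def host_ticket_status(hostname, text, realm="NADA.KTH.SE", now=None):
    """'valid', 'expired' or 'missing' for host/<hostname>@<realm>; `now` is a
    timestamp string in klist format and defaults to the current time."""
    now = datetime.strptime(now, TIME_FMT) if now else datetime.now()
    wanted = f"host/{hostname}@{realm}"
    for principal, _issued, expires in parse_tickets(text):
        if principal == wanted:
            return "valid" if expires > now else "expired"
    return "missing"
```

In practice you would feed it the real output, e.g. `host_ticket_status("beskow.pdc.kth.se", subprocess.run(["klist"], capture_output=True, text=True).stdout)`.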

Reprinted from: https://www.jianshu.com/p/08b652c75141

Reprinted from blog.csdn.net/weixin_34349320/article/details/91160381