
Kerberos on Unfacilitized Linux

How to install the Kerberos client on Linux and log in to our machines with forwarded tickets instead of a password

    1. Install the Kerberos client libraries and binaries from your distribution. The package is named differently per distribution: krb5-workstation on Red Hat/Fedora, krb5-apps-client or krb5-client on SUSE, krb5-user (plus the krb5-config helper) on Ubuntu/Debian.
    2. Create or update the file /etc/krb5.conf with the following contents. This configures kinit for CMU's ECE and Andrew Kerberos 5 realms. forwardable = TRUE is what allows the ssh configuration in step 3 to hand a copy of your ticket to the remote host. allow_weak_crypto = true re-enables single-DES and other deprecated encryption types for every Kerberos client on the machine; leave that line out unless a service you need still refuses anything stronger.
      #== begin /etc/krb5.conf ==
      [libdefaults]
                default_realm = ECE.CMU.EDU
                dns_fallback = yes
                noaddresses = TRUE
                forwardable = TRUE
                allow_weak_crypto = true
      
      [realms]
                ECE.CMU.EDU = {
                        admin_server = krbadmin.ece.cmu.edu
                        kdc = kerberos.ece.cmu.edu
                        kdc = kerberos-1.ece.cmu.edu
                        kdc = kerberos-2.ece.cmu.edu
                        kdc = kerberos-3.ece.cmu.edu
                }
      
                ANDREW.CMU.EDU = {
                        kdc = kerberos.andrew.cmu.edu
                        kdc = kerberos2.andrew.cmu.edu
                        kdc = kerberos3.andrew.cmu.edu
                        admin_server = kerberos.andrew.cmu.edu
                        default_domain = andrew.cmu.edu
                }
      
      [appdefaults]
                tokens = true
                afs_cells = ece.cmu.edu
      #==== end /etc/krb5.conf ===
    3. Create or update /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (this user only) with the following contents. GSSAPIAuthentication lets you log in with your Kerberos ticket instead of typing your password (the remote sshd must have GSSAPIAuthentication enabled as well). GSSAPIDelegateCredentials additionally forwards a copy of your ticket-granting ticket to the remote host, which is what you need for AFS tokens and onward ssh from there. Note that under Host * this forwarding happens to every server you connect to, and anyone with root on such a server can use the forwarded ticket as you; restrict it to hosts you trust, for example Host *.ece.cmu.edu. ForwardX11Trusted yes gives remote X clients unrestricted access to your local display, so scope it the same way. Protocol 2 is the default (and only) protocol in current OpenSSH, so the line is harmless but no longer needed.
      #=== begin /etc/ssh/ssh_config **OR**  ~/.ssh/config ===
      Host *
      Protocol 2
      ## allows remote X clients full (trusted) access to the local display
      ForwardX11Trusted yes
      ## These are required for ticket-based login and for forwarding kerberos tickets over ssh
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
      #=== end /etc/ssh/ssh_config **OR**  ~/.ssh/config ===
  • Kerberos 5 is now configured
  • Kerberos tickets
    • To get ece.cmu.edu Kerberos tickets: kinit username@ECE.CMU.EDU
    • To get andrew.cmu.edu Kerberos tickets: kinit username@ANDREW.CMU.EDU
    • To renew tickets without a password: kinit -R (this only works while the ticket is still valid and within its renewable lifetime; once it has expired you must run kinit again)
    • You can see all your Kerberos tickets using klist; klist -f also prints each ticket's flags, where F means forwardable (required for the ssh delegation above) and R means renewable (required for kinit -R)
  • Optional:
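As an added example (not part of the original page and not an ECE-provided tool), the POSIX shell script below audits the two files created in the steps above and a saved `klist -f` listing: it reports which Host patterns in an ssh config delegate credentials and whether that happens under a bare Host *, whether krb5.conf turns on allow_weak_crypto, and whether the ticket-granting ticket carries the F (forwardable) and R (renewable) flags that ssh delegation and kinit -R respectively depend on. All file paths, the sample configs and the klist listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the ssh config and
# krb5.conf from the steps above, and a saved "klist -f" listing.
# Every function takes a file path so the checks run offline on samples.

# Print the Host pattern list under which GSSAPIDelegateCredentials is "yes".
# ssh_config takes the first matching value, so "Host *" with delegation on
# forwards your TGT to every server you connect to, trusted or not.
delegating_hosts() {
    awk '
        tolower($1) == "host" {
            host = $0
            sub(/^[ \t]*[Hh][Oo][Ss][Tt][ \t]+/, "", host)
            sub(/[ \t]+$/, "", host)
        }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" { print host }
    ' "$1"
}

# Exit 0 when no bare "Host *" block delegates credentials.
delegation_is_scoped() {
    ! delegating_hosts "$1" | grep -qx '\*'
}

# Exit 0 when krb5.conf does not set allow_weak_crypto = true
# (whitespace-insensitive; commented-out lines do not count).
weak_crypto_disabled() {
    ! awk '
        { line = tolower($0); gsub(/[ \t]/, "", line) }
        line == "allow_weak_crypto=true" { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print the flag letters of the krbtgt/ entry in saved "klist -f" output
# (F = forwardable, needed for delegation; R = renewable, needed for kinit -R).
tgt_flags() {
    awk '
        /krbtgt\// { want = 1; next }
        want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; want = 0 }
    ' "$1"
}

# Exit 0 when the TGT in the saved klist output carries flag $2 (e.g. F or R).
tgt_has_flag() {
    tgt_flags "$1" | grep -q "$2"
}

# Constructed samples: the page's ssh config, a variant scoped to ECE hosts,
# a krb5.conf with the weak-crypto line, and a klist -f listing in MIT
# Kerberos' format (principal, dates and cache path are made up).
demo() {
    dir=$(mktemp -d)
    printf 'Host *\nGSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$dir/ssh_config_page"
    printf 'Host *.ece.cmu.edu\nGSSAPIDelegateCredentials yes\nHost *\nGSSAPIAuthentication yes\n' > "$dir/ssh_config_scoped"
    printf '[libdefaults]\n\tdefault_realm = ECE.CMU.EDU\n\tallow_weak_crypto = true\n' > "$dir/krb5.conf"
    cat > "$dir/klist.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@ECE.CMU.EDU

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
        renew until 01/08/2024 10:00:00, Flags: FRIA
EOF
    for f in ssh_config_page ssh_config_scoped; do
        if delegation_is_scoped "$dir/$f"; then echo "$f: delegation scoped to: $(delegating_hosts "$dir/$f")"
        else echo "$f: WARNING, TGT is delegated under 'Host *'"; fi
    done
    if weak_crypto_disabled "$dir/krb5.conf"; then echo "krb5.conf: weak crypto off"
    else echo "krb5.conf: WARNING, allow_weak_crypto = true"; fi
    echo "TGT flags: $(tgt_flags "$dir/klist.txt")"
    tgt_has_flag "$dir/klist.txt" F || echo "WARNING: TGT not forwardable, ssh delegation will not work"
    tgt_has_flag "$dir/klist.txt" R || echo "WARNING: TGT not renewable, kinit -R will fail"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the report on the built-in samples, or source the file and call `delegation_is_scoped ~/.ssh/config`, `weak_crypto_disabled /etc/krb5.conf` and `klist -f > /tmp/k.txt; tgt_flags /tmp/k.txt` against your own machine. The checks are deliberately strict about a bare `Host *`: a delegation line that appears only under a narrower pattern such as `Host *.ece.cmu.edu` passes.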