Infolab wiki|
Size: 2112
Comment:
|
← Revision 19 as of 2012-10-31 22:21:43 ⇥
Size: 1641
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| #acl +Infolab:read,write,delete,evert All:read |
|
| Line 4: | Line 2: |
| Line 7: | Line 4: |
| == CentOS 6 == | Please note that all the tools are already configured on [[Bruce]], [[Rambo]] and [[Zarya]]. |
| Line 9: | Line 6: |
| ==== Get the krb5.conf ==== CentOS has the Kerberos tools installed by default. So no need to install those. First we'll need the krb5.conf configuration file. We probably don't need the whole configuration prepared by the CS, but it doesn't hurt to have it around either. Let's steal the file from hulk (sorry, you'll still have to login with a password): |
=== 1. Configure your OS === * Configure CentOS 6: SshKerberosCentos6 * Configure CentOS 5: SshKerberosCentos5 * Configure Mac OS X: SshKerberosMac * More OSs coming soon... |
| Line 12: | Line 12: |
| {{{ scp hulk:/etc/krb5.conf /etc/krb5.conf }}} If you are running as root, don't forget to prefix the command(s) with ''sudo''. ==== Install AFS tools ==== In order to use the Kerberos credentials to access the AFS file system, we need to install some AFS tools. But first, add a repository with the packages of those tools: {{{ vim /etc/yum.repos.d/openafs.repo }}} Copy the following lines to /etc/yum.repos.d/openafs.repo: {{{ [openafs] name=OpenAFS 1.6.1 for RHEL $releasever - $basearch baseurl=http://dl.openafs.org/dl/openafs/1.6.1/rhel-$releasever/$basearch/ enabled=1 gpgcheck=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OPENAFS priority=10 }}} Now install the openafs-krb5 package: {{{ yum install openafs-krb5 }}} And finally, create a configuration file for the AFS tools: {{{ echo "cs.stanford.edu" >> /usr/vice/etc/ThisCell }}} ==== How to use it this? ==== |
=== 2. Use the Kerberos tools === ==== Get a ticket ==== |
| Line 57: | Line 19: |
This command will obtain a Kerberos ticket for the account ''your_cs_id''. Now you can login to the CS managed machines without using a password (provided that you are logging in as ''your_cs_id'', of course). |
This command will ask you for the password of ''your_cs_id'' and obtain a Kerberos ticket for the account ''your_cs_id''. Now you can login to the CS managed machines without using a password (provided that you are logging in as ''your_cs_id'', of course). |
| Line 63: | Line 24: |
| kinit -l 30d johns | kinit -l 30d your_cs_id |
| Line 65: | Line 26: |
| The command above will issue a ticket with a lifetime of 30 days for the username johns. | |
| Line 66: | Line 28: |
| The command above will issue a ticket with a lifetime of 30 days for the username johns. | You can obtain a ticket for any username if you have a password for that usename (so my username is ''js'' on the local machine I can still obtain the ticket for my johns CS account). ==== Listing your tickets ==== You can list all of the tickets that you currently posses with the klist command: {{{ klist }}} ==== Deleting tickets ==== There may be a case when you do not need the Kerberos ticket any more and you want to delete. No problem, you can do this: {{{ kdestroy }}} |
SSH and Kerberos
This page describes how to tackle the issue of CS managed machines (e.g. hulk and rocky) not allowing you to login without a password via SSH.
Please note that all the tools are already configured on Bruce, Rambo and Zarya.
1. Configure your OS
Configure CentOS 6: SshKerberosCentos6
Configure CentOS 5: SshKerberosCentos5
Configure Mac OS X: SshKerberosMac
- More OSs coming soon...
2. Use the Kerberos tools
Get a ticket
Whenever you would like to log in to CS managed machines (e.g. hulk, rocky) just open a terminal and enter:
kinit your_cs_id
This command will ask you for the password of your_cs_id and obtain a Kerberos ticket for the account your_cs_id. Now you can login to the CS managed machines without using a password (provided that you are logging in as your_cs_id, of course).
If you would like to manually specify the lifetime of the Kerberos ticket, you can do it with the -l switch:
kinit -l 30d your_cs_id
The command above will issue a ticket with a lifetime of 30 days for the username johns.
You can obtain a ticket for any username if you have a password for that usename (so my username is js on the local machine I can still obtain the ticket for my johns CS account).
Listing your tickets
You can list all of the tickets that you currently posses with the klist command:
klist
Deleting tickets
There may be a case when you do not need the Kerberos ticket any more and you want to delete. No problem, you can do this:
kdestroy