← Revision 19 as of 2012-10-31 22:21:43 ⇥
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
#acl +Infolab:read,write,delete,evert All:read |
|
Line 4: | Line 2: |
Line 7: | Line 4: |
=== Configuring CentOS 6 === | Please note that all the tools are already configured on [[Bruce]], [[Rambo]] and [[Zarya]]. |
Line 9: | Line 6: |
==== Get the krb5.conf ==== CentOS has the Kerberos tools installed by default. So no need to install those. First we'll need the krb5.conf configuration file. We probably don't need the whole configuration prepared by the CS, but it doesn't hurt to have it around either. Let's steal the file from hulk (sorry, you'll still have to login with a password): |
=== 1. Configure your OS === * Configure CentOS 6: SshKerberosCentos6 * Configure CentOS 5: SshKerberosCentos5 * Configure Mac OS X: SshKerberosMac * More OSs coming soon... |
Line 12: | Line 12: |
{{{ sudo scp your_cs_id@hulk:/etc/krb5.conf /etc/krb5.conf }}} If you are running as root, you can omit the ''sudo'' prefix. ==== Install AFS tools ==== In order to use the Kerberos credentials to access the AFS file system, we need to install some AFS tools. But first, add a repository with the packages of those tools: {{{ sudo vim /etc/yum.repos.d/openafs.repo }}} Copy the following lines to /etc/yum.repos.d/openafs.repo: {{{ [openafs] name=OpenAFS 1.6.1 for RHEL $releasever - $basearch baseurl=http://dl.openafs.org/dl/openafs/1.6.1/rhel-$releasever/$basearch/ enabled=1 gpgcheck=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OPENAFS priority=10 }}} Now install the openafs-krb5 package: {{{ sudo yum install openafs-krb5 }}} And finally, create a configuration file for the AFS tools: {{{ echo "cs.stanford.edu" >> /usr/vice/etc/ThisCell }}} === How to use it this? === |
=== 2. Use the Kerberos tools === |
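Review bot: the openafs.repo stanza removed at Line 12 sets gpgcheck=0 with an http:// baseurl even though a gpgkey is listed, so packages from that repository are installed unverified. If this text is carried over to SshKerberosCentos6, set gpgcheck=1 there and import the listed key. The removed echo "cs.stanford.edu" >> /usr/vice/etc/ThisCell step also appends instead of overwriting and lacks the sudo the other steps use.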
Line 53: | Line 14: |
Line 59: | Line 19: |
This command will obtain a Kerberos ticket for the account ''your_cs_id''. Now you can login to the CS managed machines without using a password (provided that you are logging in as ''your_cs_id'', of course). |
This command will ask you for the password of ''your_cs_id'' and obtain a Kerberos ticket for the account ''your_cs_id''. Now you can login to the CS managed machines without using a password (provided that you are logging in as ''your_cs_id'', of course). |
Line 65: | Line 24: |
kinit -l 30d johns | kinit -l 30d your_cs_id |
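Review bot: Line 24 keeps -l 30d as the example lifetime, which leaves a usable credential in the ticket cache for a month if the workstation is shared or compromised. Consider a shorter example value with a pointer to kdestroy, and note that the KDC's maximum ticket lifetime may shorten what is actually issued.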
Line 67: | Line 26: |
Line 70: | Line 28: |
You can obtain a ticket for any username if you have a password for that usename (so my username is ''js'' on the local machine I can still obtain the ticket for my johns CS account). | You can obtain a ticket for any username if you have a password for that usename (so my username is ''js'' on the local machine I can still obtain the ticket for my johns CS account). |
Line 73: | Line 31: |
Line 79: | Line 36: |
Line 81: | Line 37: |
SSH and Kerberos
This page describes how to tackle the issue of CS managed machines (e.g. hulk and rocky) not allowing you to log in without a password via SSH.
Please note that all the tools are already configured on Bruce, Rambo and Zarya.
1. Configure your OS
- Configure CentOS 6: SshKerberosCentos6
- Configure CentOS 5: SshKerberosCentos5
- Configure Mac OS X: SshKerberosMac
- More OSs coming soon...
2. Use the Kerberos tools
Get a ticket
Whenever you would like to log in to CS managed machines (e.g. hulk, rocky) just open a terminal and enter:
kinit your_cs_id
This command will ask you for the password of your_cs_id and obtain a Kerberos ticket for the account your_cs_id. Now you can log in to the CS managed machines without using a password (provided that you are logging in as your_cs_id, of course).
If you would like to manually specify the lifetime of the Kerberos ticket, you can do it with the -l switch:
kinit -l 30d your_cs_id
The command above will issue a ticket with a lifetime of 30 days for the username your_cs_id.
You can obtain a ticket for any username if you have the password for that username (so if my username is js on the local machine, I can still obtain a ticket for my johns CS account).
Listing your tickets
You can list all of the tickets that you currently possess with the klist command:
klist
Deleting tickets
There may be a case when you do not need the Kerberos ticket any more and want to delete it. No problem, you can do this:
kdestroy
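
The kinit, klist and ssh steps above combined into one helper, as an added example that is not part of the original page: it reuses a valid ticket for the right account, runs kinit otherwise, and then connects with Kerberos-only authentication. The function names krb_ssh and ticket_user are made up for this example, and it assumes the MIT or Heimdal client tools and OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the MIT or Heimdal
# client tools (kinit, klist) and OpenSSH are on PATH.

# Print the user part of the principal in the default ticket cache.
# MIT klist labels it "Default principal:", Heimdal "Principal:".
ticket_user() {
    klist 2>/dev/null | sed -n \
        -e 's/^Default principal: *\([^@]*\)@.*/\1/p' \
        -e 's/^ *Principal: *\([^@]*\)@.*/\1/p'
}

# krb_ssh CS_ID HOST [REMOTE COMMAND...]
# Log in to HOST as CS_ID with Kerberos, running kinit first only when needed.
krb_ssh() {
    if [ "$#" -lt 2 ]; then
        echo "usage: krb_ssh your_cs_id host [command...]" >&2
        return 2
    fi
    cs_id=$1
    host=$2
    shift 2

    # `klist -s` prints nothing and exits non-zero when the cache is missing
    # or its ticket has expired. A valid ticket for another account (e.g.
    # one obtained for a different username) does not help either.
    if ! klist -s || [ "$(ticket_user)" != "$cs_id" ]; then
        kinit "$cs_id" || return 1
    fi

    # Offer only GSSAPI (Kerberos) authentication, so a missing or rejected
    # ticket is reported as a failure instead of a fallback password prompt.
    ssh -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -l "$cs_id" "$host" "$@"
}

# Example: krb_ssh your_cs_id hulk
```
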