Kerberos
There are three basic steps to configuring Kerberos:
1. Install Kerberos so that you can authenticate using it. If in doubt, look for the program or package that gives you the kinit command.
- OS X:
- Ubuntu:
$ sudo apt-get install krb5-user
- Fedora:
$ sudo dnf install krb5-workstation
2. Edit your Kerberos configuration file krb5.conf (most likely /etc/krb5.conf) for use with Fermilab's Kerberos system. This is most easily done by downloading a custom-configured krb5.conf directly from Fermi:
3. You might need to Kerberize your SSH installation so that you can connect to the SVN server at Fermi. In your SSH config file (most likely ~/.ssh/config, which you may have to create, or /etc/ssh/ssh_config), add
# Fermilab hosts only: authenticate with your Kerberos ticket and
# forward (delegate) it to the remote host.
host *.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
host cdcvs.fnal.gov
    ForwardX11 = no
    # ForwardAgent = yes # only if you're using ssh keys, and not kerberos
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
To test your setup, first run the kinit command. Then:
$ ssh p-quarknet@cdcvs.fnal.gov echo hi
If things are working right, you should get the response
Only 'lscvs' and 'cvs' commands are allowed
This doesn't necessarily indicate everything is perfect with your SVN access - in particular, it will work even if your SSH config isn't right - but it's a good start.
When you run kinit and enter your Kerberos password, the Fermilab Kerberos system authenticates you and issues your computer a ticket verifying this authentication. It's usually good for 24 hours, but you can check using the klist command. As long as you have a valid ticket, you'll be able to communicate freely with the SVN repository via the svn+ssh:// protocol.
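The echo test above succeeds even when the SSH config is wrong, so it helps to check the ticket and the effective SSH options directly. The script below is an added example, not part of the original page or of Fermilab's tooling; the function names and the sample ssh -G output are constructed for illustration.

```shell
#!/bin/sh
# Added example: local pre-flight check for the Kerberos + SSH setup above.

# Read `ssh -G <host>` output on stdin; succeed only if both GSSAPI
# options from the SSH config stanza are in effect for that host.
check_gssapi() {
    awk '
        BEGIN { bad = 0 }
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            if (auth != "yes")  { print "GSSAPIAuthentication is not enabled"; bad = 1 }
            if (deleg != "yes") { print "GSSAPIDelegateCredentials is not enabled"; bad = 1 }
            exit bad
        }'
}

# Full check against the real system: tools, ticket, effective SSH config.
check_setup() {
    host=$1
    for tool in kinit klist ssh; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing command: $tool"; return 1; }
    done
    # klist -s prints nothing and exits non-zero if the ticket cache is absent or expired.
    klist -s || { echo "no valid Kerberos ticket; run kinit"; return 1; }
    # ssh -G prints the options ssh would actually use for this host (OpenSSH 6.8+).
    ssh -G "$host" | check_gssapi || return 1
    echo "ok: valid ticket, GSSAPI enabled for $host"
}

# Constructed sample of `ssh -G` output where the config stanza did not apply.
SAMPLE_UNCONFIGURED='hostname cdcvs.fnal.gov
gssapiauthentication no
gssapidelegatecredentials no
forwardx11 no'

if [ "$#" -gt 0 ]; then
    check_setup "$1"          # e.g. sh check.sh cdcvs.fnal.gov
else
    # No host given: demonstrate the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_UNCONFIGURED" | check_gssapi || echo "(sample config fails the check)"
fi
```

Run it with the host name as the only argument to check your own machine; with no argument it only exercises the parser on the constructed sample.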
Once you think everything is in place (including your ticket!), try running
$ svn co svn+ssh://p-quarknet@cdcvs.fnal.gov/cvs/projects/quarknet/branches/4.0-ND-dev
This should check out (co) the 4.0-ND-dev branch to your current working directory.
If it doesn't, these links have information that might help:
If you're a Fermilab User, you can also contact the Service Desk for assistance in setting up Kerberos.
Ubuntu 16
/etc/krb5.conf doesn't exist by default, nor does anything matching /etc/krb*.
The krb5-user package is what provides the kinit and klist commands.
$ sudo apt-get install krb5-user
Fedora 23
Several Kerberos packages came preinstalled, including
pam_krb5.x86_64
sssd-krb5.x86_64
sssd-krb5-common.x86_64
along with some libraries and the /etc/krb5.conf configuration file. To use Kerberos as a client, though, you'll need the krb5-workstation package:
$ sudo dnf install krb5-workstation
This is what gives you the kinit and klist commands you'll need.
After putting Fermilab's krb5.conf file in place (see the link above), you'll also need to amend (or create) your own SSH config file at ~/.ssh/config
-- Main.JoelG - 2016-10-07