About kerberos and ssh
If you have a valid kerberos ticket you can configure ssh to forward your credentials, allowing password-less connections to properly configured linux boxen.
Kerberos Configuration
It is useful to create a kerberos config file. The Mac Self-Service has an action item called "kerberos config file new" in the category 'Configuration'. Once the config file is created (in /etc/krb5.conf), you can run
kinit yourCernAccountName
to create a kerberos token that you can use for your browser, for ssh, the Self-Service login and many other services.
Kerberos config file for users without Self-Service
For users that cannot use the CERN Self-Service, configure Kerberos by writing the following file to /etc/krb5.conf:
; AD : This Kerberos configuration is for CERN's Active Directory realm
; The line above this is magic and is used by cern-config-keytab. Do
; not remove.
; Installed with puppet from a series of
; template fragments.
; /etc/krb5.conf
[libdefaults]
    default_realm = CERN.CH
    ticket_lifetime = 25h
    renew_lifetime = 120h
    forwardable = true
    proxiable = true
    default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts
    chpw_prompt = true
[appdefaults]
    pam = {
        external = true
        krb4_convert = false
        krb4_convert_524 = false
        krb4_use_as_req = false
    }
[domain_realm]
    .cern.ch = CERN.CH
    .fnal.gov = FNAL.GOV
    .hep.man.ac.uk = HEP.MAN.AC.UK
    .in2p3.fr = IN2P3.FR
    # No default domain for KFKI.HU specified.
[realms]
    # Start of puppet output for CERN.CH
    CERN.CH = {
        default_domain = cern.ch
        kpasswd_server = cerndc.cern.ch
        admin_server = cerndc.cern.ch
        kdc = cerndc.cern.ch
        v4_name_convert = {
            host = {
                rcmd = host
            }
        }
    }
    # Start of puppet output for FNAL.GOV
    FNAL.GOV = {
        default_domain = fnal.gov
        admin_server = krb-fnal-admin.fnal.gov
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
    }
    # Start of puppet output for HEP.MAN.AC.UK
    HEP.MAN.AC.UK = {
        default_domain = hep.man.ac.uk
        kpasswd_server = afs4.hep.man.ac.uk
        admin_server = afs4.hep.man.ac.uk
        kdc = afs1.hep.man.ac.uk
        kdc = afs2.hep.man.ac.uk
        kdc = afs3.hep.man.ac.uk
        kdc = afs4.hep.man.ac.uk
    }
    # Start of puppet output for IN2P3.FR
    IN2P3.FR = {
        default_domain = in2p3.fr
        kpasswd_server = kerberos-admin.in2p3.fr
        admin_server = kerberos-admin.in2p3.fr
        kdc = kerberos-1.in2p3.fr
        kdc = kerberos-2.in2p3.fr
        kdc = kerberos-3.in2p3.fr
    }
    # Start of puppet output for KFKI.HU
    KFKI.HU = {
        admin_server = kerberos.kfki.hu
        kdc = kerberos.kfki.hu
    }
Changes for CentOS 8
Previous versions of the /etc/krb5.conf file used
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
With that setting you can log in to a CentOS 8 node, but you would not get an AFS token. The new version of the /etc/krb5.conf file uses
default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
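The two enctype lines above differ in which types the client offers first and whether legacy types are still on the list. The following is an added example (not part of the CERN page or its puppet templates) that pulls the enctype list out of a krb5.conf text and reports the preferred type and any legacy types (RC4 and the DES family, deprecated for Kerberos by RFC 6649 and RFC 8429). It understands both the Heimdal spelling default_etypes used in the CERN file and the MIT spelling default_tkt_enctypes used in the older file; the sample file it runs on is constructed for the demonstration.

```shell
# Added example, not CERN's own tooling. Reads a krb5.conf text and reports
# the enctype list the file would use.

# Print the value of default_etypes (Heimdal spelling) or default_tkt_enctypes
# (MIT spelling) from the [libdefaults] section only.
# Assumes "key = value" lines and ';' or '#' comment lines.
krb5_etypes() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*[;#]/ { next }                          # comment lines
    /^[[:space:]]*\[/ {                                   # section header
      insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next
    }
    insect && /^[[:space:]]*(default_etypes|default_tkt_enctypes)[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")                      # keep the value only
      sub(/[[:space:]]+$/, "")
      print; exit
    }'
}

# First enctype in the list: the one the client prefers when requesting tickets.
krb5_first_etype() {
  krb5_etypes "$1" | awk '{ print $1 }'
}

# Print the legacy enctypes present in the list (RC4, single DES, triple DES),
# one per line; prints nothing when the list is clean.
krb5_legacy_etypes() {
  for e in $(krb5_etypes "$1"); do
    case "$e" in
      arcfour*|des-cbc-*|des3-cbc-*) printf '%s\n' "$e" ;;
    esac
  done
}

# Constructed sample: the pre-CentOS 8 line quoted on the page, in a minimal file.
OLD_KRB5_CONF='; /etc/krb5.conf (constructed sample)
[libdefaults]
    default_realm = CERN.CH
    default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
    CERN.CH = {
        kdc = cerndc.cern.ch
    }'

echo "preferred enctype: $(krb5_first_etype "$OLD_KRB5_CONF")"
echo "legacy enctypes offered:"
krb5_legacy_etypes "$OLD_KRB5_CONF"
```

To check the installed file, call krb5_etypes "$(cat /etc/krb5.conf)"; an empty result means neither key is set in [libdefaults] and the library's built-in defaults apply.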
ssh Configuration
You need to instruct ssh to use (or "forward") your kerberos token to log in to lxplus or other services. This can be done on the command line, or more conveniently via the ssh configuration.
The necessary configuration can be applied in two places on your Mac:
- In /etc/ssh/ssh_config (not sshd_config!), which was /etc/ssh_config prior to OS 10.12. In that case it is applied to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit this in any case...
- In ~/.ssh/config. In that case it is applied to the current Mac account only.
You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a rogue host you run the risk that somebody abuses your credentials. So it is important to have the settings in question inside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus.cern.ch", "svn.cern.ch", "mylinuxbox.cern.ch" and all hosts matching "pcmydepmygroup*.cern.ch".
#...
Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
#...
About GSSAPITrustDNS
Up to OS 10.11.6 the built-in ssh and scp binaries supported the option GSSAPITrustDNS, which at that time was very useful for connecting to lxplus. This option is not supported any longer, but due to an improved configuration of lxplus it is also not needed any more. If you used it in the past you will have to remove it from your ssh configuration files.
About LANG LC_*
When connecting to lxplus or other linux boxen with OS prior to CC8, we might be greeted with messages like
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
We can avoid these by deleting or commenting out the line
SendEnv LANG LC_*
from /etc/ssh/ssh_config. Unfortunately there is no way to achieve the same result by any parameter in ~/.ssh/config, and Apple overwrites /etc/ssh/ssh_config with almost every OS or security update :(
In case you have all required settings in ~/.ssh/config and do not need any of the settings from /etc/ssh/ssh_config, you can use the ssh or scp option '-F ~/.ssh/config' to avoid reading /etc/ssh/ssh_config, and thus avoid being bothered by Apple re-activating the SendEnv LANG LC_* with every update to ssh.
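Both points made in the ssh sections, that GSSAPIDelegateCredentials must never apply to every host and that Apple keeps re-activating SendEnv LANG LC_*, can be checked mechanically after each OS update. The following is an added example, not CERN's tooling and not from the original page: it scans an ssh client configuration text and reports a GSSAPIDelegateCredentials yes that would reach every host (in a "Host *" block or in the global section before any Host/Match block) and any active SendEnv line for LANG or LC_*. It assumes the "Keyword value" form of ssh_config (not "Keyword=value"); the two configurations it runs on are constructed samples.

```shell
# Added example; not part of the CERN page. Audit an ssh client config text.
# Prints one finding per line; returns 0 if clean, 1 if something was found.
ssh_config_audit() {
  printf '%s\n' "$1" | awk '
    BEGIN { scope = "<global>"; found = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blank lines
    {
      key = tolower($1)
      if (key == "host" || key == "match") {               # a new block starts
        scope = $2
        for (i = 3; i <= NF; i++) scope = scope " " $i
        next
      }
      if (key == "gssapidelegatecredentials" && tolower($2) == "yes") {
        # a bare "*" pattern, or the global section, reaches every host
        if (scope == "<global>" || scope ~ /(^|[[:space:]])\*([[:space:]]|$)/) {
          printf "line %d: GSSAPIDelegateCredentials yes applies to all hosts (block: %s)\n", NR, scope
          found = 1
        }
      }
      if (key == "sendenv") {
        for (i = 2; i <= NF; i++)
          if ($i == "LANG" || $i == "LC_*") {
            printf "line %d: active SendEnv %s\n", NR, $i
            found = 1
            break
          }
      }
    }
    END { exit found }'
}

# Constructed sample 1: delegation under "Host *" plus the SendEnv line Apple ships.
UNSAFE_CONFIG='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
SendEnv LANG LC_*'

# Constructed sample 2: delegation limited to named trusted hosts, SendEnv commented out.
# "pcmydepmygroup*.cern.ch" contains a wildcard but is not a bare "*" and is accepted.
SAFE_CONFIG='Host lxplus.cern.ch aiadm.cern.ch pcmydepmygroup*.cern.ch
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    ServerAliveInterval 60
# SendEnv LANG LC_*'

echo "unsafe sample:"
ssh_config_audit "$UNSAFE_CONFIG" || echo "-> fix before use"
echo "safe sample:"
ssh_config_audit "$SAFE_CONFIG" && echo "-> clean"
```

To check the real files, run ssh_config_audit "$(cat /etc/ssh/ssh_config)" and ssh_config_audit "$(cat ~/.ssh/config)" separately; ssh reads both, and the first value found for a keyword wins, so a delegation line in the global section of either file matters.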
Configuring Firefox to use kerberos for SSO
To enable Firefox to use your kerberos token apply the following steps:
- type about:config in the address bar
- type negotiate in the Search field
- click on the edit button for the network.negotiate-auth.trusted-uris field
- enter cern.ch in the text field
About git
The git version provided by Apple ships with a configuration that has problems authenticating via Kerberos. On cloning a repository you might get messages like
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://:@gitlab.cern.ch:8443/macsupport/packaging-tools.git/'
To avoid this run
git config --global http.emptyAuth true
About third party software
Some popular package managers like brew, MacPorts etc. provide their own versions of kinit, ssh, ... Unfortunately these use different places to store the kerberos token and as a result are incompatible with the executables provided by macOS. We recommend not using any third-party kerberos or ssh binaries.
Troubleshooting
If your ssh login asks for a password despite the fact that you have a kerberos token, run the command klist to display your tokens. The first line of the output should look like
Credentials cache: API:3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4
where the '3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4' will be different for every user and every session.
Different output indicates that you were using a non-standard kinit (and klist) command (for example, Anaconda installs one).
Try using the command /usr/bin/kinit (and /usr/bin/klist) for generating and listing your tickets. If that works, it means that your $PATH variable was modified by some other software you installed, and when you simply use kinit/klist, it uses that version which is incompatible. To fix this permanently, you would have to alter your $PATH variable to point instead to these two built-in commands.