About kerberos and ssh
If you have a valid kerberos ticket you can configure ssh to forward your credentials, allowing password-less connections to properly configured linux boxen.
It is useful to create a kerberos config file. The Mac Self-Service has an action item called "kerberos config file new" in the category 'Configuration'. Once the config file is created (in /etc/krb5.conf), you can run
to create a kerberos token that you can use for your browser, for ssh, the Self-Service login and many other services.
Changes for Centos8
Previous versions of the /etc/krb5.conf file used
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
With that setting you can login to a Centos8 node, but you would not get an afs token. The new version of the /etc/krb5.conf file uses
default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
You need to instruct ssh to use (or "forward") your kerberos token to login to lxplus or other services. This can be done on the command line, or more conveniently via the ssh configuration.
The necessary configuration can be applied in two places on your Mac:
/etc/ssh_configprior to OS 10.12). In that case it is applied to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit this in any case...
~/.ssh/config. In that case it is applied to the current Mac account only.
You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a roque host you run the risk that somebody abuses your credentials. So it is important to have the settings in question inside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus.cern.ch", "svn.cern.ch", "mylinuxbox.cern.ch" and all hosts matching "pcmydepmygroup*.cern.ch".
Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch
Up to OS 10.11.6 the built-in ssh and scp binaries supported the option
GSSAPITrustDNS, which at that time was very useful for connecting to lxplus. This option is not supported any longer, but due to an improved configuration of lxplus it is also not needed any more. If you used it in the past you will have to remove it from your ssh configuration files.
About LANG LC_*
When connecting to lxplus or other linux boxen with OS prior to CC8, we might be greeted with messages like
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
We can avoid these by deleting or commenting out the line
SendEnv LANG LC_*
/etc/ssh/ssh_config. Unfortunately there is no way to achieve the same result by any parameter in
~/.ssh/config - and Apple overwrites
/etc/ssh/ssh_config with almost every OS or security update :(
In case you have all required settings in
~/.ssh/config and do not need any of the settings from
/etc/ssh/ssh_config you can use the ssh or scp option '
-F ~/.ssh/config' to avoid reading
/etc/ssh/ssh_config, and thus avoid being bother by Apple re-activating the
SendEnv LANG LC_* with every update to ssh.
Configuring Firefox to use kerberos for SSO
To enable Firefox to use your kerberos token apply the following steps:
about:configin the address bar
negotiatein the Search field
- click on the edit button for the
cern.chin the text field
The git version provided by Apple has a configuration that has problems handling git via kerberos. On cloning a repository you might get messages like
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://:@gitlab.cern.ch:8443/macsupport/packaging-tools.git/'
To avoid this run
git config --global http.emptyAuth true
About third party software
Some popular package managers like brew, macports etc provide own versions on kinit, ssh,... Unfortunately these use different places to store the kerberos token and as a result are incompatible with the executables provided by macOS. We recommend not using any third party kerberos or ssh binaries.
If your ssh login asks for a password despite the fact that you have a kerberos token, run the command
klist to display your tokens. The first line of the output should look like
Credentials cache: API:3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4
where the '3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4' will be different for every user and every session.
Different output indicates that you were using a non-standard kinit (and klist) command (for example, Anaconda installs one).
Try using the command
/usr/bin/klist) for generating and listing your tickets. If that works, it means that your $PATH variable was modified by some other software you installed, and when you use simply
klist, it uses that version which is incompatible. To fix this permamently, you would have to alter your $PATH variable to point instead to these two built-in commands.