About kerberos and ssh
If you have a valid kerberos ticket you can configure ssh to forward your credentials, allowing password-less connections to properly configured linux boxen.
Kerberos Configuration
It is useful to create a kerberos config file. The Mac Self-Service has an action item called "kerberos config file new" in the category 'Configuration'. Once the config file is created (in /etc/krb5.conf), you can run
kinit yourCernAccountName
to create a kerberos token that you can use for your browser, for ssh, the Self-Service login and many other services.
Changes for Centos8
Previous versions of the /etc/krb5.conf file used
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
With that setting you can login to a Centos8 node, but you would not get an afs token. The new version of the /etc/krb5.conf file uses
default_etypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
ssh Configuration
You need to instruct ssh to use (or "forward") your kerberos token to login to lxplus or other services. This can be done on the command line, or more conveniently via the ssh configuration.
The necessary configuration can be applied in two places on your Mac:
- In
/etc/ssh/ssh_config
(notsshd_config
!)(was/etc/ssh_config
prior to OS 10.12). In that case it is applied to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit this in any case... - In
~/.ssh/config
. In that case it is applied to the current Mac account only.
You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a roque host you run the risk that somebody abuses your credentials. So it is important to have the settings in question inside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus.cern.ch", "svn.cern.ch", "mylinuxbox.cern.ch" and all hosts matching "pcmydepmygroup*.cern.ch".
#
Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.chGSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#...
About GSSAPITrustDNS
Up to OS 10.11.6 the built-in ssh and scp binaries supported the option GSSAPITrustDNS
, which at that time was very useful for connecting to lxplus. This option is not supported any longer, but due to an improved configuration of lxplus it is also not needed any more. If you used it in the past you will have to remove it from your ssh configuration files.
About LANG LC_*
When connecting to lxplus or other linux boxen with OS prior to CC8, we might be greeted with messages like
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
We can avoid these by deleting or commenting out the line
SendEnv LANG LC_*
from /etc/ssh/ssh_config
. Unfortunately there is no way to achieve the same result by any parameter in ~/.ssh/config
- and Apple overwrites /etc/ssh/ssh_config
with almost every OS or security update :(
In case you have all required settings in ~/.ssh/config
and do not need any of the settings from /etc/ssh/ssh_config
you can use the ssh or scp option '-F ~/.ssh/config
' to avoid reading /etc/ssh/ssh_config
, and thus avoid being bother by Apple re-activating the SendEnv LANG LC_*
with every update to ssh.
Configuring Firefox to use kerberos for SSO
To enable Firefox to use your kerberos token apply the following steps:
- type
about:config
in the address bar - type
negotiate
in the Search field - click on the edit button for the
network.negotiate-auth.trusted-uris
field - enter
cern.ch
in the text field
About git
The git version provided by Apple has a configuration that has problems handling git via kerberos. On cloning a repository you might get messages like
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://:@gitlab.cern.ch:8443/macsupport/packaging-tools.git/'
To avoid this run git config --global http.emptyAuth true
About third party software
Some popular package managers like brew, macports etc provide own versions on kinit, ssh,... Unfortunately these use different places to store the kerberos token and as a result are incompatible with the executables provided by macOS. We recommend not using any third party kerberos or ssh binaries.
Troubleshooting
If your ssh login asks for a password despite the fact that you have a kerberos token, run the command klist
to display your tokens. The first line of the output should look like
Credentials cache: API:3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4
where the '3A10A0E1-7B9E-407A-8CB0-1B5D331BA0B4' will be different for every user and every session.
Different output indicates that you were using a non-standard kinit (and klist) command (for example, Anaconda installs one).
Try using the command /usr/bin/kinit
(and /usr/bin/klist
) for generating and listing your tickets. If that works, it means that your $PATH variable was modified by some other software you installed, and when you use simply kinit
/klist
, it uses that version which is incompatible. To fix this permamently, you would have to alter your $PATH variable to point instead to these two built-in commands.