
Remote access
Per Sedholm, Systemgruppen CSC
November 26, 2010

Contents

1 Remote access
  1.1 Key fingerprints
  1.2 Terminal access
  1.3 File transfer
  1.4 X11 forwarding, GSSAPI
  1.5 Connecting to MS Windows remotely
      Ubuntu
      Mac OS X
      Windows 7
2 Setting up Kerberos
  2.1 Mac OS X
  2.2 Ubuntu / Linux
  2.3 MS Windows
3 X11 and GSSAPI from Windows
  3.1 MIT Kerberos configuration
  3.2 PuTTY configuration
  3.3 WinSCP configuration
  3.4 Xming
4 Background information on Kerberos
  4.1 Introduction to Kerberos
      Tickets
      Ticket forwarding (credential delegation)
      More information about Kerberos
  4.2 Installing Kerberos
  4.3 Configuring Kerberos
      Most UNIX and Linux distributions
      Mac OS X
  4.4 Using Kerberos
      UNIX/Linux, including Mac OS X

1 Remote access

Various forms of remote access can be used to retrieve files or use other resources at CSC. You are required to use a secure login method, where passwords are never sent in clear text over the Internet. The recommended method is SSH, which is available for all common operating systems and is usually installed by default. Other login methods (telnet) can be used, but only Kerberized versions.

The best way to use SSH from a UNIX or UNIX-like operating system is to authenticate on the local computer, and then use ticket forwarding (credential delegation) to log in to the remote system. In practice, this lets you open both command-line and file transfer sessions without entering your password again after the initial authentication. Many other services and protocols can also use Kerberos authentication, providing single sign-on. However, since not all systems support ticket forwarding, the remote terminal servers also allow normal password login.

The servers you can use are

    s-shell.csc.kth.se (Solaris)
    u-shell.csc.kth.se (Ubuntu)

1.1 Key fingerprints

If you do not use Kerberos for host verification (GSSAPIKeyExchange, see section 1.4), your SSH client will ask you to confirm the key fingerprint of the server the first time you connect. The fingerprint may be presented as a series of hexadecimal digits (the MD5 fingerprint, which is what ssh-keygen -l printed in OpenSSH releases of the time) or as artificial words (the Bubble Babble digest, as printed by ssh-keygen -B). The two forms are different digests of the same key, so one cannot be converted into the other: compare whichever form your client shows against the matching line below, and compare the whole string, not just the first few groups. Both RSA and DSA host keys can be used. If a fingerprint you have accepted earlier suddenly changes, stop and verify it out of band before typing your password.

For s-shell.csc.kth.se, the fingerprints are

    DSA  7f:11:70:56:2f:9b:4b:7e:f5:a6:58:cc:9d:4f:cd:46
         xukiz-duhuk-tokup-hegeh-pesal-cadyk-fityr-firuz-pusen-molav-toxix
    RSA  f3:1e:d0:28:9a:b1:5f:78:b5:25:17:1c:e0:4a:38:22
         xiton-suhom-vomyn-tymim-misid-ruteh-dumik-kufub-duzul-sizyg-tixux

For u-shell.csc.kth.se, the fingerprints are

    DSA  72:44:f8:5a:31:5f:e9:ba:47:d0:65:9c:7d:26:fc:8b
         xikak-sugok-zypet-sufyt-dibec-melac-dugin-fulas-bydyb-forob-saxyx
    RSA  74:67:64:77:81:e9:61:c2:7d:ff:87:58:68:25:d0:6c
         xumas-dupos-mezeg-lygut-mefok-lovep-fibed-munod-sulam-retyt-vyxex

CSC's employees also have access to the host faun.nada.kth.se. Access to faun is restricted; students can't log in there. Its fingerprints are

    DSA  a7:bb:2e:b7:a7:c7:2e:9a:5c:dd:3e:6d:22:ce:80:5a
         xugiz-dodyb-hytov-sidec-mafor-pamek-ruryg-vymok-guram-duhes-lyxux
    RSA  aa:37:99:20:ba:ab:e3:1b:4b:11:58:1c:9d:8b:ab:1a
         xudem-mazes-tuvok-cykuh-vadaz-facek-dimuk-fysoz-fubes-geban-vexex
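The two fingerprint forms listed above are easy to mis-compare by eye, so here is an added example (not part of the original guide, and not CSC's tooling) that computes both forms from an OpenSSH public-key line and checks them against a published value. It implements the Bubble Babble encoding that ssh-keygen -B uses (over the SHA-1 of the key blob) and the colon-separated MD5 form; the RSA key it builds is a constructed toy modulus, not a real host key.

```python
import base64
import hashlib
import struct

# Bubble Babble alphabet (Antti Huima's encoding, as used by ssh-keygen -B)
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode bytes as Bubble Babble: 'x', five-letter groups separated by '-', 'x'."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # even-length input ends with a padding group derived from the seed alone
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading zero byte if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public-key line from (e, n); used here only to construct a test key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def key_blob(pubkey_line: str) -> bytes:
    """The binary key blob is the second field of the line; both fingerprints are digests of it."""
    return base64.b64decode(pubkey_line.split()[1])


def md5_fingerprint(pubkey_line: str) -> str:
    """The hex form: MD5 of the key blob, colon-separated (ssh-keygen -l on OpenSSH of the time)."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def babble_fingerprint(pubkey_line: str) -> str:
    """The word form: Bubble Babble of the SHA-1 of the key blob (ssh-keygen -B)."""
    return bubble_babble(hashlib.sha1(key_blob(pubkey_line)).digest())


def matches_published(pubkey_line: str, published: str) -> bool:
    """Accept a host key only if its fingerprint equals the published one, in either form, in full."""
    wanted = published.strip().lower()
    return wanted in (md5_fingerprint(pubkey_line), babble_fingerprint(pubkey_line))


# Constructed test key: a toy RSA modulus, NOT a real host key and far too small for real use.
SAMPLE_KEY = rsa_pubkey_line(65537, 0xC0FFEE_DEADBEEF_0BADF00D_FEEDFACE, "constructed-example")

if __name__ == "__main__":
    print("MD5   :", md5_fingerprint(SAMPLE_KEY))
    print("Babble:", babble_fingerprint(SAMPLE_KEY))
```

To check a real server, paste the line from /etc/ssh/ssh_host_rsa_key.pub (obtained over a channel you already trust) into matches_published together with the fingerprint printed in the table. A partial match, or a match against only the first few groups, is not a match.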

1.2 Terminal access

All UNIX-like operating systems (Linux, BSD, Mac OS X, etc.) will have an SSH client, unless it was deliberately excluded during installation. For MS Windows, several clients are freely available; the most common is probably PuTTY. (More on PuTTY below.)

[Screenshot: A remote session using OS X's default settings]

When you log in, you use your local computer (the client) to access a remote host (the server). Typically, you open a terminal window and enter

    ssh «username»@u-shell.csc.kth.se

When connecting between different CSC systems, you don't need to specify your username, since it is the same at both client and server. CSC has also configured all terminal room computers to both authenticate with Kerberos and delegate credentials; you should not need to enter your password when remotely accessing other CSC computers.

On MS Windows, PuTTY and most other SSH clients have an integrated terminal window, but command-line versions are also available. Kerberos support is becoming available, but not all applications support it.

    PuTTY: a free telnet/ssh client
    http://www.chiark.greenend.org.uk/~sgtatham/putty/

1.3 File transfer

In Linux and UNIX systems, most file managers can use SFTP. Usually, you can enter the directory name

    sftp://«user»@host.csc.kth.se/«path»

to access a remote directory, and then drag and drop files between that window and others on your system.

On Mac OS X, there is no graphical SFTP client installed by default. There is a command-line version, and you can also install a client such as Cyberduck, a free application which is also installed on CSC's Macs.

    Cyberduck
    http://cyberduck.ch/

Unfortunately, unlike OS X's command-line version of SFTP, Cyberduck does not currently support Kerberos login. You will therefore be prompted for your password.

[Screenshot: Remote SFTP using Cyberduck and the command line]

On MS Windows, you can use for example WinSCP. The latest version (as of October 2010) supports Kerberos authentication, but not forwarding of credentials. For this reason, logging in with password authentication may be necessary. On CSC's Windows computers, you can use OpenAFS to transfer files directly to your UNIX home directory. For more information on WinSCP, see below.

[Screenshot: Using WinSCP for file transfer]

1.4 X11 forwarding, GSSAPI

X11 forwarding allows you to run applications on the remote server, but display them on the local client. This can be used to run applications that are not available on the client, or to directly access files only available on the server. The downside is that the network usage is high. A slow connection will cause high latency: clicking a button will cause a measurable delay before the application reacts.

X11 forwarding requires a local X server. This is available by default on all UNIX-like operating systems; on MS Windows you will need to install one separately, for example Xming.

A note on terminology. In X11 parlance, the X server is the program that interacts with the display hardware (graphics card, screen, etc.) to display images on request from an application, the X client. Somewhat confusingly, this means that the X server runs locally, on your (SSH) client, and the X client runs on the (SSH) server, remotely.

GSSAPI is the interface through which SSH uses your Kerberos tickets. With SSH, you can use it to

  - verify the host, rather than confirming a key fingerprint (called GSSAPIKeyExchange in SSH's configuration file; this option is not in upstream OpenSSH but is provided by the GSSAPI patch that Debian, Ubuntu and several other distributions ship);
  - authenticate, so you don't need to enter a password to log in to the server (GSSAPIAuthentication);
  - forward your Kerberos tickets, allowing you to access files (which requires AFS tokens) and other resources on the server (GSSAPIDelegateCredentials).

To enable this, add the following to SSH's configuration file (typically /etc/ssh/ssh_config for system-wide settings, or ~/.ssh/config for per-user settings):

    Host *
        ForwardX11 yes

    # add domains as needed
    Host *.nada.kth.se *.nada.kth.se. *.csc.kth.se *.csc.kth.se. *.pdc.kth.se *.pdc.kth.se.
        User «username»
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIKeyExchange yes

    Host *.*
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials no
        GSSAPIKeyExchange yes

Keep the blocks in this order: ssh uses the first value it finds for each option, so the CSC block must come before the catch-all Host *.* block, which deliberately turns delegation off for every other host. Forwarding your tickets to a host you don't trust lets that host act as you for as long as the tickets are valid (see section 4.1). Enabling ForwardX11 for every host likewise means a compromised server can talk to your local X display; if your distribution sets ForwardX11Trusted yes by default (Debian and Ubuntu do), consider moving ForwardX11 into the CSC block instead. Note that the User option is only available in some SSH implementations.

These options can also be given on the command line, but typing

    ssh -X -K -o GSSAPIKeyExchange=yes «username»@u-shell.csc.kth.se

takes more effort than just

    ssh u-shell.csc.kth.se

1.5 Connecting to MS Windows remotely

Currently there is no way for students to use their Windows account remotely, or to remotely access the files stored in their Windows home directory. You can however access the files stored in the home directory of your central KTH.SE Windows login; see IT SupportCenter's website, http://www.kth.se/en/student/support/itsc/faq/arbeta-fran-annan-plats.

For employees, there is a server with Remote Desktop Services (formerly Terminal Services), which you can connect to using any RDP (Remote Desktop Protocol) client. The server is terminal.nt.nada.kth.se. RDP clients are available for most operating systems:

Ubuntu

Use Terminal Server Client (Applications > Internet), using the RDP protocol.

For more options, you can also call rdesktop explicitly on the command line:

    rdesktop -N -a 16 -g 1200x800 -k sv -d NADA.KTH.SE -r disk:local=$HOME -r sound=local terminal.nt.nada.kth.se

(Here -a 16 selects 16-bit colour depth, -g the window size, -k sv the Swedish keyboard layout, -d the login domain, and the two -r options share your home directory and sound output with the session.)

Mac OS X

Remote Desktop Connection Client for Mac is available as a free download from Microsoft's website, and is installed on all CSC Macs. You will find it under Applications. Do not enter your password and the domain in the first dialog that appears. Rather, wait until the remote server's login screen appears, where you can choose the domain NADA.KTH.SE (the Kerberos realm).

Windows 7

Remote Desktop Connection is installed by default.
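The ssh_config blocks recommended in section 1.4 only protect you if they are in the right order, because ssh takes the first value it obtains for each option. The following is an added example, written for this page and not part of the original guide or of OpenSSH, that resolves options for a hostname the way ssh_config(5) describes (first match wins per option, Host pattern lists with * and ? wildcards and ! negation) and shows that putting the Host *.* block first silently turns delegation off for the CSC hosts. Both configuration texts are constructed; the username alice is a placeholder.

```python
import fnmatch

# Constructed ssh_config in the recommended layout: CSC block first, catch-all last.
GOOD_CONFIG = """\
Host *
    ForwardX11 yes

# add domains as needed
Host *.nada.kth.se *.nada.kth.se. *.csc.kth.se *.csc.kth.se. *.pdc.kth.se *.pdc.kth.se.
    User alice
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes

Host *.*
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    GSSAPIKeyExchange yes
"""

# The same blocks with the catch-all moved first: looks harmless, but silently disables delegation.
MISORDERED_CONFIG = """\
Host *.*
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    GSSAPIKeyExchange yes

Host *.nada.kth.se *.nada.kth.se. *.csc.kth.se *.csc.kth.se. *.pdc.kth.se *.pdc.kth.se.
    User alice
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Options given before the first Host line apply to every host, as in ssh_config(5).
    Keywords are case-insensitive; 'Key value' and 'Key=value' are both accepted.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # repeated inside one block: first one wins too
    blocks.append((patterns, options))
    return blocks


def host_matches(hostname, patterns):
    """ssh_config pattern list: '*' and '?' wildcards; a matching '!' pattern excludes the host.

    fnmatch also treats [...] as a character class, which ssh does not; fine for host names.
    """
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_options(hostname, text):
    """Resolve options the way ssh(1) does: the FIRST obtained value for each option wins."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(hostname, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def delegates_credentials(hostname, text=GOOD_CONFIG):
    """Would ssh forward our Kerberos tickets to this host under this configuration?"""
    return effective_options(hostname, text).get("gssapidelegatecredentials", "no") == "yes"
```

Run delegates_credentials("u-shell.csc.kth.se") against both texts to see the difference; the real check on your own machine is ssh -G u-shell.csc.kth.se, which prints the options OpenSSH would actually use.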

2 Setting up Kerberos

When you log in on a CSC computer, Kerberos is used to authenticate you (confirm your identity, that you are the user you claim to be). You are given a so-called ticket, which is then used to access a service, e.g. to allow you to read the files in your AFS home directory. When you do this locally, on one of the terminal room computers, the authentication is done on the same computer that you then use to access the files (or email, or other services). But you can also use Kerberos by authenticating on one computer (e.g. at home), and then forward the tickets to a CSC computer, and allow applications there to read the files.

The main advantage of Kerberos over normal password authentication is that your password is never sent over the network. The client turns your password into a key locally, and only data encrypted with that key goes over the wire, so nobody can intercept your password, even if they were to break the network encryption. (What an eavesdropper can do is try to guess a weak password offline against the captured pre-authentication data, so the usual advice about strong passwords still applies.) But it also gives more practical advantages, in that you don't need to re-enter your password to log in to multiple systems. If you have valid Kerberos tickets, you can use an email program to read and send mail (usually done through different servers), transfer files between systems, and open multiple command-line sessions, all without once having to type your password. But you are still secure, in the sense that a ticket is only valid for a short period, and does not store your password. A stolen ticket to the mail server can't be used to gain access to your file server, and once the ticket expires, even the mail server will be inaccessible. (The ticket granting ticket is the exception, since it can be used to obtain tickets for any service; that is why you should only forward it to hosts you trust, see section 4.1.)

An example of krb5.conf, the Kerberos configuration file, is shown in Figure 1. For OS-specific information, see below.

2.1 Mac OS X

All Kerberos tools are installed by default, and the default settings will work. You may however want to change the default settings, so that you can use shorter commands, i.e.

    kinit «username»@NADA.KTH.SE    ## default settings
    kinit «username»                ## after configuring
    kinit                           ## if your local username matches CSC's

(Realm names are case-sensitive; always write NADA.KTH.SE in capitals.)

There are also graphical applications for ticket management, for example Ticket Viewer in /System/Library/CoreServices/. To change the configuration, edit the file /Library/Preferences/edu.mit.Kerberos, as shown in the krb5.conf file referred to above. (You can create the file if it does not exist; it is a plain text file.)

2.2 Ubuntu / Linux

All major Linux distributions have Kerberos packages available. On Ubuntu, you can install the package krb5-clients (MIT Kerberos), or heimdal-clients (Heimdal Kerberos, used at CSC).

During the installation, you will be asked for your default realm. A realm more or less matches a network domain, but written in capital letters (realm names are case-sensitive). Choose NADA.KTH.SE unless you have reason to do otherwise. You can also change the configuration in /etc/krb5.conf to match the krb5.conf file referred to above.

2.3 MS Windows

While later versions of MS Windows integrate Kerberos as part of their Security Support Provider Interface (SSPI) API, their implementation is not always compatible with the standard MIT or Heimdal implementations used elsewhere (e.g. at CSC). It is therefore best to install MIT Kerberos for Windows, which can be downloaded from MIT:

    MIT Kerberos Distribution
    http://web.mit.edu/kerberos/dist/index.html

It contains Network Identity Manager, developed by Secure Endpoints Inc., an application to manage Kerberos tickets. For more information, see section 3, X11 and GSSAPI from Windows.

Figure 1: Example krb5.conf, typically stored as /etc/krb5.conf

    # Generic krb5.conf for the NADA.KTH.SE realm
    # $Id: krb5.conf,v 1.3 2010/10/08 05:10:18 sedholm Exp $

    [libdefaults]
    default_realm = NADA.KTH.SE
    ticket_lifetime = 12h
    renew_lifetime = 1w
    ## Use no-addresses for portable systems that change
    ## IP address regularly, or systems behind NAT
    ## (Heimdal spelling; MIT Kerberos spells the option noaddresses)
    no-addresses = true
    kdc_timesync = 1
    forwardable = true
    ## for OS X w. AFS and the afslog loginlogout plugin
    # login_logout_notification = "afslog"

    [appdefaults]
    no-addresses = true
    forwardable = true

    [realms]
    NADA.KTH.SE = {
        kdc = kerberos.nada.kth.se.
        kdc = kerberos-1.nada.kth.se.
        kdc = kerberos-2.nada.kth.se.
        kdc = kerberos-3.nada.kth.se.
    }
    STACKEN.KTH.SE = {
        kdc = kerberos.stacken.kth.se.
        kdc = kerberos-1.stacken.kth.se.
    }
    KTH.SE = {
        kdc = kerberos.kth.se.
        kdc = kerberos-1.kth.se.
        kdc = kerberos-2.kth.se.
    }

    [domain_realm]
    .nada.kth.se = NADA.KTH.SE
    .csc.kth.se = NADA.KTH.SE
    .pdc.kth.se = NADA.KTH.SE
    .speech.kth.se = NADA.KTH.SE
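When a krb5.conf is copied between machines it is easy to lose a section header, mistype a realm in lower case, or map a domain to a realm that has no KDC, and the symptoms (kinit "cannot find KDC", tickets for the wrong realm) are not obvious. The following is an added example, written for this page and not part of the guide or of any Kerberos implementation, that parses a krb5.conf in the format of Figure 1, reproduces the [domain_realm] lookup the libraries perform (exact host name first, then the longest parent domain) and runs a few sanity checks. The embedded configuration is a constructed, abridged copy of Figure 1; the parser deliberately refuses settings that appear before any [section], which is what happens when the [libdefaults] line goes missing.

```python
# Constructed krb5.conf in the layout of Figure 1 (abridged); note the [libdefaults] header.
KRB5_CONF = """\
# Generic krb5.conf for the NADA.KTH.SE realm
[libdefaults]
    default_realm = NADA.KTH.SE
    ticket_lifetime = 12h
    renew_lifetime = 1w
    no-addresses = true
    forwardable = true

[realms]
    NADA.KTH.SE = {
        kdc = kerberos.nada.kth.se.
        kdc = kerberos-1.nada.kth.se.
    }
    KTH.SE = {
        kdc = kerberos.kth.se.
    }

[domain_realm]
    .nada.kth.se = NADA.KTH.SE
    .csc.kth.se = NADA.KTH.SE
    .pdc.kth.se = NADA.KTH.SE
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts; a key given more than once (kdc = ...) becomes a list."""
    conf, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        if line.startswith("["):
            stack = [conf.setdefault(line.strip("[]").strip(), {})]
        elif line == "}":
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"line {lineno}: setting outside any [section]")
            key, _, value = (part.strip() for part in line.partition("="))
            current = stack[-1]
            if value == "{":                       # start of a nested block, e.g. a realm
                current[key] = {}
                stack.append(current[key])
            elif key in current:                   # repeated key: collect the values
                old = current[key] if isinstance(current[key], list) else [current[key]]
                current[key] = old + [value]
            else:
                current[key] = value
    return conf


def parse_error(text):
    """None if the text parses, otherwise the error message."""
    try:
        parse_krb5_conf(text)
    except (ValueError, IndexError) as exc:
        return str(exc) or exc.__class__.__name__
    return None


def realm_for_host(conf, hostname):
    """[domain_realm] lookup as the libraries do it: exact host first, then the longest parent domain."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None  # the library would fall back to DNS or to the upper-cased domain name


def lint(conf):
    """Checks worth running before trusting a krb5.conf on a new machine."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        problems.append("no default_realm in [libdefaults]")
    elif default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for realm, body in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm} is not upper-case (realm names are case-sensitive)")
        if "kdc" not in body:
            problems.append(f"realm {realm} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"{domain} maps to {realm}, which has no [realms] entry")
    return problems
```

Point parse_krb5_conf at the text of your own /etc/krb5.conf (or C:\Windows\krb5.ini) and print lint(...) before you run kinit on a freshly configured machine.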

3 X11 and GSSAPI from Windows

In order to use Kerberos-authenticated SSH from Windows, you will need to install MIT Kerberos, and an SSH client that supports Kerberos. Currently, the only version of PuTTY to do so is the development snapshot available at their download page. Regarding WinSCP, the latest version as of mid October 2010 (4.2.9, see http://winscp.net/eng/docs/history) can authenticate using Kerberos, but does not delegate credentials. This means you will be logged in, but only able to read public files, not e.g. files in ~/Private. The unreleased version of WinSCP is based on the same development snapshot (rev. 9010) of PuTTY's SSH core, which gives some hope of improvements.

3.1 MIT Kerberos configuration

The Kerberos settings are kept in C:\Windows\krb5.ini. Make sure you save the file as plain text. The contents should be the same as the krb5.conf in Figure 1.

To obtain Kerberos tickets, start Network Identity Manager. Click on the taskbar icon to bring up the program, then click Obtain New Credentials and enter your CSC username and password.

[Screenshot: Acquiring Kerberos tickets using Network Identity Manager]

3.2 PuTTY configuration

To enable GSSAPI, change the settings under Connection > SSH > Auth > GSSAPI. Enable both Attempt GSSAPI authentication and Allow GSSAPI credential delegation. Enable delegation only in the saved sessions for CSC hosts, for the same reason as in section 1.4: a host you delegate to can act as you until the tickets expire.

[Screenshot: PuTTY options]

There is currently no setting for GSSAPIKeyExchange; you will still need to confirm the host's public key fingerprint (see section 1.1).

3.3 WinSCP configuration

WinSCP supports Kerberos authentication; in fact, it uses PuTTY's SSH library and is well integrated with PuTTY. You can open a PuTTY session by choosing Commands > Open in PuTTY. However, there is currently (mid October 2010) no option to delegate your Kerberos credentials. This means that you will be logged on (without being prompted for your password), but you will not be able to read files unless they are in a directory with public access.

[Screenshot: WinSCP options]

3.4 Xming

Xming provides an X server for Windows. If you configure PuTTY to use X11 forwarding (Connection > SSH > X11 > Enable X11 forwarding), applications started on the remote server will be displayed on your local screen.

Note that Xming should not be allowed to accept external network connections (unless you want this for other purposes). As far as Xming is concerned, requests to display images or other windows originate from PuTTY on the local machine, not from the remote computer, so nothing legitimate ever needs to reach Xming from the network, and an X server reachable from the network is an unnecessary attack surface against your display. For security reasons, it is worth configuring the Windows firewall to block any external connections to Xming. To do so, configure the firewall to only allow connections from localhost (127.0.0.1), on both the TCP and UDP protocols. (Xming also accepts the standard X server option -nolisten tcp, which stops it listening on the network in the first place.)

[Screenshot: Example: Windows 7 firewall settings]

You may also need to configure Xming to choose the correct keyboard layout. Normally, the keyboard layout for the X server is chosen from the one used in Windows. Unfortunately, a bug may prevent the Swedish layout from being chosen. Instead, you can change the shortcut used to launch Xming, by modifying the Target to add the two -xkb options at the end:

    "C:\Program Files\Xming\Xming.exe" :0 -clipboard -multiwindow -xkbmodel pc105 -xkblayout fi

In other words, you choose the Finnish keyboard layout (which is identical to the Swedish one) instead.

4 Background information on Kerberos

Information about Kerberos and how to configure it on a UNIX/Linux host.

4.1 Introduction to Kerberos

Kerberos is an authentication system based on a trusted third party, the Kerberos server, also known as the Key Distribution Center (KDC). It has many nice features, for example:

  - Mutual authentication. Users can authenticate servers, and vice versa, by using information from the trusted third party (KDC). There is no need for each party to keep a list of the other parties' trusted keys (which would need to be securely initiated and maintained, as well as updated when keys are stolen).
  - Single sign-on. Log in once, and you can use many services.
  - The long-term keys (users' passwords and hosts' keys) are only known, used and seen by the key owner's local system and the Kerberos server. They are never exposed to any other party.
  - The keys are only held in software for a very short time; they are then destroyed. (Except in the MS Windows implementation, sadly.)
  - Keys can easily be changed if compromised, in one place, which renders a stolen key useless.
  - Only temporary keys are used for data encryption over the network.
  - Cross-realm authentication to other realms (domains).
  - Possibility to authenticate with hardware tokens.
  - Scales very well, an advantage both from the user's perspective and for administration.

Kerberos can be used to securely use many different applications and protocols, such as:

  - SSH for terminal access, X tunnelling, file transfer and more.
  - File systems such as AFS, NFS, CIFS/SMB and AFP (Apple Filing Protocol).
  - Mail with IMAP and SMTP.
  - Terminal access with telnet, and file transfers with ftp. (Requires Kerberized versions.)
  - Web access over HTTP with SPNEGO.
  - ... and several others.

Tickets

Kerberos uses so-called tickets to authenticate users and services ("principals") to each other. A ticket is a small data structure, encrypted with the long-term key of the service it is for, that carries a temporary session key; only the KDC and that service can read it. The tickets are issued by the KDC. Each service accessed uses its own ticket.

The tickets contain information about the requesting principal, typically a username and realm (domain), and other useful data such as the temporary session encryption key. A ticket has a limited lifetime and, optionally, a limited time during which it can be renewed.

A special case is the ticket that you get when you initially authenticate to the Kerberos KDC: the Ticket Granting Ticket (TGT, krbtgt). The Ticket Granting Ticket is the ticket you use for authenticating to the KDC's ticket-granting service when requesting tickets for other services.
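The ticket mechanism described in this section and in section 2 (password never on the wire, one TGT, one ticket per service, a mail ticket useless at the file server) is easier to see in code than in prose. The following is an added example, written for this page: a toy model of the AS and TGS exchanges and of a service checking a ticket, not real Kerberos and not CSC's or any library's code. It uses an HMAC-based toy cipher in place of Kerberos' real encryption types and omits clock-skew checks, address restrictions and renewal; the realm, principal names and password are constructed.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(password, salt):
    """String-to-key: client and KDC both turn the password into a key; the password never travels."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag), standing in for Kerberos' cipher."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party: holds every principal's long-term key and issues tickets."""

    def __init__(self, realm):
        self.realm, self.tgs = realm, f"krbtgt/{realm}@{realm}"
        self.keys = {self.tgs: os.urandom(32)}

    def add_user(self, user, password):
        self.keys[f"{user}@{self.realm}"] = derive_key(password, user)

    def add_service(self, principal):
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]  # the service keeps the same key in its keytab

    def as_exchange(self, client, preauth):
        """AS exchange: the encrypted timestamp proves the client knows the key; answer with a TGT."""
        unseal(self.keys[client], preauth)  # raises if the client used the wrong password
        session, expires = os.urandom(32).hex(), time.time() + 12 * 3600
        tgt = seal(self.keys[self.tgs], {"client": client, "session": session, "expires": expires})
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS exchange: the TGT, not the password, proves who is asking; issue a service ticket."""
        t = unseal(self.keys[self.tgs], tgt)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["expires"]:
            raise ValueError("bad authenticator or expired TGT")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "service": service, "session": session})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": session})


class Client:
    """What kinit and the Kerberized applications do on the user's machine."""

    def __init__(self, kdc, user, password):
        self.kdc, self.principal, self.cache = kdc, f"{user}@{kdc.realm}", {}
        key = derive_key(password, user)  # derived locally; only ciphertext leaves this host
        tgt, enc = kdc.as_exchange(self.principal, seal(key, {"timestamp": time.time()}))
        self.tgt, self.tgt_session = tgt, bytes.fromhex(unseal(key, enc)["session"])
        del key  # the long-term key is not kept once the TGT is in hand

    def authenticator_for(self, service):
        """Fetch (and cache, like a credentials cache) a ticket for one service; build an authenticator."""
        if service not in self.cache:
            auth = seal(self.tgt_session, {"client": self.principal, "timestamp": time.time()})
            ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
            self.cache[service] = (ticket, bytes.fromhex(unseal(self.tgt_session, enc)["session"]))
        ticket, session = self.cache[service]
        return ticket, seal(session, {"client": self.principal, "timestamp": time.time()})


def service_accepts(name, service_key, ticket, authenticator):
    """What a Kerberized server does: open the ticket with its own key, then check the authenticator."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
    except ValueError:
        return None
    return t["client"] if t["service"] == name and a["client"] == t["client"] else None


IMAP, AFS = "imap/mail1.nada.kth.se@NADA.KTH.SE", "afs@NADA.KTH.SE"
PASSWORD = "correct horse battery staple"  # constructed demo password


def demo():
    """One password entry, tickets for two services; a mail ticket presented to AFS is rejected."""
    kdc = KDC("NADA.KTH.SE")
    kdc.add_user("alice", PASSWORD)
    imap_key, afs_key = kdc.add_service(IMAP), kdc.add_service(AFS)
    alice = Client(kdc, "alice", PASSWORD)
    mail_ticket, mail_auth = alice.authenticator_for(IMAP)
    afs_ticket, afs_auth = alice.authenticator_for(AFS)
    return {"imap": service_accepts(IMAP, imap_key, mail_ticket, mail_auth),
            "afs": service_accepts(AFS, afs_key, afs_ticket, afs_auth),
            "mail_ticket_at_afs": service_accepts(AFS, afs_key, mail_ticket, mail_auth)}


def wrong_password_is_rejected():
    kdc = KDC("NADA.KTH.SE")
    kdc.add_user("alice", PASSWORD)
    try:
        Client(kdc, "alice", "not the password")
    except ValueError:
        return True
    return False
```

Note what crosses the "network" in demo(): an encrypted timestamp, the TGT, authenticators and service tickets, never the password or the key derived from it. The TGT is the one object that unlocks every service, which is exactly why the forwarding section below tells you to delegate it only to hosts you trust.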

Ticket forwarding (credential delegation)

When you connect to another service you may in some cases also want to forward your tickets to that service. This is typically useful when you connect to another host and want to access other Kerberized services from that host. For example, when you connect to a host where you need Kerberos tickets to access your files under AFS or another Kerberized file system, as is the case at CSC.

You should not forward your tickets to systems you do not trust, since the tickets could be used to authenticate as you, should they be stolen (though only for the lifetime of the tickets). To a less trusted system, you may still authenticate with Kerberos; you will not expose anything it doesn't already possess, as long as you don't use ticket forwarding.

More information about Kerberos

There are several implementations of Kerberos, the two most common being MIT Kerberos and Heimdal. These are very similar and almost interchangeable. Some OSes come with Kerberos-enabled software as standard; many others let you choose one of the above.

The current version of Kerberos is version 5. The outdated version 4 should not be used anymore.

GSSAPI (Generic Security Services API) is the API that applications such as SSH use for authentication without being tied to one mechanism. In practice Kerberos V5 is by far the most widely used mechanism, so GSSAPI has more or less become synonymous with Kerberos V5.

There is plenty of information on Kerberos on the Internet, for example

    Wikipedia on Kerberos
    http://en.wikipedia.org/wiki/Kerberos_(protocol)

4.2 Installing Kerberos

Many OSes nowadays come with Kerberos-enabled software as standard: Solaris/OpenSolaris, Mac OS X, AIX and FreeBSD all do, just to name a few. Many Linux distributions do not have Kerberos software installed by default, but there are packages available in all major distributions. For example, on Ubuntu you can just install the package krb5-clients (MIT Kerberos) or heimdal-clients (Heimdal Kerberos, used at CSC).

4.3 Configuring Kerberos

Kerberos (V5) usually does not need to be configured, since most information can be looked up from DNS, the Domain Name System. Still, if you do configure it, you may be able to use shorter commands, some things may work more smoothly, and it may be a little faster over very slow links, since fewer lookups need to be sent over the network. You typically just need to add a single configuration file. The configuration file is plain text, and uses the same basic format on all systems. An example configuration file for use with CSC's systems in the NADA.KTH.SE realm is given in Figure 1.

Most UNIX and Linux distributions

For most UNIX and Linux distributions you just need to add (or replace) the configuration file, which is typically called either /etc/krb5.conf or /etc/krb5/krb5.conf. Use man krb5.conf to find the correct location and learn more about the available options.

Mac OS X

On Mac OS X you may install the configuration as /etc/krb5.conf as above, but the recommended place and name for the global configuration is /Library/Preferences/edu.mit.Kerberos. In addition, a user may have a configuration file of their own, the contents of which is preferred over the information in the global one. This personal configuration file is kept under ~/Library/Preferences/edu.mit.Kerberos. The file format is the same for all of these.

4.4 Using Kerberos

UNIX/Linux, including Mac OS X

There are several graphical programs to acquire tickets and to help you in configuring Kerberos. The generic command-line versions are shown here, since they work the same on all systems and are easier to describe.

The first step is to get a Kerberos Ticket Granting Ticket, a krbtgt:

    kinit username@NADA.KTH.SE

If you have NADA.KTH.SE as default realm in your Kerberos configuration you may leave out the realm part:

    kinit username

If you have the same username at CSC (Nada) as your local account:

    kinit

When you have your Ticket Granting Ticket, you can start using Kerberized programs and services. Additional tickets for other services will be retrieved automatically when needed. You can list your tickets with klist. The output will be something like

    Credentials cache: FILE:/tmp/krb5cc_12345
            Principal: alice@NADA.KTH.SE

      Issued           Expires          Principal
    Oct  6 13:41:15  Oct  7 16:47:09  krbtgt/NADA.KTH.SE@NADA.KTH.SE
    Oct  6 13:51:14  Oct  7 16:47:09  afs@NADA.KTH.SE
    Oct  6 13:58:18  Oct  7 16:47:09  host/mail1.nada.kth.se@NADA.KTH.SE
    Oct  6 13:58:18  Oct  7 16:47:09  imap/mail1.nada.kth.se@NADA.KTH.SE
    Oct  6 16:00:13  Oct  7 16:47:09  host/u3.csc.kth.se@NADA.KTH.SE

In this example, the user alice has

  - a ticket granting ticket,
  - a ticket for the AFS file system,
  - tickets for connecting to the host mail1, and for the IMAP (mail) service there,
  - a ticket for connecting to the host u3.csc.kth.se.

In this example all of them expire together with the ticket granting ticket; when that happens, run kinit again (or kinit -R before it expires, if your tickets are renewable).