Passwordless connection
You can establish connections to the interactive servers by using the password associated with your computing account. This method requires you to type in your password every time you connect to the servers.
Alternatively, you can establish secure, passwordless connections provided that you:
install and configure the network protocol Kerberos on your workstation,
configure your SSH client to use Kerberos tickets (instead of your password).
Once done, you will only need to type your password periodically (typically once per day) and then establish as many secure connections as you need for your work.
Please find int this page the necessary information install Kerberos and configure your SSH client on your workstation.
Install and configure Kerberos
Kerberos is a network authentication protocol that proves securely your identity when connecting using SSH (as with CC-IN2P3 interactive servers).
If not already done, you will need to install the Kerberos application available for your workstation. On a Unix-like OS you will have to install two software packages, usually named krb5-user
and krb5-config
, the former providing the programs, and the latter the configuration files.
After installing Kerberos, you will find new available commands such as kinit
, klist
, krenew
and kdestroy
.
These commands require that the file /etc/krb5.conf
exists and is correctly filled. The default contents of /etc/krb5.conf
are likely not suitable for our purpose, so you can freely rename it and populate a new one with the contents below, which is valid for both macOS and Linux:
[libdefaults]
default_realm = CC.IN2P3.FR
dns_lookup_realm = false
dns_lookup_kdc = true
allow_weak_crypto = false
kdc_timeout = 10
max_retries = 3
ticket_lifetime = 3d
renew_lifetime = 30d
forwardable = true
proxiable = false
default_ccache_name = DIR:/tmp/kerberos
[realms]
CC.IN2P3.FR = {
default_domain = idm.cc.in2p3.fr
kpasswd_server = ccidm01.in2p3.fr
admin_server = ccidm01.in2p3.fr
kdc = ccidm01.in2p3.fr:88
kdc = ccidm02.in2p3.fr:88
kdc = ccidm03.in2p3.fr:88
kdc = ccidm04.in2p3.fr:88
}
[appdefaults]
encrypt = true
Note
You can use another location for the Kerberos configuration file (e.g. $HOME/krb5.conf
) by initializing the environment variable KRB5_CONFIG
with the path to your file (e.g. export KRB5_CONFIG=$HOME/krb5.conf
). This alternative way may be useful if you don’t have super-user privileges on your workstation.
Obtain a Kerberos ticket
Assuming your computing account ID is <username>
, run the command:
% kinit <username>@CC.IN2P3.FR
and type in the password associated to your account.
Important
Kerberos is case-sensitive so you must type the realm CC.IN2P3.FR
in upper case.
You can verify that you successfully obtained a ticket using the klist
command:
% klist
Ticket cache: DIR::/tmp/kerberos/tkt
Default principal: <username>@CC.IN2P3.FR
Valid starting Expires Service principal
07/24/2019 14:47:02 07/25/2019 14:47:02 krbtgt/CC.IN2P3.FR@CC.IN2P3.FR
renew until 07/31/2019 14:47:02
The output of klist
shows that you have successfully obtained a Kerberos ticket which is cached on your workstation and also shows the ticket’s validity period. CC-IN2P3 Kerberos delivers tickets with a maximum validity period of 3 days. However, you can obtain a Kerberos ticket with a shorter duration if you wish so (see -l
option of kinit
).
Note
If your user name on your workstation is the same as your computing account (e.g. <username>
) and you only have configured Kerberos for the realm CC.IN2P3.FR, you can get a ticket by typing kinit
, without arguments. The Kerberos Default principal (i.e. <username>@CC.IN2P3.FR
) is inferred from the user name of the current session and the default realm from the configuration file /etc/krb5.conf
.
The Kerberos ticket is valid for 3 days, but can be renewed to extend its validity. To renew it, you can use
% kinit -R <username>@CC.IN2P3.FR
or (if <username>@CC.IN2P3.FR
is your Kerberos Default principal) only
% kinit -R
Configure your SSH client
Once you have proven your identity by obtaining a Kerberos ticket via the kinit
command, you may connect via SSH to the CC-IN2P3 computing platform without typing your password again, as many times as you need as long as your Kerberos ticket is still valid.
A convenient way to tell SSH that you want to use your Kerberos ticket rather than your password to connect to the CC-IN2P3 servers is to create an entry in your workstation SSH configuration file (generally $HOME/.ssh/config
). Depending on your operating system
follow the example below:
Host cc
Hostname cca.in2p3.fr
User <username>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
The SSH client shipped with macOS v10.12 and later does not include support for Kerberos connections to a host behind a DNS alias, such as cca.in2p3.fr
. You need to use a specific host name, here cca011.in2p3.fr
as an example, which means that you will always connect to the same host. To mitigate this, you may want to add several entries to $HOME/.ssh/config
, each one using a different host name:
Host cc
Hostname cca011.in2p3.fr
User <username>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
In addition, if you have got active Kerberos tickets for more than one realm, the macOS SSH client will use the ticket in the default credential cache, which may not be the one for CC.IN2P3.FR. To make sure your ticket for the CC.IN2P3.FR realm is the default one, use the following command before establishing the SSH connection:
% kswitch -p <username>@CC.IN2P3.FR
After configuring your SSH client, you can securely connect to the interactive servers using your valid Kerberos ticket without being prompted for password, by using the command:
% ssh cc
Note
In this example we used cc
in the line Host cc
as a convenient short alias for naming the CC-IN2P3 interactive servers.
You may choose another alias which you find convenient for you.
Attention
Please bear in mind that CC-IN2P3 provides this passwordless connection mechanism for your own convenience. Anyone with physical access to your workstation may exploit this mechanism to connect to CC-IN2P3 computing platform on your behalf.
Therefore, you are asked to take appropriate security measures to protect your individual credentials and workstation from unauthorized access to avoid impersonation. Please refer to the Charters for the use of resources.
Advanced configuration
If you connect via SSH to different CC-IN2P3 hosts, you can describe them all in your $HOME/.ssh/config
.
For instance on a Linux workstation you can use:
Host cca
Hostname cca.in2p3.fr
Host cca1
Hostname cca001.in2p3.fr
Host cca8
Hostname cca008.in2p3.fr
#
# The SSH options below apply to all 'Host' entries that match the pattern cc*
#
Host cc*
User <username>
GSSAPIClientIdentity <username>@CC.IN2P3.FR
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
More detailed information about customizing your SSH client can be found in the man page ssh_config(5)
and in this tutorial .
If you need assistance, or have questions, please contact user support.