Passwordless connection

You can establish connections to the interactive servers by using the password associated with your computing account. This method requires you to type in your password every time you connect to the servers.

Alternatively, you can establish secure, passwordless connections provided that you:

  1. install and configure Kerberos on your workstation, and
  2. configure your SSH client to use Kerberos tickets (instead of your password).

Once done, you will only need to type your password periodically (typically once per day) and then establish as many secure connections as you need for your work. In this tutorial you can find details on how to install Kerberos and configure your SSH client on your workstation.

Install and configure Kerberos

Kerberos is a network authentication protocol that lets you prove your identity securely; once you hold a Kerberos ticket, your SSH client can present it when connecting to the CC-IN2P3 interactive servers instead of sending your password. If not already done, you will need to install the Kerberos client software available for your workstation. On a Unix-like OS you will typically have to install two software packages, usually named krb5-user and krb5-config (these are the Debian/Ubuntu package names; other distributions package the same tools under different names), the former providing the programs and the latter the configuration files.

After installing Kerberos, new commands such as kinit, klist, krenew and kdestroy become available. These commands require that the file /etc/krb5.conf exists and is correctly filled in. The default contents of /etc/krb5.conf are likely not suitable for our purpose, so you can rename it and populate a new one with the contents below, which are valid for both macOS and Linux:

[libdefaults]
    default_realm       = CC.IN2P3.FR
    dns_lookup_realm    = false
    dns_lookup_kdc      = true
    allow_weak_crypto   = false
    kdc_timeout         = 10
    max_retries         = 3
    ticket_lifetime     = 3d
    renew_lifetime      = 30d
    forwardable         = true
    proxiable           = false
    default_ccache_name = DIR:/tmp/kerberos

[realms]
    CC.IN2P3.FR = {
        default_domain  = idm.cc.in2p3.fr
        kpasswd_server  = ccidm01.in2p3.fr
        admin_server    = ccidm01.in2p3.fr
        kdc             = ccidm01.in2p3.fr:88
        kdc             = ccidm02.in2p3.fr:88
        kdc             = ccidm03.in2p3.fr:88
        kdc             = ccidm04.in2p3.fr:88
    }

[appdefaults]
    encrypt = true

Note

You can use another location for the Kerberos configuration file (e.g. $HOME/krb5.conf) by initializing the environment variable KRB5_CONFIG with the path to your file (e.g. export KRB5_CONFIG=$HOME/krb5.conf). This alternative way may be useful if you don’t have super-user privileges on your workstation.

You should now be able to obtain a Kerberos ticket. Assuming your computing account is username, type:

% kinit username@CC.IN2P3.FR

and type in the password associated to the account username.

Important

Kerberos realm names are case-sensitive, so you must type the realm CC.IN2P3.FR in upper case.

You can verify that you successfully obtained a ticket using the klist command:

% klist
Ticket cache: DIR::/tmp/kerberos/tkt
Default principal: username@CC.IN2P3.FR

Valid starting       Expires              Service principal
07/24/2019 14:47:02  07/25/2019 14:47:02  krbtgt/CC.IN2P3.FR@CC.IN2P3.FR
        renew until 07/31/2019 14:47:02

The output of klist shows that you have successfully obtained a Kerberos ticket, which is cached on your workstation, together with the ticket's validity period (Expires) and the end of its renewal window (renew until). The KDC may grant less than the ticket_lifetime and renew_lifetime requested in krb5.conf; the values shown by klist are the ones that actually apply. CC-IN2P3 Kerberos delivers tickets with a maximum validity period of 3 days. You can also obtain a ticket with a shorter lifetime if you wish (see the -l option of kinit).

Note

If your user name on your workstation is the same as your computing account (e.g. username) and you have only configured Kerberos for the realm CC.IN2P3.FR, you can get a ticket by typing kinit, without arguments. The Kerberos ticket's principal (i.e. username@CC.IN2P3.FR) is inferred from the user name of the current session and the default realm from the configuration file /etc/krb5.conf.

Note

The Kerberos ticket is valid for up to 3 days, but as long as it has not yet expired and the renew until date shown by klist has not been reached, it can be renewed without typing your password. To renew it, use % kinit -R username@CC.IN2P3.FR, or just % kinit -R if username@CC.IN2P3.FR is your default Kerberos principal. Once the ticket has expired, or the renewal window is over, you must run kinit again and enter your password.
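The procedure above (obtain a ticket, check it with klist, renew it with kinit -R while the renewal window is open, otherwise kinit again) is easy to get wrong by hand, so here is a small shell helper that automates the decision. It is an added example, not part of the CC-IN2P3 documentation: the principal and the klist output format are taken from this page, while the 2-hour threshold, the KRB_* variable names and the sample klist output are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not part of the CC-IN2P3 documentation): keep a usable ticket for
# CC.IN2P3.FR by renewing it while the renewal window is open and re-authenticating
# otherwise. The principal and klist layout follow the page; the 2-hour threshold
# and the KRB_* variable names are assumptions made for this example.

PRINCIPAL="${KRB_PRINCIPAL:-username@CC.IN2P3.FR}"
MIN_REMAINING="${KRB_MIN_REMAINING:-7200}"   # act when less than 2 h of lifetime remain

# Principal held in the default cache, from the "Default principal:" line of klist output (stdin).
cache_principal() {
    awk '/^Default principal:/ { print $3; exit }'
}

# Expiry of the ticket-granting ticket: the "Expires" column of the krbtgt line.
tgt_expiry() {
    awk '/krbtgt\// { print $3, $4; exit }'
}

# End of the renewal window from the "renew until ..." line, if the ticket is renewable.
tgt_renew_until() {
    awk '/renew until/ { print $3, $4; exit }'
}

# Convert a klist timestamp (MM/DD/YYYY HH:MM:SS, C locale) to epoch seconds; 0 if absent.
# Uses GNU date; on macOS replace the call with: date -j -f '%m/%d/%Y %H:%M:%S' "$1" +%s
to_epoch() {
    [ -n "$1" ] || { echo 0; return; }
    date -d "$1" +%s 2>/dev/null || echo 0
}

# Decide ok | renew | kinit from epoch seconds: now, expiry (0 = no ticket), renew-until (0 = not renewable).
decide_action() {
    local now=$1 expires=$2 renew_until=$3
    if [ "$expires" -le "$now" ]; then echo kinit; return; fi            # no ticket, or already expired
    if [ $(( expires - now )) -ge "$MIN_REMAINING" ]; then echo ok; return; fi
    # kinit -R issues a new ticket that cannot outlive "renew until"; if that is not later than
    # the current expiry, renewing buys nothing and a fresh kinit (with password) is needed.
    if [ "$renew_until" -gt "$expires" ]; then echo renew; else echo kinit; fi
}

# Inspect the live cache, take the decided action, and print which action was taken.
ensure_ticket() {
    local out now expires renew_until action
    out=$(klist 2>/dev/null) || out=""
    # A cache holding a ticket for another principal (e.g. another realm) counts as no ticket.
    if [ "$(printf '%s\n' "$out" | cache_principal)" != "$PRINCIPAL" ]; then out=""; fi
    now=$(date +%s)
    expires=$(to_epoch "$(printf '%s\n' "$out" | tgt_expiry)")
    renew_until=$(to_epoch "$(printf '%s\n' "$out" | tgt_renew_until)")
    action=$(decide_action "$now" "$expires" "$renew_until")
    case "$action" in
        renew) kinit -R "$PRINCIPAL" || kinit "$PRINCIPAL" ;;   # fall back to a password prompt if renewal fails
        kinit) kinit "$PRINCIPAL" ;;
    esac
    echo "$action"
}

# Constructed klist output mirroring the page's example, used for an offline demonstration.
SAMPLE_KLIST='Ticket cache: DIR::/tmp/kerberos/tkt
Default principal: username@CC.IN2P3.FR

Valid starting       Expires              Service principal
07/24/2019 14:47:02  07/25/2019 14:47:02  krbtgt/CC.IN2P3.FR@CC.IN2P3.FR
        renew until 07/31/2019 14:47:02'

printf 'TGT expires:  %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | tgt_expiry)"
printf 'Renew until:  %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | tgt_renew_until)"
# Against the real cache (requires the krb5 tools):  ensure_ticket
```

Running ensure_ticket from a shell profile or a cron job keeps the ticket alive for as long as the KDC's renewal window allows; when the window closes, the helper falls through to an interactive kinit rather than failing silently, which is exactly the point at which you have to type your password once more.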

Configure your SSH client

Once you have proven your identity by obtaining a Kerberos ticket via the kinit command, you may connect via SSH to the CC-IN2P3 computing platform without typing your password again, as many times as you need as long as your Kerberos ticket is still valid.

A convenient way to tell SSH that you want to use your Kerberos ticket rather than your password to connect to the CC-IN2P3 servers is to create an entry in your workstation SSH configuration file (generally $HOME/.ssh/config). In the entries below, GSSAPIAuthentication yes enables Kerberos (GSSAPI) authentication; GSSAPIDelegateCredentials yes forwards your ticket to the remote host so that your session there can use Kerberos-protected services on your behalf (this hands the server a copy of your credentials, so only enable it toward hosts you trust, such as the CC-IN2P3 servers); GSSAPITrustDns yes lets the client trust DNS to resolve the alias cca.in2p3.fr to the real host name when building the service principal, which is needed because the alias points at several machines:

For Ubuntu, CentOS, Fedora:

Host cc
   Hostname                   cca.in2p3.fr
   User                       username
   GSSAPIClientIdentity       username@CC.IN2P3.FR
   GSSAPIAuthentication       yes
   GSSAPIDelegateCredentials  yes
   GSSAPITrustDns             yes

For macOS:

The SSH client shipped with macOS v10.12 and later does not include support for Kerberos connections to a host behind a DNS alias, such as cca.in2p3.fr. You need to use a specific host name, such as cca001.in2p3.fr, which means that you will always connect to the same host. To mitigate this, you may want to add several entries to $HOME/.ssh/config, each one using a different host name:

Host cc
   Hostname                  cca001.in2p3.fr
   User                      username
   GSSAPIAuthentication      yes
   GSSAPIDelegateCredentials yes

In addition, if you have got active Kerberos tickets for more than one realm, the macOS SSH client will use the ticket in the default credential cache, which may not be the one for CC.IN2P3.FR. To make sure your ticket for the CC.IN2P3.FR realm is the default one, use the following command before establishing the SSH connection:

% kswitch -p username@CC.IN2P3.FR

After configuring your SSH client, you can securely connect to the interactive servers using your valid Kerberos ticket without being prompted for password, by using the command:

% ssh cc

Note

In this example we used cc in the line Host cc as a convenient short alias for naming the CC-IN2P3 interactive servers. You may choose another alias which you find convenient for you.
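A successful ssh cc does not by itself prove that the Kerberos ticket was used: if GSSAPI fails, the client quietly falls through to the next permitted method, and on a host that still accepts passwords you are simply prompted for one. The helper below, an added example that is not part of the CC-IN2P3 documentation, restricts the client to gssapi-with-mic and forbids prompting, so a missing or expired ticket produces a clear failure, and it extracts the method OpenSSH reports in its debug output. The alias cc comes from the configuration above; the sample debug lines are constructed for the example, not captured from a real session.

```bash
#!/usr/bin/env bash
# Added example (not part of the CC-IN2P3 documentation): verify that "ssh cc" authenticates
# with the Kerberos ticket and does not quietly fall back to a password or key. The alias "cc"
# comes from the page's ~/.ssh/config; the sample log lines below are constructed, not captured.

# Attempt a login allowing only gssapi-with-mic. BatchMode=yes turns any prompt into a failure,
# so a missing or expired ticket yields a non-zero exit status instead of a password prompt.
# Prints the client's -v debug output for inspection.
kerberos_login_check() {
    local host=${1:-cc}
    ssh -v -o BatchMode=yes \
           -o PreferredAuthentications=gssapi-with-mic \
           -o PasswordAuthentication=no \
           -o PubkeyAuthentication=no \
           "$host" true 2>&1
}

# From ssh -v output on stdin, print the method OpenSSH reports as having succeeded
# (e.g. gssapi-with-mic); prints nothing if no "Authentication succeeded" line is present.
auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\([^)]*\))\.$/\1/p' | head -n 1
}

# Check that the ticket was actually delegated (GSSAPIDelegateCredentials yes): on the remote
# host, klist -s exits 0 only if that session holds a valid (forwarded) ticket.
delegation_check() {
    local host=${1:-cc}
    ssh -o BatchMode=yes -o PreferredAuthentications=gssapi-with-mic "$host" klist -s
}

# Constructed sample of the relevant -v lines, in the format OpenSSH prints them.
SAMPLE_SSH_LOG='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

printf 'method used in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_SSH_LOG" | auth_method)"
# Live usage:  kerberos_login_check cc | auth_method      (expect: gssapi-with-mic)
#              delegation_check cc && echo "ticket forwarded to the remote session"
```

If auth_method prints nothing and kerberos_login_check ends with "Permission denied (gssapi-with-mic)", check klist on your workstation first (no ticket, expired ticket, or a ticket for another realm selected as default); if the login works but delegation_check fails, the ticket was accepted but not forwarded, which points at GSSAPIDelegateCredentials on the client or the server's configuration.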

Warning

Please bear in mind that CC-IN2P3 provides this passwordless connection mechanism for your own convenience. Anyone who gains access to your workstation session, or to the credential cache in which the ticket is stored (/tmp/kerberos in the configuration above), can use the cached ticket to connect to the CC-IN2P3 computing platform on your behalf until the ticket expires or is destroyed.

Therefore, you are asked to take appropriate security measures to protect your individual credentials and workstation from unauthorized access, to avoid impersonation: lock your screen when you step away, and run kdestroy to discard the ticket when you no longer need it. Please refer to the Charters for the use of resources.

Advanced configuration

If you connect via SSH to different CC-IN2P3 hosts, you can describe them all in your $HOME/.ssh/config. For instance on a Linux workstation you can use:

Host cca
   Hostname cca.in2p3.fr

Host cca1
   Hostname cca001.in2p3.fr

Host cca8
   Hostname cca008.in2p3.fr

#
# The SSH options below apply to all 'Host' entries that match the pattern cc*.
# ssh uses the first value it finds for each option, so keep the host-specific
# entries above this wildcard block.
#
Host cc*
   User                      username
   GSSAPIClientIdentity      username@CC.IN2P3.FR
   GSSAPIAuthentication      yes
   GSSAPIDelegateCredentials yes
   GSSAPITrustDns            yes

More detailed information about customizing your SSH client can be found in the man page ssh_config(5) and in this tutorial.

If you need assistance, or have questions, please contact our user support.