Differences

Below are the differences between two revisions of the page.

kerberos_for_cygwin [2016/12/16 10:15] (current version)
Ligne 1: Ligne 1:
 +Modifié par Calvat, le 06 Apr 2016\\
 +\\
 +
 +====== Kerberos for Cygwin ======
 +
 +\\
 +\\
 +
 +====== Chapitre 1 : Kerberos for Cygwin ======
 +
 +Kerberos support exists for [[http://​www.cygwin.com|Cygwin]] , but might not be in the standard package set installed by default. To install and use Kerberos for use with ssh in Cygwin:
 +
 +
 +=====  Installation =====
 +
 +<​code>​
 +Start the Cygwin setup.exe program
 +Select the following two packages for installation:​\\
 +
 +<​code>​
 +'​Net'​ category:
 +    krb5-workstation:​ Kerberos reference implementation clients
 +    openssh: Secure shell server and client programs
 +</​code>​
 +  *Complete the installation.</​code>​
 +
 +
 +=====  Configuration =====
 +
 +For seamless operation, both Kerberos and ssh now need to be configured:
 +
 +<​code>​
 +Start a Cygwin bash shell
 +Create the file /​etc/​krb5.conf and populate it as follows:\\
 +
 +<​code>​
 +# /​etc/​krb5.conf -- Kerberos V5 general configuration.
 +# $Id$
 +#
 +# This is the IN2P3 Computing Centre default Kerberos v5 configuration file.
 +#
 +# If you find a bug or need to report an issue, please create a ticket
 +# to CC-IN2P3 support https://​cc-usersupport.in2p3.fr.
 +#
 +# This configuration allows any enctypes.
 +# vim: ts=3 sts=3 sw=3 softtabstop=3
 +
 +[libdefaults]
 +    default_realm ​          = IN2P3.FR
 +    ticket_lifetime ​        = 3d
 +    renew_lifetime ​         = 30d
 +    forwardable ​            = true
 +    noaddresses ​            = true
 +    # Next two lines MAY be needed - depending on Kerberos implementation,​
 +    # do not uncomment unless you see preauthentication errors on your client.
 +    #​default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 +    #​allow_weak_crypto = true
 +
 +
 +[appdefaults]
 +    default_lifetime ​     = 3d
 +    krb4_convert ​         = false
 +    krb4_convert_524 ​     = false
 +
 +    ksu = {
 +        forwardable ​      = false
 +    }
 +
 +    pam = {
 +        debug             = false
 +        search_k5login ​   = true
 +        afs_cells ​        = in2p3.fr
 +        forwardable ​      = true
 +    }
 +
 +    kinit = {
 +        krb_run_aklog ​    = true
 +        krb4_convert ​     = false
 +    }
 +
 +    libkafs = {
 +        IN2P3.FR = {
 +            afs-use-524 ​  = no
 +        }
 +    }
 +
 +
 +[realms]
 +    IN2P3.FR = {
 +        kdc = kerberos-1.in2p3.fr
 +        kdc = kerberos-2.in2p3.fr
 +        kdc = kerberos-3.in2p3.fr
 +        admin_server = kerberos-admin.in2p3.fr
 +        kpasswd_server = kerberos-admin.in2p3.fr
 +        master_kdc = kerberos-admin.in2p3.fr
 +        default_domain = in2p3.fr
 +    }
 +
 +[domain_realm]
 +    in2p3.fr ​ = IN2P3.FR
 +    .in2p3.fr = IN2P3.FR
 +
 +[logging]
 +    kdc          = SYSLOG:​NOTICE
 +    admin_server = SYSLOG:​NOTICE
 +    default ​     = SYSLOG:​NOTICE
 +</​code>​
 +  *Create the file .ssh/config in your home directory and populate it as follows:
 +<​code>​
 +Host cc*
 + User <​YourUserName>​
 + ​GSSAPIAuthentication yes
 + ​GSSAPIDelegateCredentials yes
 + ​ForwardX11Trusted no
 +</​code>​
 +where <​yourusername>​ is your DICE username.</​code>​
 +
 +
 +=====  Usage =====
 +
 +Before making your first ssh connection in any Cygwin session, you need to authenticate to the Informatics Kerberos service. In a Cygwin bash shell, type:
 +
 +<​code>​
 +kinit <​yourusername>​
 +</​code>​
 +You will be prompted to enter your Informatics password. After you have successfully authenticated,​ you will have acquired a Kerberos ticket-granting ticket and you should now be able to ssh to Informatics machines without having to specify your username or password.
 +
 +How to renew kerberos token :
 +
 +<​code>​
 +kinit -R
 +</​code>​
 +
 +
 +
 +
  
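Review bot: In the .ssh/config block, `Host cc*` together with `GSSAPIDelegateCredentials yes` forwards the user's Kerberos credentials to every host whose name, as typed on the ssh command line, starts with "cc", in any domain. Since [libdefaults] also sets `forwardable = true`, I would narrow the pattern to the site's fully qualified host names and say in the text why delegation is needed, so that readers do not copy it to hosts they do not trust with a forwarded ticket. In the krb5.conf block, the commented-out `default_tkt_enctypes` line lists `des-cbc-md5`, `des-cbc-crc` and `arcfour-hmac-md5` next to `allow_weak_crypto = true`; the comment only says when to uncomment them, so it should also state that these are weak enctypes kept as a last-resort workaround, and the header line "This configuration allows any enctypes" should be reworded to match what is actually active. Documentation points: the Configuration and Usage text refers to a "DICE username", the "Informatics Kerberos service" and "Informatics machines", which does not match the IN2P3.FR realm configured above; the placeholder is spelled both `<YourUserName>` and `<yourusername>`; and the nested `<code>` tags in Installation and Configuration are unbalanced, with the list steps ("Start the Cygwin setup.exe program", "*Complete the installation.") caught inside code blocks. A `klist` step after `kinit` in Usage would let readers confirm the ticket is present and forwardable before they try ssh.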
  • kerberos_for_cygwin.txt
 • Last modified: 2016/12/16 10:15
 • (external edit)