Open main menu

Linux and Unix Users Group at Virginia Teck Wiki β

Authentication

Revision as of 05:26, 2 May 2013 by imported>Mutantmonkey (SSH Authentication with Kerberos)

VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is VTLUUG.ORG but may change in the future to something under the vt.edu domain.

In April 2013, Kerberos authentication on acidburn was forced because a Debian bug required passwords to be sent in plaintext to the LDAP server.

  • If you haven't bothered to find an officer to Kerberize you in the past 6 months, you'll need to come to a meeting to set a new password.
  • If your account got locked out and you have been Kerberized, email officers@vtluug.org to get it unlocked. We lock inactive accounts in order to reduce the likelihood of accounts with weak passwords getting compromised.

MIT Kerberos Client Configuration

For MIT Kerberos, put this in /etc/krb5.conf:

[libdefaults]
#	default_realm = ATHENA.MIT.EDU
	default_realm = ECE.VT.EDU

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
	ATHENA.MIT.EDU = {
		admin_server = KERBEROS.MIT.EDU
		default_domain = MIT.EDU
		v4_instance_convert = {
			mit = mit.edu
			lithium = lithium.lcs.mit.edu
		}
	}
	ANDREW.CMU.EDU = {
		admin_server = vice28.fs.andrew.cmu.edu
	}
	ECE.VT.EDU = {
		admin_server = auth.ece.vt.edu
		default_domain = ece.vt.edu
		kdc = auth.ece.vt.edu
	}
	VTLUUG.ORG = {
		kdc = blade.vtluug.org
		admin_server = blade.vtluug.org
	}

[domain_realm]
	ece.vt.edu = ECE.VT.EDU
	.ece.vt.edu = ECE.VT.EDU
	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	.media.mit.edu = MEDIA-LAB.MIT.EDU
	media.mit.edu = MEDIA-LAB.MIT.EDU
	.ucsc.edu = CATS.UCSC.EDU
	andrew.cmu.edu = ANDREW.CMU.EDU
	.andrew.cmu.edu = ANDREW.CMU.EDU
	.vtluug.org = VTLUUG.ORG
	vtluug.org = VTLUUG.ORG
	.luug.ece.vt.edu = VTLUUG.ORG 
	luug.ece.vt.edu	= VTLUUG.ORG

[logging]
#	kdc = CONSOLE

SSH Authentication with Kerberos

Put this in your ~/.ssh/config:

# Kerberos
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Then you can just kinit user@VTLUUG.ORG and you should be able to ssh user@acidburn.vtluug.org without a password. You can also login to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.