disable Kerberos in Putty

2023-02-03 15:26:01 +01:00
parent 2e86eaef38
commit b5384c3241
4 changed files with 11 additions and 9 deletions


@@ -13,6 +13,7 @@ parts:
- file: user-guide/evolution_for_o365
- file: user-guide/thunderbird_for_o365
- file: user-guide/firefox_profile_per_host
- file: user-guide/putty
- caption: Admin Guide
chapters:


@@ -8,17 +8,18 @@ The default settings of Putty allow to connect to a Linux host. But when there a
This is due to missing Kerberos ticket delegation. Note that you may recover from this on the Linux shell by entering `kinit` and then your password to opain a new Kerberos ticket and `aklog` to log into AFS.
## Configure Kerberos
## Disable Kerberos in Putty
To avoid this issue Kerberos ticket delagation can be configured in Putty.
In the settings select "Connection" -> "SSH" -> "Auth" -> "GSSAPI" and select therein "Allow GSSAPI credential delegation".
Note that you need also to remove the tick at "Attempt GSSAPI key exchange" because else it will not work.
To avoid this issue disable Kerberos in Putty. You will then need to enter your password, but that will setup Kerberos properly on the destination machine.
![Working AFS](putty/working_kerberos_ticket_delegation.png)
In the Putty settings select "Connection" -> "SSH" -> "Auth" -> "GSSAPI" and there remove all ticks.
## Long Running Programs/Simulations
The delegated Kerberos ticket from Windows can only work for less than one day (in the `klist` output check below `krbtgt/D.PSI.CH@D.PSI.CH` the `renew until` timestamp). So at some point after AFS will refuse access.
![Working AFS](putty/working_new_kerberos_ticket.png)
To get a longer valid Kerberos ticket on the Linux machine, type `kinit` and authenticate yourself with your password. The newly acquired Kerberos ticket will do it for one week and AFS is happy as long too.
## Kerberos Details for Long Running Programs/Simulations
Kerberos tickets get invalid at some point after AFS will refuse access.
To check when this will be run `klist` and in the output check below `krbtgt/D.PSI.CH@D.PSI.CH` the `renew until` timestamp.
To seamlessly continue you need to obtain a new Kerberos ticket before by running `kinit`.
It will then ask your password and after sucessful authentication there will be a newly acquired Kerberos ticket which will do it for one week and AFS is happy as long too.
Alternatively you may disable Kerberos/GSSAPI authentication in Putty altogehter. But then you need always to enter your password when connecting to your Linux machine. But it will then always get a new Kerberos ticket working for one week.
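Review bot: Under "## Disable Kerberos in Putty", the instruction "and there remove all ticks" does not say which checkboxes are meant. Name them the way the other wording in this hunk does ("Allow GSSAPI credential delegation", "Attempt GSSAPI key exchange"), so a user can check the result against the dialog. Since the section now tells users "You will then need to enter your password", it should also remind them to verify the host key prompt before typing it, because the password goes to whatever host answers the connection. In the "Kerberos Details" section, "Kerberos tickets get invalid at some point after AFS will refuse access" is hard to parse; say that AFS refuses access once the ticket has expired. Spelling: "sucessful" in the `kinit` paragraph, "opain" in the line after the hunk header.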

Binary file not shown.


Binary file not shown.
