initial formatting changes complete
This commit is contained in:
@@ -1,26 +1,17 @@
|
||||
---
|
||||
title: Kerberos and AFS authentication
|
||||
#tags:
|
||||
keywords: kerberos, AFS, kinit, klist, keytab, tickets, connecting, client, configuration, slurm
|
||||
last_updated: 07 September 2022
|
||||
summary: "This document describes how to use Kerberos."
|
||||
sidebar: merlin6_sidebar
|
||||
permalink: /merlin6/kerberos.html
|
||||
---
|
||||
# Kerberos and AFS authentication
|
||||
|
||||
Projects and users have their own areas in the central PSI AFS service. In order
|
||||
to access to these areas, valid Kerberos and AFS tickets must be granted.
|
||||
to access to these areas, valid Kerberos and AFS tickets must be granted.
|
||||
|
||||
These tickets are automatically granted when accessing through SSH with
|
||||
These tickets are automatically granted when accessing through SSH with
|
||||
username and password. Alternatively, one can get a granting ticket with the `kinit` (Kerberos)
|
||||
and `aklog` (AFS ticket, which needs to be run after `kinit`) commands.
|
||||
|
||||
Due to PSI security policies, the maximum lifetime of the ticket is 7 days, and the default
|
||||
time is 10 hours. It means than one needs to constantly renew (`krenew` command) the existing
|
||||
Due to PSI security policies, the maximum lifetime of the ticket is 7 days, and the default
|
||||
time is 10 hours. It means than one needs to constantly renew (`krenew` command) the existing
|
||||
granting tickets, and their validity can not be extended longer than 7 days. At this point,
|
||||
one needs to obtain new granting tickets.
|
||||
|
||||
|
||||
## Obtaining granting tickets with username and password
|
||||
|
||||
As already described above, the most common use case is to obtain Kerberos and AFS granting tickets
|
||||
@@ -28,8 +19,9 @@ by introducing username and password:
|
||||
* When login to Merlin through SSH protocol, if this is done with username + password authentication,
|
||||
tickets for Kerberos and AFS will be automatically obtained.
|
||||
* When login to Merlin through NoMachine, no Kerberos and AFS are granted. Therefore, users need to
|
||||
|
||||
run `kinit` (to obtain a granting Kerberos ticket) followed by `aklog` (to obtain a granting AFS ticket).
|
||||
See further details below.
|
||||
See further details below.
|
||||
|
||||
To manually obtain granting tickets, one has to:
|
||||
1. To obtain a granting Kerberos ticket, one needs to run `kinit $USER` and enter the PSI password.
|
||||
@@ -49,16 +41,16 @@ klist
|
||||
```bash
|
||||
krenew
|
||||
```
|
||||
* Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
|
||||
* Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
|
||||
and then `kinit` should be used instead.
|
||||
|
||||
|
||||
## Obtanining granting tickets with keytab
|
||||
|
||||
Sometimes, obtaining granting tickets by using password authentication is not possible. An example are user Slurm jobs
|
||||
requiring access to private areas in AFS. For that, there's the possibility to generate a **keytab** file.
|
||||
Sometimes, obtaining granting tickets by using password authentication is not possible. An example are user Slurm jobs
|
||||
requiring access to private areas in AFS. For that, there's the possibility to generate a **keytab** file.
|
||||
|
||||
Be aware that the **keytab** file must be **private**, **fully protected** by correct permissions and not shared with any
|
||||
|
||||
Be aware that the **keytab** file must be **private**, **fully protected** by correct permissions and not shared with any
|
||||
other users.
|
||||
|
||||
### Creating a keytab file
|
||||
@@ -70,6 +62,7 @@ For generating a **keytab**, one has to:
|
||||
module load krb5/1.20
|
||||
```
|
||||
2. Create a private directory for storing the Kerberos **keytab** file
|
||||
|
||||
```bash
|
||||
mkdir -p ~/.k5
|
||||
```
|
||||
@@ -78,6 +71,7 @@ mkdir -p ~/.k5
|
||||
ktutil
|
||||
```
|
||||
4. In the `ktutil` console, one has to generate a **keytab** file as follows:
|
||||
|
||||
```bash
|
||||
# Replace $USER by your username
|
||||
add_entry -password -k 0 -f -p $USER
|
||||
@@ -85,6 +79,7 @@ wkt /psi/home/$USER/.k5/krb5.keytab
|
||||
exit
|
||||
```
|
||||
Notice that you will need to add your password once. This step is required for generating the **keytab** file.
|
||||
|
||||
5. Once back to the main shell, one has to ensure that the file contains the proper permissions:
|
||||
```bash
|
||||
chmod 0600 ~/.k5/krb5.keytab
|
||||
@@ -112,14 +107,17 @@ The steps should be the following:
|
||||
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
||||
```
|
||||
* To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
|
||||
|
||||
```bash
|
||||
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
||||
```
|
||||
* To obtain a granting AFS ticket, run `aklog`:
|
||||
|
||||
```bash
|
||||
aklog
|
||||
```
|
||||
* At the end of the job, you can remove destroy existing Kerberos tickets.
|
||||
* At the end of the job, you can remove destroy existing Kerberos tickets.
|
||||
|
||||
```bash
|
||||
kdestroy
|
||||
```
|
||||
@@ -137,7 +135,7 @@ This is the **recommended** way. At the end of the job, is strongly recommended
|
||||
#SBATCH --output=run.out # Generate custom output file
|
||||
#SBATCH --error=run.err # Generate custom error file
|
||||
#SBATCH --nodes=1 # Uncomment and specify #nodes to use
|
||||
#SBATCH --ntasks=1 # Uncomment and specify #nodes to use
|
||||
#SBATCH --ntasks=1 # Uncomment and specify #nodes to use
|
||||
#SBATCH --cpus-per-task=1
|
||||
#SBATCH --constraint=xeon-gold-6152
|
||||
#SBATCH --hint=nomultithread
|
||||
|
||||
Reference in New Issue
Block a user