Add Kerberos authentication
This commit is contained in:
parent
205f174ba7
commit
8ffd1b6019
@ -39,6 +39,8 @@ entries:
|
|||||||
url: /merlin6/nomachine.html
|
url: /merlin6/nomachine.html
|
||||||
- title: Configuring SSH Keys
|
- title: Configuring SSH Keys
|
||||||
url: /merlin6/ssh-keys.html
|
url: /merlin6/ssh-keys.html
|
||||||
|
- title: Kerberos and AFS authentication
|
||||||
|
url: /merlin6/kerberos.html
|
||||||
- title: Software repository - PModules
|
- title: Software repository - PModules
|
||||||
url: /merlin6/using-modules.html
|
url: /merlin6/using-modules.html
|
||||||
- title: Slurm General Documentation
|
- title: Slurm General Documentation
|
||||||
|
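Review bot: the sidebar entry `Kerberos and AFS authentication` is the right name for this page, but the new `kerberos.md` added in the same commit still carries `title: Configuring SSH Keys in Merlin` in its front matter, evidently copied from the ssh-keys page. Please align the page's `title:` with this sidebar title so the navigation entry and the page header agree.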
155
pages/merlin6/02-How-To-Use-Merlin/kerberos.md
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
---
|
||||||
|
title: Configuring SSH Keys in Merlin
|
||||||
|
|
||||||
|
#tags:
|
||||||
|
keywords: Linux, connecting, client, configuration, Kerberos, AFS, keytab
|
||||||
|
last_updated: 15 Jul 2020
|
||||||
|
summary: "This document describes how to use Kerberos."
|
||||||
|
sidebar: merlin6_sidebar
|
||||||
|
permalink: /merlin6/kerberos.html
|
||||||
|
---
|
||||||
|
|
||||||
|
Projects and users have their own areas in the central PSI AFS service. In order
|
||||||
|
to access to these areas, valid Kerberos and AFS tickets must be granted.
|
||||||
|
|
||||||
|
These tickets are automatically granted when accessing through SSH with
|
||||||
|
username and password. Alternatively, one can get a granting ticket with the `kinit` (Kerberos)
|
||||||
|
and `aklog` (AFS ticket, which needs to be run after `kinit`) commands.
|
||||||
|
|
||||||
|
Due to PSI security policies, the maximum lifetime of the ticket is 7 days, and the default
|
||||||
|
time is 10 hours. It means than one needs to constantly renew (`krenew` command) the existing
|
||||||
|
granting tickets, and their validity can not be extended longer than 7 days. At this point,
|
||||||
|
one needs to obtain new granting tickets.
|
||||||
|
|
||||||
|
|
||||||
|
## Obtaining granting tickets with username and password
|
||||||
|
|
||||||
|
As already described above, the most common use case is to obtain Kerberos and AFS granting tickets
|
||||||
|
by introducing username and password:
|
||||||
|
* When login to Merlin through SSH protocol, if this is done with username + password authentication,
|
||||||
|
tickets for Kerberos and AFS will be automatically obtained.
|
||||||
|
* When login to Merlin through NoMachine, no Kerberos and AFS are granted. Therefore, users need to
|
||||||
|
run `kinit` (to obtain a granting Kerberos ticket) followed by `aklog` (to obtain a granting AFS ticket).
|
||||||
|
See further details below.
|
||||||
|
|
||||||
|
To manually obtain granting tickets, one has to:
|
||||||
|
1. To obtain a granting Kerberos ticket, one needs to run `kinit` and introduce the PSI password.
|
||||||
|
```bash
|
||||||
|
kinit
|
||||||
|
```
|
||||||
|
2. To obtain a granting ticket for AFS, one needs to run `aklog`. No password is necessary, but a valid
|
||||||
|
Kerberos ticket is mandatory.
|
||||||
|
```bash
|
||||||
|
aklog
|
||||||
|
```
|
||||||
|
3. To list the status of your granted tickets, users can use the `klist` command.
|
||||||
|
```bash
|
||||||
|
klist
|
||||||
|
```
|
||||||
|
4. To extend the validity of existing granting tickets, users can use the `krenew` command.
|
||||||
|
```bash
|
||||||
|
krenew
|
||||||
|
```
|
||||||
|
* Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
|
||||||
|
and then `kinit** should be used instead.
|
||||||
|
|
||||||
|
|
||||||
|
## Obtanining granting tickets with keytab
|
||||||
|
|
||||||
|
Sometimes, obtaining granting tickets by using password authentication is not possible. An example are user Slurm jobs
|
||||||
|
requiring access to private areas in AFS. For that, there's the possibility to generate a **keytab** file.
|
||||||
|
|
||||||
|
Be aware that the **keytab** file must be **private**, **fully protected** by correct permissions and not shared with any
|
||||||
|
other users.
|
||||||
|
|
||||||
|
### Creating a keytab file
|
||||||
|
|
||||||
|
For generating a **keytab**, one has to:
|
||||||
|
|
||||||
|
1. Load a newer Kerberos ( `krb5/1.20` or higher) from Pmodules:
|
||||||
|
```bash
|
||||||
|
module load krb5/1.20
|
||||||
|
```
|
||||||
|
2. Create a private directory for storing the Kerberos **keytab** file
|
||||||
|
```bash
|
||||||
|
mkdir -p ~/.k5
|
||||||
|
```
|
||||||
|
3. Run the `ktutil` utility which comes with the loaded `krb5` Pmodule:
|
||||||
|
```bash
|
||||||
|
ktutil
|
||||||
|
```
|
||||||
|
4. In the `ktutil` console, one has to generate a **keytab** file as follows:
|
||||||
|
```bash
|
||||||
|
# Replace $USER by your username
|
||||||
|
add_entry -password -k 0 -f -p $USER
|
||||||
|
wkt /psi/home/$USER/.k5/krb5.keytab
|
||||||
|
exit
|
||||||
|
```
|
||||||
|
Notice that you will need to add your password once. This step is required for generating the **keytab** file.
|
||||||
|
5. Once back to the main shell, one has to ensure that the file contains the proper permissions:
|
||||||
|
```bash
|
||||||
|
chmod 0400 ~/.k5/krb5.keytab
|
||||||
|
```
|
||||||
|
|
||||||
|
### Obtaining tickets by using keytab files
|
||||||
|
|
||||||
|
Once the keytab is created, one can obtain kerberos tickets without being prompted for a password as follows:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kinit -kt ~/.k5/krb5.keytab $USER
|
||||||
|
aklog
|
||||||
|
```
|
||||||
|
|
||||||
|
## Slurm jobs accessing AFS
|
||||||
|
|
||||||
|
Some jobs may require to access private areas in AFS. For that, having a valid [**keytab**](/merlin6/kerberos.html#generating-granting-tickets-with-keytab) file is required.
|
||||||
|
Then, from inside the batch script one can obtain granting tickets for Kerberos and AFS, which can be used for accessing AFS private areas.
|
||||||
|
|
||||||
|
The steps should be the following:
|
||||||
|
|
||||||
|
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
|
||||||
|
(`$HOME/.k5` is a good location), and is strongly recommended to generate a shared Kerberos5 cache (in example, in that way one can always refresh
|
||||||
|
granting tickets for long jobs from anywhere):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Example one: Shared Kerberos5 cache
|
||||||
|
# Same cache file for all jobs
|
||||||
|
# Generally, always the recommended option
|
||||||
|
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
||||||
|
|
||||||
|
# Example two: Independent Kerberos5 cache
|
||||||
|
# ${SLURM_JOBID} will make the cache independent per job
|
||||||
|
# Use it only if necessary
|
||||||
|
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_${SLURM_JOBID}")"
|
||||||
|
```
|
||||||
|
* To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
|
||||||
|
```bash
|
||||||
|
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
||||||
|
```
|
||||||
|
* To obtain a granting AFS ticket, run `aklog`:
|
||||||
|
```bash
|
||||||
|
aklog
|
||||||
|
```
|
||||||
|
|
||||||
|
### Slurm batch script example: obtaining KRB+AFS granting tickets
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#!/bin/bash
|
||||||
|
#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly'
|
||||||
|
#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition.
|
||||||
|
#SBATCH --output=run.out # Generate custom output file
|
||||||
|
#SBATCH --error=run.err # Generate custom error file
|
||||||
|
#SBATCH --nodes=1 # Uncomment and specify #nodes to use
|
||||||
|
#SBATCH --ntasks=1 # Uncomment and specify #nodes to use
|
||||||
|
#SBATCH --cpus-per-task=1
|
||||||
|
#SBATCH --constraint=xeon-gold-6152
|
||||||
|
#SBATCH --hint=nomultithread
|
||||||
|
#SBATCH --job-name=krb5
|
||||||
|
|
||||||
|
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
||||||
|
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
||||||
|
aklog
|
||||||
|
klist
|
||||||
|
|
||||||
|
echo "Here should go my batch script code."
|
||||||
|
```
|
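Review bot: the second `KRB5CCNAME` example, `export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_${SLURM_JOBID}")"`, will fail: `mktemp` requires its template to contain at least three consecutive `X` characters, so with none in the name it exits with an error and `KRB5CCNAME` is left empty. Either drop `mktemp` and assign the fixed path (`export KRB5CCNAME="$HOME/.k5/krb5cc_${SLURM_JOBID}"`) or use a template such as `krb5cc_${SLURM_JOBID}_XXXXXX`. The first example has the opposite problem relative to its own comments: `mktemp "$HOME/.k5/krb5cc_XXXXXX"` creates a fresh, randomly named file on every call, so each job gets its own cache rather than the "same cache file for all jobs" the comment promises; a cache that is really shared across jobs needs a fixed name such as `$HOME/.k5/krb5cc_shared`. Smaller points in the same file: the link anchor `#generating-granting-tickets-with-keytab` matches no heading on this page (the section is "Obtanining granting tickets with keytab", whose heading also has a typo); `kinit**` should be `` `kinit` ``; and in the keytab procedure `wkt` writes the keytab with the default umask before step 5 runs `chmod 0400`, so setting `umask 077` (or running `chmod 700 ~/.k5` right after the `mkdir -p ~/.k5`) before starting `ktutil` closes that window.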