fix some formatting in krb docu

2024-11-21 14:41:12 +01:00 · 2024-11-21 14:41:12 +01:00 · a7c2d11e95
commit a7c2d11e95
parent 8cf2674d33
1 changed files with 83 additions and 59 deletions
--- a/pages/merlin7/02-How-To-Use-Merlin/kerberos.md
+++ b/pages/merlin7/02-How-To-Use-Merlin/kerberos.md
@ -9,56 +9,64 @@ permalink: /merlin7/kerberos.html
 ---

 Projects and users have their own areas in the central PSI AFS service. In order
-to access to these areas, valid Kerberos and AFS tickets must be granted. 
+to access to these areas, valid Kerberos and AFS tickets must be granted.

-These tickets are automatically granted when accessing through SSH with 
+These tickets are automatically granted when accessing through SSH with
 username and password. Alternatively, one can get a granting ticket with the `kinit` (Kerberos)
 and `aklog` (AFS ticket, which needs to be run after `kinit`) commands.

-Due to PSI security policies, the maximum lifetime of the ticket is 7 days, and the default 
-time is 10 hours. It means than one needs to constantly renew (`krenew` command) the existing 
+Due to PSI security policies, the maximum lifetime of the ticket is 7 days, and the default
+time is 10 hours. It means than one needs to constantly renew (`krenew` command) the existing
 granting tickets, and their validity can not be extended longer than 7 days. At this point,
 one needs to obtain new granting tickets.

-
 ## Obtaining granting tickets with username and password

 As already described above, the most common use case is to obtain Kerberos and AFS granting tickets
 by introducing username and password:
+
 * When login to Merlin through SSH protocol, if this is done with username + password authentication,
 tickets for Kerberos and AFS will be automatically obtained.
 * When login to Merlin through NoMachine, no Kerberos and AFS are granted. Therefore, users need to
 run `kinit` (to obtain a granting Kerberos ticket) followed by `aklog` (to obtain a granting AFS ticket).
-See further details below. 
+See further details below.

 To manually obtain granting tickets, one has to:
+
 1. To obtain a granting Kerberos ticket, one needs to run `kinit $USER` and enter the PSI password.
-```bash
-kinit $USER@D.PSI.CH
-```
+
+   ```bash
+   kinit $USER@D.PSI.CH
+   ```
+
 2. To obtain a granting ticket for AFS, one needs to run `aklog`. No password is necessary, but a valid
 Kerberos ticket is mandatory.
-```bash
-aklog
-```
-3. To list the status of your granted tickets, users can use the `klist` command.
-```bash
-klist
-```
-4. To extend the validity of existing granting tickets, users can use the `krenew` command.
-```bash
-krenew
-```
-   * Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
-   and then `kinit** should be used instead.

+   ```bash
+   aklog
+   ```
+
+3. To list the status of your granted tickets, users can use the `klist` command.
+
+   ```bash
+   klist
+   ```
+
+4. To extend the validity of existing granting tickets, users can use the `krenew` command.
+
+   ```bash
+   krenew
+   ```
+
+   * Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
+     and then `kinit` should be used instead.

 ## Obtanining granting tickets with keytab

-Sometimes, obtaining granting tickets by using password authentication is not possible. An example are user Slurm jobs 
-requiring access to private areas in AFS. For that, there's the possibility to generate a **keytab** file. 
+Sometimes, obtaining granting tickets by using password authentication is not possible. An example are user Slurm jobs
+requiring access to private areas in AFS. For that, there's the possibility to generate a **keytab** file.

-Be aware that the **keytab** file must be **private**, **fully protected** by correct permissions and not shared with any 
+Be aware that the **keytab** file must be **private**, **fully protected** by correct permissions and not shared with any
 other users.

 ### Creating a keytab file
@ -66,29 +74,39 @@ other users.
 For generating a **keytab**, one has to:

 1. Load a newer Kerberos ( `krb5/1.20` or higher) from Pmodules:
-```bash
-module load krb5/1.20
-```
+
+   ```bash
+   module load krb5/1.20
+   ```
+
 2. Create a private directory for storing the Kerberos **keytab** file
-```bash
-mkdir -p ~/.k5
-```
+
+   ```bash
+   mkdir -p ~/.k5
+   ```
+
 3. Run the `ktutil` utility which comes with the loaded `krb5` Pmodule:
-```bash
-ktutil
-```
+
+   ```bash
+   ktutil
+   ```
+
 4. In the `ktutil` console, one has to generate a **keytab** file as follows:
-```bash
-# Replace $USER by your username
-add_entry -password -k 0 -f -p $USER
-wkt /data/user/$USER/.k5/krb5.keytab
-exit
-```
-Notice that you will need to add your password once. This step is required for generating the **keytab** file.
+
+   ```bash
+   # Replace $USER by your username
+   add_entry -password -k 0 -f -p $USER
+   wkt /data/user/$USER/.k5/krb5.keytab
+   exit
+   ```
+
+   Notice that you will need to add your password once. This step is required for generating the **keytab** file.
+
 5. Once back to the main shell, one has to ensure that the file contains the proper permissions:
-```bash
-chmod 0600 ~/.k5/krb5.keytab
-```
+
+   ```bash
+   chmod 0600 ~/.k5/krb5.keytab
+   ```

 ### Obtaining tickets by using keytab files

@ -106,23 +124,30 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos

 The steps should be the following:

-* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area 
+* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
 (`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job):
-```bash
-export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
-```
+
+  ```bash
+  export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
+  ```
+
 * To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
-```bash
-kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
-```
+
+  ```bash
+  kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
+  ```
+
 * To obtain a granting AFS ticket, run `aklog`:
-```bash
-aklog
-```
-* At the end of the job, you can remove destroy existing Kerberos tickets. 
-```bash
-kdestroy
-```
+
+  ```bash
+  aklog
+  ```
+
+* At the end of the job, you can remove destroy existing Kerberos tickets.
+
+  ```bash
+  kdestroy
+  ```

 ### Slurm batch script example: obtaining KRB+AFS granting tickets

@ -168,7 +193,6 @@ Then, you can run one or multiple jobs scripts (or parallel job with `srun`). `K
 job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs.

 ```bash
-
 #!/bin/bash
 #SBATCH --partition=hourly            # Specify 'general' or 'daily' or 'hourly'
 #SBATCH --time=01:00:00               # Strictly recommended when using 'general' partition.