AFS and SSH with kerberos on Ubuntu
This document describes how to get a transparent ssh login when AFS tokens are needed to access remote files, and/or how to get a local /afs mount working on your client machine (... or laptop).
Tested on Ubuntu Intrepid (8.10), Jaunty (9.04) / x86_64, Karmic (9.10) / x86_64 and Lucid (10.04) / x86_64.
The two following chapters (SSH/KRB and AFS) are independent, but can be elegantly combined.
SSH/KRB
The idea here is to be able to login via ssh on a system where HOME is on AFS, without having to enter a password each time. No need to install AFS locally for that.
krb5
shell> sudo aptitude install krb5-user
This is enough for SLAC, MIT, etc. but not for CERN, Fermilab, etc. I took the /etc/krb5.conf from lxplus.cern.ch, and patched it with this file:
shell> cd /etc
shell> patch krb5.conf the_attached_file.diff
Important: with krb5 1.8 (e.g. in Ubuntu Lucid, aka 10.04), edit /etc/krb5.conf for the following to work with the CERN servers, adding allow_weak_crypto = true to the [libdefaults] section (original post here):
To test it, for example:
shell> kinit your_slac_login@SLAC.STANFORD.EDU
# Enter the password. It shouldn't complain
shell> kinit your_cern_login@CERN.CH
# Enter the password. It shouldn't complain
You can get the list of Kerberos tickets you are holding with klist.
ssh/gssapi
Append your DSA or RSA public key to your ~/.ssh/authorized_keys at SLAC, CERN, wherever... and edit your local ~/.ssh/config.
For example, for SLAC:
Host slac some_machine.slac.stanford.edu
Hostname some_machine.slac.stanford.edu
User your_slac_login
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
And for CERN it is slightly different:
Host cern lxplus lxplus.cern.ch
Hostname lxplus.cern.ch
User your_cern_login
GSSAPITrustDns yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Refer to this page for details regarding GSSAPITrustDns. Also, don't forget the allow_weak_crypto trick above if you're using krb5 1.8+ (e.g. Lucid).
To test this (for example with your CERN account), simply:
shell> kinit your_cern_login@CERN.CH
# specify password
shell> ssh cern touch afile
# No password, no error here
shell> ssh cern rm afile
# No password, no error here
AFS/krb5 client machine configuration
Now you want to have AFS available on your machine. There are two ways to do it, depending on whether you don't need ssh/gssapi working at all, or whether you want the best of both worlds without having to enter your password 786486234 times.
Basic setup
shell> sudo aptitude install openafs-client openafs-modules-source
# When asked for the cell name, answer cern.ch for example
shell> sudo update-rc.d -f openafs-client remove
# Because I don't want AFS to be started on boot
shell> sudo m-a clean openafs-modules-source
shell> sudo m-a auto-install openafs-modules-source
shell> sudo aptitude install openafs-krb5
shell> sudo /etc/init.d/openafs-client start
Without using krb5 tokens
In this first setup, you don't want or need the ssh/gssapi part (preceding steps) to be working.
To get the AFS tokens:
shell> klog -principal your_cern_login -cell cern.ch
# specify password
shell> klog -principal your_slac_login -cell slac.stanford.edu
# specify password
You can also use the abbreviated form klog -pr your_login -c the_cell.
Make sure you are holding all the required tokens:
shell> tokens
Tokens held by the Cache Manager:
User's (AFS ID 123456789) tokens for afs@slac.stanford.edu [Expires Day X HH:mm]
User's (AFS ID 234567890) tokens for afs@cern.ch [Expires Day Y hh:MM]
--End of list--
Now you can use AFS:
shell> touch /afs/cern.ch/user/X/cern_login/afile
shell> rm /afs/cern.ch/user/X/cern_login/afile
shell> touch /afs/slac.stanford.edu/u/Y/slac_login/afile
shell> rm /afs/slac.stanford.edu/u/Y/slac_login/afile
Transparent AFS and krb5 integration
If you want to get the advantages of SSH/gssapi AND AFS without having to enter your password every time, it's possible!
The first step is to acquire a krb5 ticket:
shell> kinit your_login@THE_CELL.ANY
Password:
With this and a proper ssh/gssapi configuration (see above), you can transparently log in to a remote machine and have the correct AFS credentials on that machine (by executing aklog on that machine, if ever needed).
Now, if you want to use this krb5 ticket to access AFS from your local machine, use aklog:
shell> aklog
This will give you the AFS token you need:
shell> tokens
Tokens held by the Cache Manager:
User's (AFS ID 123456789) tokens for afs@THE_CELL.ANY [Expires Day X HH:mm]
--End of list--
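As an added example (not part of the original page), a small POSIX shell helper that runs kinit and aklog only when the krb5 TGT or the AFS token for a cell is actually missing, deciding from the output of klist and tokens. The two sample outputs are constructed in the formats shown on this page, and the aklog -c/-k options are OpenAFS's cell and realm flags.

```shell
#!/bin/sh
# Added example: acquire an AFS token from a krb5 ticket only when needed.
# The two sample outputs below are constructed, in the formats shown on this page.
SAMPLE_TOKENS="Tokens held by the Cache Manager:
User's (AFS ID 123456789) tokens for afs@cern.ch [Expires Jan 30 11:28]
--End of list--"

SAMPLE_KLIST="Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: your_cern_login@CERN.CH

Valid starting     Expires            Service principal
01/30/10 09:00:00  01/31/10 09:00:00  krbtgt/CERN.CH@CERN.CH"

# Succeed if the given 'tokens' output (arg 2) holds a token for cell (arg 1).
has_afs_token() {
    printf '%s\n' "$2" | grep -qF "tokens for afs@$1 ["
}

# Succeed if the given 'klist' output (arg 2) holds a TGT for realm (arg 1).
has_tgt() {
    printf '%s\n' "$2" | grep -qF "krbtgt/$1@$1"
}

# ensure_afs CELL REALM LOGIN: run kinit and/or aklog only for what is missing.
ensure_afs() {
    cell=$1; realm=$2; login=$3
    if has_afs_token "$cell" "$(tokens 2>/dev/null)"; then
        return 0                          # already holding the AFS token
    fi
    if ! has_tgt "$realm" "$(klist 2>/dev/null)"; then
        kinit "$login@$realm" || return 1 # prompts for the password once
    fi
    aklog -c "$cell" -k "$realm"          # OpenAFS: -c cell, -k kerberos realm
}

# Usage: ./afs-login.sh cern.ch CERN.CH your_cern_login
if [ "$#" -ge 3 ]; then
    ensure_afs "$@"
fi
```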
AFS/krb4 client machine configuration
If you want to access krb4 afs servers, such as the AFS cell "IN2P3.FR", then you need to use another set of tools.
The first thing is to have this /etc/krb.conf file. Then, to acquire an AFS token for the cell:
shell> klog.afs -pr your_IN2P3FR_login -c IN2P3.FR
Password:
Then tokens says:
shell> tokens
Tokens held by the Cache Manager:
User's (AFS ID 123456789) tokens for afs@in2p3.fr [Expires M D hH:mM]
--End of list--
Afterwards, you will be able to access your AFS space from your local machine:
shell> touch /afs/in2p3.fr/home/T/Toto/afile
shell> rm /afs/in2p3.fr/home/T/Toto/afile
Optional
On the remote AFS cell I use (IN2P3.FR), there is no gssapi/ssh integration, so AFAIK there is no elegant ssh/krb/afs token integration. Anyway, just in case you need to acquire a krb4 token, type on the remote side (e.g. ccali):
shell> kinit -4 your_IN2P3FR_login@IN2P3.FR
shell> afslog
Then klist will tell:
shell> klist -4 # Or no option at all to get both krb4 and krb5 tokens
Kerberos 4 ticket cache: /tmp/tkt424242424242
Principal: your_IN2P3FR_login@IN2P3.FR
Issued Expires Principal
08/11/09 11:28:52 08/12/09 12:55:13 krbtgt.IN2P3.FR@IN2P3.FR