
AFS and SSH with kerberos on Ubuntu

This document describes how to get a transparent ssh login when AFS tokens are needed to access remote files, and/or how to configure a local /afs mount working on your client machine (... or laptop).

Tested on Ubuntu Intrepid (8.10), Jaunty (9.04) / x86_64, Karmic (9.10) / x86_64 and Lucid (10.04) / x86_64.

The two following chapters (SSH/KRB and AFS) are independent, but can be elegantly integrated.


The idea here is to be able to log in via ssh to a system whose HOME is on AFS without having to enter a password each time. No need to install AFS locally for that: ssh forwards your Kerberos ticket (GSSAPI credential delegation) and the remote machine can turn that ticket into an AFS token.


shell> sudo aptitude install krb5-user

This is enough for SLAC, MIT, etc. but not CERN, Fermilab, etc. I took the /etc/krb5.conf on lxplus.cern.ch, and patched it with this file:
shell> cd /etc
shell> patch krb5.conf the_attached_file.diff

Important: krb5 1.8 (eg. in Ubuntu Lucid, aka. 10.04) disables the weak single-DES encryption types by default, and the CERN servers at the time still relied on them, so for the following to work with the CERN servers you must add this line to the [libdefaults] section of /etc/krb5.conf (original post here):
allow_weak_crypto = true
Caveat: this setting is global, not per realm, so it re-enables DES for every realm you talk to from this machine. Treat it as a temporary workaround and remove it once the realm no longer issues DES tickets. klist -e shows the encryption type of each ticket you hold, which tells you whether a given realm actually needs it.

To test it, for example:
shell> kinit your_slac_login@SLAC.STANFORD.EDU
# Enter the password. It shouldn't complain
shell> kinit your_cern_login@CERN.CH
# Enter the password. It shouldn't complain

You can get the list of Kerberos tickets you are holding with klist (these are tickets, not AFS tokens; AFS tokens are listed with the tokens command, see below).


Optionally, send your dsa or rsa public key to your ~/.ssh/authorized_keys at slac, cern, whatever... as a fallback; GSSAPI authentication itself does not need it. Then edit your local ~/.ssh/config.
For example, for Slac:
Host slac some_machine.slac.stanford.edu
	Hostname some_machine.slac.stanford.edu
	User your_slac_login
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes

And for CERN it is slightly different:
Host cern lxplus lxplus.cern.ch
	Hostname lxplus.cern.ch
	User your_cern_login
	GSSAPITrustDns yes
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes

Refer to this page for details regarding the GSSAPITrustDns things. Also, don't forget the allow_weak_crypto trick above if you're using krb5 1.8+ (eg. Lucid).

Two caveats worth keeping in mind. GSSAPIDelegateCredentials yes hands a forwardable copy of your TGT to the remote host, so anyone with root there can act as you until it expires: enable it only for hosts you trust with your identity (you need it on the AFS login nodes, not on every host you ssh to). GSSAPITrustDns yes lets ssh build the service principal from the DNS canonical name rather than the name you typed; a spoofed DNS answer can therefore steer you, and the delegated ticket, to any other host that holds a valid host principal in that realm. Keep both options scoped to the Host entries that need them rather than in a global section.
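The safe way to express that scoping in ~/.ssh/config is to keep delegation off by default and turn it on per host. The fragment below is an added example, not configuration from the original page; the host names and login are the same placeholders used above. ssh applies the first matching Host block for each option, so the catch-all block must come last.

```ssh-config
# Trusted AFS login node: delegate the TGT so the remote side can run aklog.
Host cern lxplus lxplus.cern.ch
	Hostname lxplus.cern.ch
	User your_cern_login
	GSSAPITrustDns yes
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes

# Everything else: still authenticate with Kerberos where the server offers
# it, but never forward the TGT and never let DNS pick the service principal.
# Placed last on purpose: the first matching Host block wins per option.
Host *
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials no
	GSSAPITrustDns no
```

After editing, ssh -G lxplus (OpenSSH 6.8 and later) prints the effective options for a host, which is the quickest way to confirm that delegation is on only where you intended.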

To test this (for example with your CERN account), simply:
shell> kinit your_cern_login@CERN.CH
# specify password
shell> ssh cern touch afile
# No password, no error here
shell> ssh cern rm afile
# No password, no error here

AFS/krb5 client machine configuration

Now you want to have AFS available on your machine. You can achieve that in two ways, depending on whether you need ssh/gssapi working or not; the second way gives you the best of both worlds without having to enter your password 786486234 times.

Basic setup

shell> sudo aptitude install openafs-client openafs-modules-source
# cell name = cern.ch for example
shell> sudo update-rc.d -f openafs-client remove
# Because I don't want AFS to be started on boot
shell> sudo m-a clean openafs-modules-source
shell> sudo m-a auto-install openafs-modules-source
shell> sudo aptitude install openafs-krb5

shell> sudo /etc/init.d/openafs-client start

Without using krb5 tokens

In this first setup, you don't need (or want) the gssapi/ssh part above to work: klog takes your password and gives you the AFS token directly, without involving the ssh/GSSAPI configuration.

To get the AFS tokens:
shell> klog -principal your_cern_login -cell cern.ch
# specify password
shell> klog -principal your_slac_login -cell slac.stanford.edu
# specify password

You can also use the abbreviated form: klog -pr your_login -c the_cell.

Make sure you are holding all the required tokens:
shell> tokens

Tokens held by the Cache Manager:

User's (AFS ID 123456789) tokens for afs@slac.stanford.edu [Expires Day X HH:mm]
User's (AFS ID 234567890) tokens for afs@cern.ch [Expires Day Y hh:MM]
   --End of list--

Now you can use AFS:
shell> touch /afs/cern.ch/user/X/cern_login/afile
shell> rm /afs/cern.ch/user/X/cern_login/afile
shell> touch /afs/slac.stanford.edu/u/Y/slac_login/afile
shell> rm /afs/slac.stanford.edu/u/Y/slac_login/afile

Transparent AFS and krb5 integration

If you want to get the advantages of SSH/gssapi AND afs without having to enter your password every time, it's possible!
The first step is to acquire a krb5 ticket for the realm of the cell:
shell> kinit your_login@THE_CELL.ANY

With this and a proper ssh/gssapi configuration (see above), you can transparently log in to a remote machine and have the correct afs credentials on that machine (by executing aklog on that machine, if ever needed).

Now, if you want to use this krb5 ticket to access AFS from your local machine, use aklog, which exchanges the ticket for an AFS token of your local cell (aklog assumes the realm is the upper-cased cell name, eg. cell cern.ch / realm CERN.CH; if that is not the case, or you want a token for another cell, pass them explicitly: aklog -c the_cell -k THE.REALM):
shell> aklog

This will give you the AFS token you need:
shell> tokens

Tokens held by the Cache Manager:

User's (AFS ID 123456789) tokens for afs@THE_CELL.ANY [Expires Day X HH:mm]
   --End of list--
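The kinit/aklog sequence above is easy to script so that the password is asked only when the ticket is really gone. The helper below is an added example and is not part of the original page: it parses the output of klist and tokens to decide whether a kinit or an aklog is needed, and only then runs them. The principal and cell are assumed to be passed as arguments; the klist and tokens outputs embedded in it are constructed samples so that the parsing functions can be exercised offline (the real commands are only invoked by ensure_afs_token).

```shell
#!/bin/sh
# Added example (not from the original page). Assumes kinit, klist, aklog and
# tokens are on PATH when ensure_afs_token is called; everything else runs offline.

# Constructed sample outputs, shaped like those of klist and tokens on the page.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: your_cern_login@CERN.CH

Valid starting     Expires            Service principal
01/10/10 09:00:00  01/11/10 09:00:00  krbtgt/CERN.CH@CERN.CH'

SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 234567890) tokens for afs@cern.ch [Expires Jan 11 09:00]
   --End of list--"

# Exit 0 if the klist output on stdin contains a TGT for REALM.
has_tgt_for() {
    grep -q "krbtgt/$1@$1"
}

# Print one line per cell for which the tokens output on stdin shows a token.
afs_token_cells() {
    sed -n 's/.*tokens for afs@\([^ ]*\).*/\1/p'
}

# Exit 0 if the tokens output on stdin lists a token for CELL (case-insensitive).
has_afs_token_for() {
    cell=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    afs_token_cells | tr 'A-Z' 'a-z' | grep -qx "$cell"
}

# Make sure we hold a TGT for the principal's realm and an AFS token for CELL.
# klist -s is silent and exits non-zero when the cache is missing or expired,
# so kinit (and the password prompt) only happens when really needed.
ensure_afs_token() {
    principal=$1
    cell=$2
    realm=${principal#*@}
    if ! klist -s || ! klist | has_tgt_for "$realm"; then
        kinit "$principal" || return 1
    fi
    if ! tokens | has_afs_token_for "$cell"; then
        # -k is needed only when the realm is not the upper-cased cell name.
        aklog -c "$cell" -k "$realm" || return 1
    fi
    tokens | has_afs_token_for "$cell"
}

# Offline demonstration on the constructed samples.
demo() {
    if printf '%s\n' "$SAMPLE_KLIST" | has_tgt_for CERN.CH; then
        echo "sample klist: TGT for CERN.CH present, no kinit needed"
    fi
    if ! printf '%s\n' "$SAMPLE_TOKENS" | has_afs_token_for slac.stanford.edu; then
        echo "sample tokens: no token for slac.stanford.edu, aklog would be needed"
    fi
}
demo

# Real use: ensure_afs_token your_login@CERN.CH cern.ch
if [ $# -eq 2 ]; then
    ensure_afs_token "$1" "$2"
fi
```

Run it as a script with the principal and cell as arguments, or source it and call ensure_afs_token from your shell startup; because it checks before acting, it is safe to call repeatedly, for instance before every ssh to an AFS host.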

AFS/krb4 client machine configuration

If you want to access krb4 afs servers, such as the AFS cell "IN2P3.FR", then you need to use another set of tools.

The first thing is to have this /etc/krb.conf file. Then, to acquire an AFS token for the cell:
shell> klog.afs -pr your_IN2P3FR_login -c IN2P3.FR

Then tokens says:
shell> tokens
Tokens held by the Cache Manager:

User's (AFS ID 123456789) tokens for afs@in2p3.fr [Expires M D hH:mM]
   --End of list--

Afterwards, you will be able to access your afs space from your local machine:
shell> touch /afs/in2p3.fr/home/T/Toto/afile
shell> rm /afs/in2p3.fr/home/T/Toto/afile


On the remote afs cell I use (IN2P3.FR), there is no gssapi/ssh integration, so AFAIK there is no elegant ssh/krb/afs token integration. Anyway, just in case you need to acquire a krb4 ticket and the matching AFS token, type on the remote side (eg. ccali):
shell> kinit -4 your_IN2P3FR_login@IN2P3.FR
shell> afslog

Then klist will tell:
shell> klist -4 # Or no option at all to get both krb4 and krb5 tokens
Kerberos 4 ticket cache: /tmp/tkt424242424242
Principal: your_IN2P3FR_login@IN2P3.FR

  Issued              Expires             Principal
08/11/09 11:28:52  08/12/09 12:55:13  krbtgt.IN2P3.FR@IN2P3.FR