Wiki source code of User-Info
Last modified by waschk on 2025/03/03 19:16
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | #pragma section-numbers on | ||
| 2 | This page collects information to optimize your notebook setup for an easier work with the DESY computing infrastructure. | ||
| 3 | |||
| 4 | Inhaltsverzeichnis | ||
| 5 | |||
| 6 | {{toc/}} | ||
| 7 | |||
| 8 | = Single-Sign-On (SSO) = | ||
| 9 | |||
| 10 | Access to DESY computing resources is protected by your account/password combination. However you don't need to enter your password each and every time you open a fresh connection from your client to a DESY system. All you have to do is to enable [[Kerberos authentication>>https://en.wikipedia.org/wiki/Kerberos_(protocol)]]. You can get passwordless access to the following services once you setup your client correctly: | ||
| 11 | |||
| 12 | * ssh to "warp" and "pub" systems | ||
| 13 | * authenticated access to some kerberos-enabled web servers | ||
| 14 | |||
| 15 | On DESY-managed systems this setup is preconfigured. | ||
| 16 | |||
| 17 | == Basic configuration == | ||
| 18 | |||
| 19 | MacOSX systems typically have the Kerberos5 client programs already installed. Linux systems need to install a package typically named "krb5-user" or "krb5-workstation" - see the documentation of your distribution to find out. | ||
| 20 | |||
| 21 | The system-wide configuration is located in different locatations depending on your client: | ||
| 22 | |||
| 23 | * on MacOSX: /Library/Preferences/edu.mit.Kerberos (create the file with sudo privileges if it doesn't exit yet) | ||
| 24 | * on Linux: /etc/krb5.conf | ||
| 25 | It should look like this for DESY access: | ||
| 26 | {{code language="ini"}}[libdefaults] | ||
| 27 | default_realm = IFH.DE | ||
| 28 | ticket_lifetime = 25h | ||
| 29 | renew_lifetime = 30d | ||
| 30 | forwardable = true | ||
| 31 | noaddresses = true | ||
| 32 | |||
| 33 | [domain_realm] | ||
| 34 | .ifh.de = IFH.DE | ||
| 35 | .zeuthen.desy.de = IFH.DE | ||
| 36 | .desy.de = DESY.DE{{/code}} | ||
| 37 | ⚠NOTE: Zeuthen (IFH.DE) & Hamburg (DESY.DE) computing resources still reside in independent kerberos realms. | ||
| 38 | |||
| 39 | You can now fetch a so called kerberos ticket by issueing **kinit <DESY accountname>**. You have to enter your DESY password once. See this example: | ||
| 40 | |||
| 41 | {{code language="none"}} | ||
| 42 | [notebook] ~ % kinit ahaupt | ||
| 43 | ahaupt@IFH.DE's Password: | ||
| 44 | [notebook] ~ % klist | ||
| 45 | Credentials cache: FILE:/tmp/krb5cc_1000 | ||
| 46 | Principal: ahaupt@IFH.DE | ||
| 47 | |||
| 48 | Issued Expires Principal | ||
| 49 | May 30 15:49:36 2013 May 31 16:49:36 2013 krbtgt/IFH.DE@IFH.DE | ||
| 50 | {{/code}} | ||
| 51 | |||
| 52 | Verify your freshly created ticket with the **klist** command. Kerberos tickets at DESY have a maximum lifetime of 25 hours for security reasons. However you can renew your tickets passwordless for up to 30 days by invoking **kinit -R** as long as your original ticket hasn't expired, yet. There are gui programs available for Linux (krb5-auth-dialog) and MacOSX that can do this task automatically in background for you. | ||
| 53 | |||
| 54 | == ssh configuration == | ||
| 55 | |||
| 56 | ssh access to Zeuthen computing resources is available via the [[warp cluster>>doc:DV.DV-Zeuthen.Dokumentationen.Unix.Warp_Login_Usage.WebHome]]. Read its documentation for further details. To make your ssh client kerberos-aware, you'll basically need to create/modify the configuration file **$HOME/.ssh/config**: | ||
| 57 | |||
| 58 | {{code}} | ||
| 59 | Host * | ||
| 60 | ControlMaster auto | ||
| 61 | ControlPath ~/.ssh/ssh_mux_%h_%p_%r | ||
| 62 | |||
| 63 | Host warp | ||
| 64 | Hostname warp.zeuthen.desy.de | ||
| 65 | GSSAPIAuthentication yes | ||
| 66 | GSSAPIDelegateCredentials yes | ||
| 67 | GSSAPITrustDns yes | ||
| 68 | |||
| 69 | Host wgs34 | ||
| 70 | Hostname wgs34.zeuthen.desy.de | ||
| 71 | GSSAPIAuthentication yes | ||
| 72 | GSSAPIDelegateCredentials yes | ||
| 73 | GSSAPITrustDns yes | ||
| 74 | ProxyCommand ssh warp.zeuthen.desy.de nc %h %p | ||
| 75 | {{/code}} | ||
| 76 | |||
| 77 | **GSSAPIAuthentication** enables passwordless authentication, **GSSAPIDelegateCredentials** enables the kerberos ticket forwarding to the ssh server. You might have to add your user name to the configuration file if it is different from your DESY user name on your client. Consult the ssh_config man page for details. | ||
| 78 | |||
| 79 | If you did everything correctly, you should now be able to login without being asked for a password. You'll be asked for the OTP: | ||
| 80 | |||
| 81 | {{code language="none"}} | ||
| 82 | [notebook] ~ % ssh warp | ||
| 83 | (waschk@warp.zeuthen.desy.de) OTP(mfa.desy.de): | ||
| 84 | Last login: Thu Jan 30 15:49:56 2025 from 141.34.92.15 | ||
| 85 | AlmaLinux 9.5 (Teal Serval) | ||
| 86 | |||
| 87 | Info: https://xwiki.desy.de/xwiki/bin/view/DV/DV-Zeuthen/Dokumentationen/Unix/EL9_User_Information | ||
| 88 | |||
| 89 | Please report any bugs or problems to uco-zn@desy.de | ||
| 90 | |||
| 91 | Last login: Mon Feb 10 13:12:53 2025 from 2001:638:700:f002::1:11 | ||
| 92 | [wgs34] ~ % | ||
| 93 | {{/code}} | ||
| 94 | |||
| 95 | You can also directly connect to your group's WGS, in DV case it would be wgs34, you have a different one. | ||
| 96 | |||
| 97 | == Screen sessions with up-to-date kerberos tickets and AFS tokens == | ||
| 98 | |||
| 99 | Screen sessions typically suffer from expiring kerberos tickets and AFS tokens after running unattended for more than a day.⚠ The following receipt should be used with care: expiring tickets/tokens are a security feature to reduce the impact of stolen credentials. | ||
| 100 | |||
| 101 | The AFS client handles tokens in so called "PAG"s (Process Authentication Group). A new screen session should therefore always be started within separate PAG. The following two scripts should provide a fully functional screen session with self-renewing AFS tokens and kerberos tickets (attached here for your convenience [[attach:screen-pag]] [[attach:screen-afs-creds]]): | ||
| 102 | |||
| 103 | screen-pag: | ||
| 104 | |||
| 105 | {{code}} | ||
| 106 | #!highlight bash | ||
| 107 | #!/bin/bash | ||
| 108 | |||
| 109 | if [ -z "$1" ] ; then | ||
| 110 | echo "usage: $0 <screen session name>" | ||
| 111 | exit 1 | ||
| 112 | fi | ||
| 113 | |||
| 114 | session_name=$1 | ||
| 115 | screen_afs=$(mktemp) | ||
| 116 | # XXX: adapt path to script according to your installation | ||
| 117 | install -m 0700 ~/scripts/screen-afs-creds $screen_afs | ||
| 118 | |||
| 119 | export SAVE_KRB5CCNAME=$KRB5CCNAME | ||
| 120 | exec pagsh -c "screen -S $session_name $screen_afs" | ||
| 121 | {{/code}} | ||
| 122 | |||
| 123 | screen-afs-creds: | ||
| 124 | |||
| 125 | {{code}} | ||
| 126 | #!highlight bash | ||
| 127 | #!/bin/bash | ||
| 128 | |||
| 129 | install -m 0600 ${SAVE_KRB5CCNAME##FILE:} ${KRB5CCNAME##FILE:} | ||
| 130 | export PP=$$ | ||
| 131 | |||
| 132 | while [ 1 ] ; do | ||
| 133 | # tests whether Kerberos ticket is still valid | ||
| 134 | klist --test || exit 1 | ||
| 135 | kinit -R | ||
| 136 | sleep 36000 | ||
| 137 | # tests whether screen session is still running | ||
| 138 | # (just in case the screen session terminated abnormally) | ||
| 139 | kill -s 0 $PP || exit 0 | ||
| 140 | done > /dev/null 2>&1 < /dev/null & | ||
| 141 | |||
| 142 | exec $SHELL -l | ||
| 143 | {{/code}} | ||
| 144 | |||
| 145 | Copy these scripts to /scripts/ and make them executable. Then start the screen session named "screen-session-1" with: | ||
| 146 | |||
| 147 | {{code language="none"}} | ||
| 148 | [your-wgs] ~ % screen-pag screen-session-1 | ||
| 149 | {{/code}} | ||
| 150 | |||
| 151 | VNC sessions that run longer than 24 hours should be started from this environment. | ||
| 152 | |||
| 153 | == tmux sessions with up-to-date kerberos tickets and AFS tokens == | ||
| 154 | |||
| 155 | If you prefer to use the more modern tmux instead of screen, these scripts do the same: [[tmux-pag>>attach:tmux-pag]] [[tmux-afs-creds>>attach:tmux-afs-creds]] |