Differences between revisions 6 and 7
Revision 6 as of 2014-08-06 09:46:25
Size: 5905
Editor: GötzWaschk
Revision 7 as of 2019-09-13 14:22:34
Size: 5619
Comment: remove obsolete mail stuff
Deletions are marked like this. Additions are marked like this.
Line 10: Line 10:
 * Read and send mail via the [[MailReaderConfiguration|DESY Zeuthen mail server]]
Line 126: Line 125:
== Mail reader configuration ==

Details to setup your mail reader for passwordless access (without storing the DESY password) are described here: [[https://dvinfo.ifh.de/MailReaderConfiguration]]

This page collects information to optimize your notebook setup for an easier work with the DESY computing infrastructure.

1. Single-Sign-On (SSO)

Access to DESY computing resources is protected by your account/password combination. However you don't need to enter your password each and every time you open a fresh connection from your client to a DESY system. All you have to do is to enable Kerberos authentication. You can get passwordless access to the following services once you setup your client correctly:

  • ssh to "warp" and "pub" systems
  • authenticated access to some kerberos-enabled web servers
  • DESY Subversion server

On DESY-managed systems this setup is preconfigured.

1.1. Basic configuration

MacOSX systems typically have the Kerberos5 client programs already installed. Linux systems need to install a package typically named "krb5-user" or "krb5-workstation" - see the documentation of your distribution to find out.

The system-wide configuration is located in different locatations depending on your client:

  • on MacOSX: /Library/Preferences/edu.mit.Kerberos
  • on Linux: /etc/krb5.conf

It should look like this for DESY access:

        default_realm = IFH.DE
        ticket_lifetime = 25h
        renew_lifetime = 30d
        forwardable = true
        noaddresses = true

        .ifh.de = IFH.DE
        .zeuthen.desy.de = IFH.DE
        .desy.de = DESY.DE

/!\ NOTE: Zeuthen (IFH.DE) & Hamburg (DESY.DE) computing resources still reside in independent kerberos realms.

You can now fetch a so called kerberos ticket by issueing kinit <DESY accountname>. You have to enter your DESY password once. See this example:

[notebook] ~ % kinit ahaupt
ahaupt@IFH.DE's Password: 
[notebook] ~ % klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ahaupt@IFH.DE

  Issued                Expires               Principal
May 30 15:49:36 2013  May 31 16:49:36 2013  krbtgt/IFH.DE@IFH.DE

Verify your freshly created ticket with the klist command. Kerberos tickets at DESY have a maximum lifetime of 25 hours for security reasons. However you can renew your tickets passwordless for up to 30 days by invoking kinit -R as long as your original ticket hasn't expired, yet. There are gui programs available for Linux (krb5-auth-dialog) and MacOSX that can do this task automatically in background for you.

1.2. ssh configuration

ssh access to Zeuthen computing resources is available via the warp cluster. Read its documentation for further details. To make your ssh client kerberos-aware, you'll basically need to create/modify the configuration file $HOME/.ssh/config:

Host warp
    Hostname warp-zeuthen.desy.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

GSSAPIAuthentication enables passwordless authentication, GSSAPIDelegateCredentials enables the kerberos ticket forwarding to the ssh server. In some versions of ssh the gssapi implemenation is incompatible with alias host names as warp-zeuthen.desy.de is. In this case you'll probably need to add the option GSSAPITrustDns yes to this file. Consult the ssh_config man page for details.

If you did everything correctly, you should now be able to login without being asked for a password:

[notebook] ~ % ssh warp
Last login: Thu May 30 13:22:28 2013 from nomos127.ifh.de
Scientific Linux SL release 6.4 (Carbon)

Info: http://dvinfo.ifh.de/SL6_User_Information

Please report any bugs or problems to uco-zn@desy.de

[elwood-vm4] ~ % 

1.3. Screen sessions with up-to-date kerberos tickets and AFS tokens

Screen sessions typically suffer from expiring kerberos tickets and AFS tokens after running unattended for more than a day. /!\ The following receipt should be used with care: expiring tickets/tokens are a security feature to reduce the impact of stolen credentials.

The AFS client handles tokens in so called "PAG"s (Process Authentication Group). A new screen session should therefor always be started within separate PAG. The following two scripts should provide a fully functional screen session with self-renewing AFS tokens and kerberos tickets (attached here for your convenience screen-pag screen-afs-creds):


   1 #!/bin/bash
   3 if [ -z "$1" ] ; then
   4     echo "usage: $0 <screen session name>"
   5     exit 1
   6 fi
   8 session_name=$1
   9 screen_afs=$(mktemp)
  10 # XXX: adapt path to script according to your installation
  11 install -m 0700 ~/scripts/screen-afs-creds $screen_afs
  14 exec pagsh -c "screen -S $session_name $screen_afs"


   1 #!/bin/bash
   3 install -m 0600 ${SAVE_KRB5CCNAME##FILE:} ${KRB5CCNAME##FILE:}
   4 export PP=$$
   6 while [ 1 ] ; do
   7         # tests whether Kerberos ticket is still valid
   8         klist --test || exit 1
   9         kinit -R
  10         sleep 36000
  11         # tests whether screen session is still running
  12         # (just in case the screen session terminated abnormally)
  13         kill -s 0 $PP || exit 0
  14 done > /dev/null 2>&1 < /dev/null &
  16 exec $SHELL -l

Then start the screen session named "screen-session-1" with:

[your-wgs] ~ % screen-pag screen-session-1

1.4. Subversion

The DESY subversion server provides kerberos-authenticated access. Details are explained here: https://svnsrv.desy.de/access.html#k5

BYOD/User-Info (last edited 2020-04-14 15:58:58 by AndreasHaupt)