## Linux, SSH, Kerberos etc.¶

In August 2018 the computer lab was reinstalled with a new authencation system and a new file server.

### Authentication and External Login Server¶

Generally, your credentials are you central SDU credentials. Every user has a domain, e.g., “sdu” for students and “nat-sdu” for NAT employees.

Those in “nat-sdu” should use just there username without domain. Otherwise, prepend your domain with a backslach, e.g., “sdu\jla42”.

Note

The “\” character is special on the command line, so it must be escaped with another “\”. E.g., “ssh sdu\\jla42@logon.sdu.dk”.

For connecting via SSH from external computers the new jump server is:

logon.sdu.dk


The old one is:

login.imada.sdu.dk


Note

On Ubuntu the package “krb5-user” is needed.

The system uses Kerberos for authentication. To access files you must have a valid ticket. You can see your current tickets with:

klist


This also shows when the ticket will expire. Currently it will expire after 10 hours.

Note

You do not loose your ticket when you log out.

#### Renewing a Ticket¶

As a general rule, whenever you type your password, you will also renew your tickets. To explicit renew a ticket (while having one), simply use:

kinit


If you want to run stuff during the night, be aware that your ticket may expire. In that case you can use a cron job (or maybe just a script using “sleep”), to automatically run the “kinit” command while you are away.

#### Obtaining a Ticket¶

If you just log in using your password, you will get a ticket. To obtain a ticket, whlie on the SDU network (e.g., on eduroam), also use “kinit”. For NAT accounts:

kinit user@NAT.C.SDU.DK


and for non-NAT accounts:

Todo

Basically the same, but with a different domain.

Note

The capitilisation of the part after “@” matters!

Note

Currently it is not possible to get a ticket outside the SDU network, and therefore not possible to do passwordless login without typing your password once at some point.

On the jump hosts and the computer lab machines, simply do ordinary SSH. From other machines, where you have a valid ticket, use the “-K” flag to forward your ticket. E.g.:

ssh -K jlandersen@logon.sdu.dk


Warning

it seems that this actually doesn’t work at the moment.

If you use SSH-aliases in “.ssh/config” you can add ticket forwarding as default:

Todo

write it once it works, it should basically be adding “GSSAPIDelegateCredentials yes

Once you have a ticket on the target machine, then you have access to the ordinary “.ssh/authorized_keys” file, public/private key authentication will then work. That is, from outisde the SDU network, you must type your password once, and subsequent logins can be passwordless (through public/private keys).

Warning

Logging in with public/private key authentication will not renew your ticket.

### Passwordless kinit¶

You can create a keytab file to locally store credentials for use with “kinit”. The file is completely location independent, but must be recreated when your Kerberos credentials change.

Warning

A keytab file should be regarded as a secret in the same way a private key should. That is, don’t give it away, and avoid transfering it out of a machine.

A keytab file is viewed and created using “ktutil”, and we here assume you are using the MIT Kerberos implementation (see also this). ktutil works by starting it and then typing commands inside it. For example:

addent -password -p user@NAT.C.SDU.DK -k 1 -e rc4-hmac
wkt mySecrets.keytab
quit


which adds an entry for “user@NAT.C.SDU.DK” and then writes the actual keytab file to “mySecrets.keytab”. The keytab file can now be used to get a ticket without typing your password:

kinit username@NAT.C.SDU.DK -k -t mySecrets.keytab


If you have a class 3 office machine on the SDU network, you can now put this command in a cron job to make sure you always have a ticket.

### Webserver¶

Note

If you do not have a personal IMADA website, just ignore this part.

The new home folders do not have your website mounted in “WWWpublic”. Instead you must log into the old system, e.g., on the machine where the files are physically stored:

www.imada.sdu.dk


Your website is then in “/home/www/Employees/username” (or “/home/www/Students/username” for TAs).

#### Migrating¶

The old home folder will exist for some time, but if you have references from your website to your home folder you should rearrange stuff.

Note also that the old absolute path to files through your home folder will no longer work. If you have .htaccess and .htpasswd files, you may need to change paths in them.

Note

### Moving Files From the Old System¶

The old home folders will be available for some time, but you should copy/move files to the new system. You can copy files, e.g., by rsync from the old file server nixstore.sdu.dk. For example:

rsync --progress -avzi -e ssh username-old@nixstore.sdu.dk: old


to transfer your old home dir to a nested folder old.