Department of Computer Science

Technical Services and Support

Setting up Kerberos Support for your Home or Office Machine

This section will probably not be of interest to most people. It gives you instructions on setting up Kerberos support for your home or office machine. The reason you might want Kerberos at home is to let you ssh to our systems without typing a password. It is for people who use our services a lot and are willing to do some work configuring their home systems.

Setting up Kerberos on Mac or Linux

There are a few steps to follow to set up Kerberos properly. These steps are as follows:

A. Install Required Software

While the Mac comes with Kerberos, you will want to install the Kerberos implementation from MacPorts. You will also need their version of ssh. (The problem with Apple's version of Kerberos is that it does not understand the https:// KDC proxy, which is needed for use at home. You need to use the MacPorts versions of both the Kerberos utilities and ssh.)

    1. Make sure your time is synchronized. Generally this is done with a program called chrony, though older installations use ntpd. The system administration tool for most systems will let you set this up. If your clock is off by more than a few minutes (the MIT Kerberos default tolerance is five minutes), Kerberos authentication fails with a clock-skew error.
    2. Make sure the Kerberos software is installed:
       Mac:
         1. Install Apple's Xcode through the App Store, accept its license, and install the command-line tools:
            sudo xcodebuild -license
            xcode-select --install
         2. Download and install MacPorts (see https://www.macports.org/install.php), then install MIT Kerberos from it:
            sudo port install kerberos5
         3. Make sure /opt/local/bin is before /usr/bin and /usr/sbin in your PATH, so that the MacPorts kinit and ssh are found instead of Apple's. The MacPorts installation should edit your startup files to do this, but you need to open a new terminal window for that to take effect; "which kinit" should then print /opt/local/bin/kinit.
       CentOS: yum install krb5-workstation krb5-pkinit
       Fedora: dnf install krb5-workstation krb5-pkinit
       SLES 12: zypper install krb5-client [not tested; may also need krb5-plugin-preauth-otp krb5-plugin-preauth-pkinit]
       Ubuntu: apt-get install krb5-user krb5-k5tls krb5-pkinit
B. Set up Kerberos config file

The main config file for Kerberos is /etc/krb5.conf. (On the Mac, with the MacPorts Kerberos, this goes in /opt/local/etc/krb5.conf.)

For Home Machine

At home your IP address is probably not a real (routable) one, because you are behind an address translator run by your ISP or your home router, and the KDC is reached over https through a KDC proxy rather than directly on port 88. The noaddresses setting keeps client addresses out of your tickets, so the address translation does not invalidate them. Your krb5.conf should look like this:

[libdefaults]
default_realm = CS.RUTGERS.EDU
noaddresses = true
forwardable = true
renew_lifetime = 365d
default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
CS.RUTGERS.EDU = {
kdc = https://services.cs.rutgers.edu/KdcProxy
}
For Office Machine on CS Network

For machines on the CS network that have a permanent address within Computer Science, a few things need to be done first.

1. You will need to send email to help@cs.rutgers.edu to get your system registered. (See Integrating your system with LCSR Kerberos for details.)

2. Tell us if you want to do NFS mounts of home directories, /common/users, /common/home and other NFS volumes.

Once staff have set you up, your krb5.conf should look like this:

[libdefaults]
default_realm = CS.RUTGERS.EDU
noaddresses = true
forwardable = true
renew_lifetime = 365d
default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
CS.RUTGERS.EDU = {
    kdc = krb1.cs.rutgers.edu:88
    kdc = krb2.cs.rutgers.edu:88
    kdc = krb4.cs.rutgers.edu:88
}
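As an added check for both the home and the office file above (example code written for this page, not the department's own tooling), the following Python parses a krb5.conf in the syntax shown here and reports whether it matches the home profile (https KDC proxy, noaddresses) or the office profile (direct KDCs on port 88). The two sample configurations embedded in it are copied from this page; the broken variant is constructed to show what the lint catches.

```python
"""Parse a krb5.conf and lint it against the home or office profile above.
Added example for this page; it handles [sections], key = value lines and
key = { ... } relation blocks, which is all the files on this page use."""
import re

REALM = 'CS.RUTGERS.EDU'

_SECTION = re.compile(r'^\[([A-Za-z_]+)\]$')
_ENTRY = re.compile(r'^([A-Za-z0-9_.\-]+)\s*=\s*(.*)$')
_DIRECT_KDC = re.compile(r'^[A-Za-z0-9.\-]+(:\d+)?$')   # host or host:port, no URL scheme


def parse_krb5_conf(text):
    """Return {section: {key: value}}. Nested blocks become dicts; a key that
    repeats (several kdc = lines) becomes a list in file order."""
    conf = {}
    stack = []                                    # dicts being filled, innermost last
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('entry before any [section]: %r' % raw)
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced } near %r' % raw)
            stack.pop()
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError('cannot parse line: %r' % raw)
        key, value = m.group(1), m.group(2).strip()
        cur = stack[-1]
        if value == '{':
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:
            old = cur[key]
            cur[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            cur[key] = value
    if len(stack) > 1:
        raise ValueError('unterminated { block')
    return conf


def lint_krb5_conf(conf, profile):
    """Return a list of problems for profile 'home' or 'office'; an empty list
    means the file matches what the page prescribes for that profile."""
    if profile not in ('home', 'office'):
        raise ValueError('profile must be "home" or "office"')
    problems = []
    libdefaults = conf.get('libdefaults', {})
    if libdefaults.get('default_realm') != REALM:
        problems.append('default_realm must be %s' % REALM)
    # noaddresses: no client IP in tickets, so NAT at home cannot break them.
    # forwardable: needed for ssh to delegate the TGT (GSSAPIDelegateCredentials).
    for key in ('noaddresses', 'forwardable'):
        if str(libdefaults.get(key, '')).lower() != 'true':
            problems.append('[libdefaults] needs %s = true' % key)
    kdcs = conf.get('realms', {}).get(REALM, {}).get('kdc', [])
    kdcs = [kdcs] if isinstance(kdcs, str) else kdcs
    if not kdcs:
        problems.append('[realms] has no kdc entry for %s' % REALM)
    for kdc in kdcs:
        if kdc.startswith('http://'):
            problems.append('KDC proxy must use https, not http: %s' % kdc)
        elif profile == 'home' and not kdc.startswith('https://'):
            problems.append('home profile needs the https KDC proxy, got %s' % kdc)
        elif profile == 'office' and not _DIRECT_KDC.match(kdc):
            problems.append('office profile expects a direct kdc host:port, got %s' % kdc)
    return problems


# Constructed samples: the two files from this page, plus a broken home file.
HOME_CONF = """
[libdefaults]
default_realm = CS.RUTGERS.EDU
noaddresses = true
forwardable = true
renew_lifetime = 365d
default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
CS.RUTGERS.EDU = {
kdc = https://services.cs.rutgers.edu/KdcProxy
}
"""
OFFICE_CONF = HOME_CONF.replace(
    'kdc = https://services.cs.rutgers.edu/KdcProxy',
    'kdc = krb1.cs.rutgers.edu:88\nkdc = krb2.cs.rutgers.edu:88\nkdc = krb4.cs.rutgers.edu:88')
# Home file with the NAT setting missing and the proxy mistakenly over plain http.
BAD_HOME_CONF = HOME_CONF.replace('noaddresses = true\n', '').replace('https://', 'http://')
```

To check a real file, call lint_krb5_conf(parse_krb5_conf(open('/etc/krb5.conf').read()), 'home') (or 'office', and /opt/local/etc/krb5.conf on the Mac); an empty list means the file matches the profile, otherwise each string names one thing to fix.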
C. Setup SSH client config to work with Kerberos Ticket

Make sure the following lines are present and not commented out in /etc/ssh/ssh_config. (On the Mac, if you are using the MacPorts version of ssh, this will be /opt/local/etc/ssh/ssh_config.) If the lines do not exist, add them. Note that GSSAPIDelegateCredentials forwards your Kerberos ticket to the remote host, which can then act as you for as long as that ticket lasts (this is what makes Kerberos NFS home directories work after login). If you also ssh to machines outside the department from this client, put these two lines under a Host stanza that matches only CS hosts (for example Host *.cs.rutgers.edu) rather than in the global section, so your ticket is not handed to every server you connect to.

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
D. Testing Your Kerberos setup

Once this is set up you can use the Kerberos commands:

    • kinit netid
      Sets up your Kerberos credentials. If your username at home is the same as your Rutgers netid, you can omit the netid
    • skinit netid
      Use this instead of kinit if you have 2FA enabled on your account. skinit is a small script you need to create yourself: it fetches an anonymous ticket from the department's web service and uses it as FAST armor for kinit (the -T option), which is what lets the KDC prompt for your second factor. Here are the skinit scripts; the Mac version differs only in the paths to the MacPorts kinit and kdestroy.
      [Linux Version]
      #!/bin/sh
      # skinit: FAST-armored kinit for accounts with 2FA (MIT kinit -T).
      # Private temp file for the armor cache; the original used a fixed, predictable /tmp name.
      ANONCC=$(mktemp /tmp/anoncc.XXXXXX) || exit 1
      # Fetch the anonymous armor ticket ("kinit -n" would do the same if anonymous PKINIT were configured).
      if ! curl -fsS -o "$ANONCC" https://services.cs.rutgers.edu/cgi-bin/anonticket.pl; then
          echo "skinit: could not fetch anonymous ticket" >&2; rm -f "$ANONCC"; exit 1
      fi
      # Destroy the armor cache even if the password/OTP prompt is interrupted.
      trap 'KRB5CCNAME="$ANONCC" kdestroy 2>/dev/null; rm -f "$ANONCC"; exit 130' INT
      /usr/bin/kinit -T "$ANONCC" "$@"
      STAT=$?
      KRB5CCNAME="$ANONCC" /usr/bin/kdestroy 2>/dev/null
      rm -f "$ANONCC"
      exit $STAT
      [Mac version]
      #!/bin/sh
      # skinit: FAST-armored kinit for accounts with 2FA, using the MacPorts MIT Kerberos.
      # Private temp file for the armor cache; the original used a fixed, predictable /tmp name.
      ANONCC=$(mktemp /tmp/anoncc.XXXXXX) || exit 1
      # Fetch the anonymous armor ticket ("kinit -n" would do the same if anonymous PKINIT were configured).
      if ! curl -fsS -o "$ANONCC" https://services.cs.rutgers.edu/cgi-bin/anonticket.pl; then
          echo "skinit: could not fetch anonymous ticket" >&2; rm -f "$ANONCC"; exit 1
      fi
      # Destroy the armor cache even if the password/OTP prompt is interrupted.
      trap 'KRB5CCNAME="$ANONCC" /opt/local/bin/kdestroy 2>/dev/null; rm -f "$ANONCC"; exit 130' INT
      /opt/local/bin/kinit -T "$ANONCC" "$@"
      STAT=$?
      KRB5CCNAME="$ANONCC" /opt/local/bin/kdestroy 2>/dev/null
      rm -f "$ANONCC"
      exit $STAT
    • klist
      Shows you your credentials. They last for 24 hours; after that you need to run kinit again. Or you can run kinit -R before they expire to renew them for another day (an expired ticket cannot be renewed, so do this while it is still valid).
    • ssh hostname
      should work without asking you for a password as long as the host is in the computer science department. Note to Mac users: You have to use the Macports version of both the Kerberos utilities and ssh.
    • If you asked staff to authorize you to mount directories for a machine on the CS network, run the following command to tell macOS our NFSv4 domain (used to map user names between your Mac and the NFS server). This only needs to be done once.

      sudo dscl . -create Config/NFSv4Domain RealName cs.rutgers.edu

      You can then mount the file systems you are authorized for, e.g.

      sudo mount koko.lcsr.rutgers.edu:/vol/vol12/common/users /mnt
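If you want to automate the "renew before it expires, otherwise kinit again" rule from the klist item above (for example from a cron job), here is an added example that reads klist output and returns the action to take. It is example code written for this page, not departmental tooling, and it assumes MIT klist's "MM/DD/YYYY HH:MM:SS" timestamp layout (two-digit years from older builds are accepted too); Heimdal's klist prints dates differently and would need another regex. The sample output, including the host name in it, is constructed.

```python
"""Decide from klist output whether to do nothing, run kinit -R, or run
kinit/skinit again. Added example for this page, not departmental tooling."""
from datetime import datetime, timedelta
import re

REALM = 'CS.RUTGERS.EDU'

# Constructed sample in MIT klist's layout (assumption: MM/DD/YYYY HH:MM:SS;
# two-digit years from older builds are accepted too). The host name is made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: netid@CS.RUTGERS.EDU

Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/02/2024 09:00:00  krbtgt/CS.RUTGERS.EDU@CS.RUTGERS.EDU
\trenew until 02/28/2025 09:00:00
03/01/2024 09:05:00  03/02/2024 09:00:00  host/somehost.cs.rutgers.edu@CS.RUTGERS.EDU
"""

_TS = r'\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}'
_TICKET = re.compile(r'^(%s)\s+(%s)\s+(\S+)$' % (_TS, _TS))
_RENEW = re.compile(r'^\s+renew until (%s)$' % _TS)


def parse_ts(text):
    """klist timestamp -> datetime, accepting 2- or 4-digit years."""
    year = text.split(' ')[0].split('/')[2]
    fmt = '%m/%d/%Y %H:%M:%S' if len(year) == 4 else '%m/%d/%y %H:%M:%S'
    return datetime.strptime(text, fmt)


def parse_tgt(klist_text, realm=REALM):
    """Return (expires, renew_until or None) for the realm's TGT, or None if absent."""
    lines = klist_text.splitlines()
    want = 'krbtgt/%s@%s' % (realm, realm)
    for i, line in enumerate(lines):
        m = _TICKET.match(line)
        if not m or m.group(3) != want:
            continue
        renew_until = None
        if i + 1 < len(lines):                       # "renew until" follows the ticket line
            r = _RENEW.match(lines[i + 1])
            if r:
                renew_until = parse_ts(r.group(1))
        return parse_ts(m.group(2)), renew_until
    return None


def tgt_action(klist_text, now, realm=REALM, margin=timedelta(hours=2)):
    """'ok', 'renew' (run kinit -R now) or 'kinit' (get a fresh ticket).

    `now` may be a datetime or a timestamp string in klist's own format."""
    now = now if isinstance(now, datetime) else parse_ts(now)
    tgt = parse_tgt(klist_text, realm)
    if tgt is None:
        return 'kinit'
    expires, renew_until = tgt
    if now >= expires:
        return 'kinit'                   # kinit -R cannot revive an expired ticket
    if expires - now > margin:
        return 'ok'
    # Near expiry: renewal works only while the ticket is valid and before
    # its renew-until time; past that, a fresh kinit (or skinit) is needed.
    if renew_until is not None and now < renew_until:
        return 'renew'
    return 'kinit'
```

Feed it the text that klist prints (for example subprocess.run(['klist'], capture_output=True, text=True).stdout) together with datetime.now(); the two-hour margin is an assumption you can shorten or lengthen, and an already-expired ticket is reported as kinit rather than renew because renewal only works while the ticket is still valid.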

Setting up Kerberos on Windows 10.

On Windows 10 I recommend installing the Ubuntu application and setting up Kerberos within it as for Linux. There is Kerberos for Windows, but it does not support the proxy, so you cannot use it at home. (If your PC is on a Computer Science department network with a permanent hostname and IP address, you might consider using MIT's Kerberos for Windows.) To set up Ubuntu:

  • Find PowerShell (e.g. type powershell into the Cortana search box), right-click on it, and select "Run as administrator".
  • In the PowerShell window, type Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
  • Reboot
  • Go to the Windows Store and install Ubuntu. (Other distributions will probably work, but I have tried Ubuntu.)
  • Now follow the Linux instructions above for Ubuntu.
  • You can open multiple Ubuntu windows. If you run kinit to get a ticket in one window, it applies to the other windows as well, since they all share the same credential cache file.