
Department of Computer Science

Technical Services and Support

Setting up Kerberos Support for your Home or Office Machine

This section may be of little interest to most people. It gives instructions for setting up Kerberos support on your laptop, home machine, or office machine.

You can use Kerberos to SSH to our systems without typing a password. It is for people who use our services and are willing to do some extra configuration work up front; that work can save you a lot of time afterwards.

Setting up Kerberos on Mac or Linux

There are a few steps to follow to set up Kerberos properly.

Note to Mac OS X users: you must use the MacPorts versions of the MIT Kerberos utilities and of OpenSSH built with the +kerberos5 variant. Mac OS X ships Heimdal Kerberos by default, which is incompatible with our system. Assuming MacPorts is installed, type the following in a terminal:

sudo port install kerberos5

sudo port install openssh +kerberos5

Also make sure /opt/local/bin comes before /usr/bin in your PATH, so that kinit and ssh resolve to the MacPorts copies rather than Apple's (which kinit should print /opt/local/bin/kinit).

Next, follow these steps:

Set up Kerberos config file

The main config file for Kerberos is /etc/krb5.conf. [On the Mac there is also /opt/local/etc/krb5.conf. The two files are merged, with /etc/krb5.conf read first. Check both to make sure they do not set contradictory values.]

For Home Machine

At home your machine almost certainly does not have a fixed, routable IP address, because it sits behind a network address translator run by your ISP or your home router. Kerberos traffic therefore goes over HTTPS to our KDC proxy (kdcproxy) instead of directly to the KDCs.

First, fetch the Let's Encrypt root certificate (ISRG Root X1), which Kerberos uses to validate the proxy's HTTPS certificate, by typing this in a terminal:
curl -o "/opt/local/etc/isrgrootx1.pem" "https://letsencrypt.org/certs/isrgrootx1.pem"

The /opt/local/etc directory exists on a Mac with MacPorts; on Linux, save the file in any directory your user can read and use that path in the http_anchors line below. Because this file anchors trust for the proxy connection, compare its fingerprint with the one Let's Encrypt publishes before relying on it.

Make sure your krb5.conf looks like this:

[libdefaults]
default_realm = CS.RUTGERS.EDU
noaddresses = true
forwardable = true
renew_lifetime = 365d
default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
CS.RUTGERS.EDU = {
kdc = https://services.cs.rutgers.edu/KdcProxy
http_anchors = FILE:/opt/local/etc/isrgrootx1.pem
}

For the Office Machine on the CS Network

This applies to machines on the CS network with a permanent address assigned by Computer Science. A few things need to be done first:

1. You’ll need to notify us to get your system registered. (Please see more detailed info about Integrating your system with LCSR Kerberos)

2. Tell us whether you want to NFS-mount home directories (/common/users, /common/home) and other NFS volumes.

Once staff have set you up, your krb5.conf should be set up as follows:

[libdefaults]
  default_realm = CS.RUTGERS.EDU
  noaddresses = true
  forwardable = true
  renew_lifetime = 365d
  default_ccache_name = /tmp/krb5cc_%{uid}
# following only for Macs in the office (the Heimdal spelling of the same setting, read by Apple's built-in Kerberos)
  default_cc_name = /tmp/krb5cc_%{uid}
[realms]
  CS.RUTGERS.EDU = {
    kdc = krb1.cs.rutgers.edu:88
    kdc = krb2.cs.rutgers.edu:88
    kdc = krb4.cs.rutgers.edu:88
  }

Setup SSH client config to work with Kerberos Ticket

Ensure the following lines are present and not commented out in /etc/ssh/ssh_config. (On the Mac, with the MacPorts OpenSSH +kerberos5, the file is /opt/local/etc/ssh/ssh_config.) If the lines do not exist, add them.

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

GSSAPIDelegateCredentials forwards your ticket-granting ticket to the server you log in to, which is what lets you ssh onward or reach Kerberos-protected files from there without another kinit, but it also means any host you connect to can act as you for the life of the ticket. If you do not want that for every host, put the two lines under a Host block that matches only department machines in your ~/.ssh/config instead of setting them globally.
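The checks this page asks you to do by hand, as an added shell script (example code, not from the page or from LCSR staff): that /etc/krb5.conf and /opt/local/etc/krb5.conf do not set contradictory [libdefaults] values, that a home krb5.conf really points at an https:// proxy with a readable http_anchors file, and that the two GSSAPI directives are active in ssh_config. write_cs_ssh_config writes a ~/.ssh/config fragment that turns delegation on only for department hosts; the patterns *.cs.rutgers.edu and *.lcsr.rutgers.edu are an assumption based on the hostnames on this page. Everything is POSIX sh plus awk, so it runs unchanged on Linux, macOS and WSL.

```shell
#!/bin/sh
# Added example (not from the Rutgers CS page): lint the client setup described above.
#   krb5_section FILE SECTION   print "key value" lines of one krb5.conf section
#   krb5_conflicts F1 F2        [libdefaults] keys that F1 and F2 set differently
#   krb5_proxy_check FILE       home setup: kdc is the https:// proxy, anchors readable
#   ssh_gssapi_check FILE       both GSSAPI directives active in an ssh_config
#   write_cs_ssh_config FILE    fragment that delegates credentials to CS hosts only
# Host patterns *.cs.rutgers.edu / *.lcsr.rutgers.edu are assumptions, not from the page.

krb5_section() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[/ {                                  # [section] header
            hdr = $0; sub(/^[ \t]*\[/, "", hdr); sub(/].*$/, "", hdr)
            in_want = (hdr == want); next
        }
        in_want && index($0, "=") {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key != "" && val != "{") print key, val  # skip "REALM = {" openers
        }' "$1"
}

krb5_conflicts() {
    {
        krb5_section "$1" libdefaults | sed 's/^/1 /'
        krb5_section "$2" libdefaults | sed 's/^/2 /'
    } | awk '
        {
            src = $1; key = $2; val = $0; sub(/^[^ ]+ [^ ]+ ?/, "", val)
            if (src == 1) first[key] = val
            else if ((key in first) && first[key] != val) {
                printf "%s: %s | %s\n", key, first[key], val; n++
            }
        }
        END { exit (n > 0) }'               # non-zero exit when any key conflicts
}

krb5_proxy_check() {
    kdc=$(krb5_section "$1" realms | awk '$1 == "kdc" { print $2; exit }')
    anchors=$(krb5_section "$1" realms | awk '$1 == "http_anchors" { print $2; exit }')
    case "$kdc" in
        https://*) ;;
        *) echo "kdc is not an https:// proxy URL: $kdc"; return 1 ;;
    esac
    case "$anchors" in
        FILE:*) anchors=${anchors#FILE:} ;;
        *) echo "http_anchors must be FILE:<path>: $anchors"; return 1 ;;
    esac
    [ -r "$anchors" ] || { echo "http_anchors file not readable: $anchors"; return 1; }
    echo "ok: proxy $kdc, anchors $anchors"
}

ssh_gssapi_check() {
    awk '
        BEGIN { scope = "*" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = tolower($0); gsub(/=/, " ", line); sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/); key = f[1]; val = f[2]
            if (key == "host" || key == "match") {
                scope = line; sub(/^[a-z]+[ \t]+/, "", scope)
            } else if ((key == "gssapiauthentication" || key == "gssapidelegatecredentials") &&
                       val == "yes" && !(key in found)) {
                found[key] = scope          # ssh keeps the first value obtained, so record the first
            }
        }
        END {
            rc = 0
            split("gssapiauthentication gssapidelegatecredentials", want, " ")
            for (i = 1; i <= 2; i++) {
                if (want[i] in found) printf "ok: %s yes (Host %s)\n", want[i], found[want[i]]
                else { printf "missing: %s yes\n", want[i]; rc = 1 }
            }
            exit rc
        }' "$1"
}

write_cs_ssh_config() {
    cat > "$1" <<'EOF'
# Kerberos single sign-on, but only delegate (forward) the TGT to department hosts.
Host *.cs.rutgers.edu *.lcsr.rutgers.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

# Usage: sh krb-check.sh krb5_conflicts /etc/krb5.conf /opt/local/etc/krb5.conf
#        sh krb-check.sh ssh_gssapi_check /opt/local/etc/ssh/ssh_config
if [ $# -gt 0 ]; then "$@"; fi
```

Run it as sh krb-check.sh krb5_conflicts /etc/krb5.conf /opt/local/etc/krb5.conf on a Mac, or sh krb-check.sh krb5_proxy_check /etc/krb5.conf at home; a non-zero exit status means there is something to fix. The ssh check reports the Host scope of the first active directive because ssh uses the first value it obtains for each option, so a global yes earlier in the file overrides a narrower Host block placed after it.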

Testing Your Kerberos setup

Once this is set up, you can use Kerberos commands:

    • kinit netid
      Sets up your Kerberos credentials by obtaining a Kerberos ticket-granting ticket (TGT). If your username at home is the same as your Rutgers NetID, you can omit the NetID.
    • skinit netid
      Use this instead of kinit if you have 2FA enabled on your account. skinit is a small script you create yourself: it downloads an anonymous ticket cache from our web service and passes it to kinit -T, which uses it as the FAST armor that OTP preauthentication requires. One version works on both Linux and the Mac; /opt/local/bin is listed first so that the MacPorts kinit is used on a Mac (the directory simply does not exist on Linux):

      #!/bin/bash
      # skinit: kinit for accounts with 2FA. Fetches an anonymous ticket cache and
      # uses it as the FAST armor cache (kinit -T), which OTP preauthentication needs.
      export PATH=/opt/local/bin:/usr/bin:/bin
      # Private temporary file rather than a fixed, predictable name in world-writable /tmp.
      ANONCC=$(mktemp /tmp/anoncc.XXXXXX) || exit 1
      # Destroy the armor cache however the script ends, including on Ctrl-C.
      trap 'kdestroy -c "$ANONCC" 2>/dev/null; rm -f "$ANONCC"' EXIT
      trap 'exit 130' INT
      # -f makes curl fail on an HTTP error instead of saving an error page as the cache.
      if ! curl -fsS -o "$ANONCC" https://services.cs.rutgers.edu/cgi-bin/anonticket.pl; then
          echo "skinit: could not fetch the anonymous armor ticket" >&2
          exit 1
      fi
      kinit -T "$ANONCC" "$@"
      STAT=$?
      exit $STAT
    • klist
      Shows your credentials. Tickets last for 24 hours; after that you need to kinit again, or run the following before they expire:
    • kinit -R
      Renews the tickets for another day. Renewal only works while the ticket is still valid and only within the renew_lifetime (365d above), so after a year you must kinit afresh. In scripts, klist -s exits 0 when a valid ticket exists and 1 otherwise.
    • ssh hostname
      Should work without asking for a password, as long as the host is in the Computer Science department.
    • If you asked staff to authorize you to mount directories from the CS network, run the following command once to tell macOS the NFSv4 domain to use with our Kerberos realm:

      sudo dscl . -create Config/NFSv4Domain RealName cs.rutgers.edu

      You can then mount the file systems you are authorized to use, e.g.,

      sudo mount koko.lcsr.rutgers.edu:/vol/vol12/common/users /mnt

    Debugging:

    If you have problems, turn on library tracing before running kinit; the trace output tells us where the exchange is failing. Unset KRB5_TRACE afterwards, or every Kerberos command will keep printing trace output.

    export KRB5_TRACE=/dev/tty
    kinit your_netid

Setting up Kerberos on Windows 10.

On Windows 10, I recommend installing the Ubuntu application (Windows Subsystem for Linux) and setting up Kerberos inside it as on Linux. There is MIT Kerberos for Windows, but it does not support the proxy, so you cannot use it at home. Consider MIT's Kerberos for Windows only if your PC is on a Computer Science department network with a permanent hostname and IP address. To set up Ubuntu:

  • Install WSL2 on Windows 10 OS Build 2004 or later by opening cmd.exe (with Administrator permissions) and typing the following command:

wsl.exe --install

Alternatively, you can install WSL using PowerShell as follows:

    • Find PowerShell (e.g., type PowerShell into the Cortana search box), right-click on it, and select “Run as administrator.”
    • In the PowerShell window, type Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
      (This enables WSL 1 only. For WSL 2 you also need Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform and, after the reboot, wsl --set-default-version 2; wsl.exe --install does all of this for you.)
  • Reboot
  • Go to the Microsoft Store and install Ubuntu. (Other distributions will probably work, but I have only tried Ubuntu.)
  • Now follow the Linux instructions above inside Ubuntu.
  • You can open multiple Ubuntu windows. If you kinit in one window, the ticket applies to the others as well, because they share the same credential cache file.

For help with our systems or immediate assistance, visit LCSR Operator at CoRE 235 or call 848-445-2443. Otherwise, see CS HelpDesk. Don’t forget to include your NetID along with descriptions of your problem.