Password-less ssh login on CERN lxplus with Kerberos


Mostly it's based on this:

https://linux.web.cern.ch/docs/kerberos-access/

Unfortunately the CERN docs are slightly misleading, so here we go. This guide should work on any Linux distribution as long as you're not running a fossil.

How-to

First, to obtain the Kerberos ticket:

kinit -f {your username}@CERN.CH

The capital CERN.CH is required, and the -f flag requests a forwardable ticket.[1] You can also use flags such as -l and -r to set the ticket lifetime and the renewable lifetime.

Then, verify that it works by:

klist -f

You should see a line containing Flags: FIA. I assume F means forward. (You can get R{something} if you didn't run with the -f.)

Then, edit your /etc/ssh/ssh_config or user-specific ~/.ssh/config and add rules for lxplus*:

HOST lxplus*
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

The CERN docs also say GSSAPITrustDns yes, but that option is not available in unmodified OpenSSH, even though it appears in certain manual pages.

Because GSSAPITrustDns is not available, a specific node needs to be given:

ssh {username}@lxplus700.cern.ch

instead of

ssh {username}@lxplus.cern.ch

And everything should work. If not, run ssh -v instead, look at what went wrong, and consult the troubleshooting section of the CERN docs.
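As an added example (not from the CERN docs or this post), a small POSIX shell script that checks klist -f output for the F flag on the CERN.CH TGT before you rely on credential delegation, and prints the ssh_config stanza from the steps above. The klist output is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Added helper, not part of the CERN docs or the original post.
# ticket_is_forwardable: reads `klist -f` output on stdin and succeeds only if
# the CERN.CH TGT carries the F (forwardable) flag, because
# GSSAPIDelegateCredentials can only forward a forwardable ticket.
ticket_is_forwardable() {
    awk '
        /krbtgt\/CERN\.CH@CERN\.CH/ { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            flags = $0; sub(/.*Flags: */, "", flags)
            if (flags ~ /F/) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# lxplus_ssh_config: prints the client stanza from the guide. Scoping it to a
# Host pattern (default lxplus*) keeps credential delegation limited to those
# hosts instead of forwarding the TGT to every server you ssh into.
lxplus_ssh_config() {
    printf 'Host %s\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' \
        "${1:-lxplus*}"
}

# Constructed sample `klist -f` outputs (not real cache dumps); only the
# ticket line and its Flags line matter to the parser.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CERN.CH

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/02/2024 09:00:00  krbtgt/CERN.CH@CERN.CH
        renew until 01/06/2024 09:00:00, Flags: FRIA'

KLIST_NOT_FORWARDABLE='Default principal: alice@CERN.CH
01/01/2024 09:00:00  01/02/2024 09:00:00  krbtgt/CERN.CH@CERN.CH
        Flags: RIA'

# Stand-alone usage: check the live cache and bail out before running ssh.
if [ "${1:-}" = "--check" ]; then
    klist -f | ticket_is_forwardable || { echo 'TGT is not forwardable; rerun kinit -f' >&2; exit 1; }
    lxplus_ssh_config
fi
```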

Extras

If you are on a Debian-based Linux, OpenSSH is already patched and you can use the GSSAPITrustDns option, see here. If you're on an Arch-based system, like I am, your best bet is to use the patched OpenSSH port, which is available on the AUR. The CERN doc says:

Please don't refer to particular machines when connecting to the LXPLUS cluster, ...

[1] https://web.mit.edu/kerberos/krb5-1.12/doc/user/tkt_mgmt.html