Kerberos Authentication
In addition to the authentication via username and password you can use the so called Kerberos authentication mechanism to authenticate. The advantage is that you have to login only once and further connection to other machines or other services are automatically authenticated. In order to use this method both the client (e.g. ssh or a web browser) and the service, to which you connect, must be "kerberos-enabled".
Examples of such services are:
- AFS Andrew File System
- ssh/scp clients (including OpenSSH and PuTTY) connecting to an ssh server
- most modern web browsers (IE, Firefox, Safari, Chrome ) connection to webservers (apache etc) and web applications (e.g. alfresco, foswiki)
PSI Windows and Linux Systems
On all systems running a customized Windows or ScientificLinux provided by AIT, Kerberos is already configured.
General configuration
The following configuration settings have to be defined once. For Unix Client Systems (Linux, MacOSX <=10.6) the following settings have to be stored in the file /etc/krb5.conf
Note: for Mac OS X >= 10.7 you need a slightly modified version
[logging] default = SYSLOG:DEBUG:LOCAL0 [libdefaults] default_realm = D.PSI.CH ticket_lifetime = 25h renew_lifetime = 30d dns_lookup_realm = false dns_lookup_kdc = false udp_preference_limit = 42 allow_weak_crypto = yes [realms] PSI.CH = { kdc = tcp/afs00.psi.ch:88 tcp/afs01.psi.ch:88 tcp/afs02.psi.ch:88 admin_server = afs00.psi.ch:749 kpasswd_server = afs00.psi.ch:464 default_domain = psi.ch } D.PSI.CH = { kdc = tcp/d.psi.ch:88. kpasswd_server = d.psi.ch. default_domain = psi.ch } [domain_realm] .psi.ch = D.PSI.CH