#pragma section-numbers on

This page collects information to optimize your notebook setup for easier work with the DESY computing infrastructure.

= Single-Sign-On (SSO) =

Access to DESY computing resources is protected by your account/password combination. However, you don't need to enter your password each and every time you open a fresh connection from your client to a DESY system. All you have to do is to enable [[https://en.wikipedia.org/wiki/Kerberos_(protocol)|Kerberos authentication]]. You can get passwordless access to the following services once you set up your client correctly:

 * ssh to "warp" and "pub" systems
 * Read and send mail via the [[MailReaderConfiguration|DESY Zeuthen mail server]]
 * authenticated access to some Kerberos-enabled web servers
 * [[Subversion Repositories|DESY Subversion server]]

On DESY-managed systems this setup is preconfigured.

== Basic configuration ==

MacOSX systems typically have the Kerberos5 client programs already installed. On Linux systems you need to install a package typically named "krb5-user"; see the documentation of your distribution to find out.

The system-wide configuration is located in different locations depending on your client:

 * on MacOSX: /Library/Preferences/edu.mit.Kerberos
 * on Linux: /etc/krb5.conf

It should look like this for DESY access:

{{{
[libdefaults]
    default_realm = IFH.DE
    ticket_lifetime = 25h
    renew_lifetime = 30d
    forwardable = true
    noaddresses = true

[domain_realm]
    .ifh.de = IFH.DE
    .desy.de = DESY.DE
}}}

/!\ NOTE: Zeuthen (IFH.DE) & Hamburg (DESY.DE) computing resources still reside in independent Kerberos realms.

You can now fetch a so-called Kerberos ticket by issuing '''kinit '''. You have to enter your DESY password once.
See this example:

{{{
[notebook] ~ % kinit ahaupt
ahaupt@IFH.DE's Password:
[notebook] ~ % klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ahaupt@IFH.DE

  Issued                Expires               Principal
May 30 15:49:36 2013  May 31 16:49:36 2013  krbtgt/IFH.DE@IFH.DE
}}}

Verify your freshly created ticket with the '''klist''' command.

Kerberos tickets at DESY have a maximum lifetime of 25 hours for security reasons. However, you can renew your tickets without a password for up to 30 days by invoking '''kinit -R''', as long as your original ticket hasn't expired yet. There are GUI programs available for Linux (krb5-auth-dialog) and MacOSX that can do this task automatically in the background for you.

== ssh configuration ==

ssh access to Zeuthen computing resources is available via the [[Warp_Login_Usage|warp cluster]]. Read its documentation for further details.

To make your ssh client Kerberos-aware, you basically need to create or modify the configuration file '''$HOME/.ssh/config''':

{{{
Host warp
    Hostname warp-zeuthen.desy.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
}}}

'''GSSAPIAuthentication''' enables passwordless authentication, '''GSSAPIDelegateCredentials''' enables forwarding of the Kerberos ticket to the ssh server.

If you did everything correctly, you should now be able to log in without being asked for a password:

{{{
[notebook] ~ % ssh warp
Last login: Thu May 30 13:22:28 2013 from nomos127.ifh.de
Scientific Linux SL release 6.4 (Carbon)
Info: http://dvinfo.ifh.de/SL6_User_Information
Please report any bugs or problems to uco-zn@desy.de
[elwood-vm4] ~ %
}}}
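Because '''GSSAPIDelegateCredentials''' hands a usable ticket to the remote host, it is worth confirming that it is only enabled for explicitly named hosts such as the "warp" block above. The following check is an added example, not part of the original page or of any DESY tooling; the sample configuration beyond the "warp" block and all function names are constructed for illustration.

```python
import re

# Constructed sample ~/.ssh/config; only the "warp" block comes from the page.
SAMPLE_CONFIG = """\
Host warp
    Hostname warp-zeuthen.desy.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.org build?
    GSSAPIDelegateCredentials = yes

Host *
    GSSAPIAuthentication yes
"""

# ssh_config accepts both "Keyword value" and "Keyword=value".
LINE = re.compile(r"(\w+)\s*=?\s*(.*)")


def delegation_scopes(text):
    """Return [(scope, is_broad)] for every block that enables ticket delegation.

    scope is the Host/Match argument string, or "(global)" for options placed
    before the first Host line. A scope is broad when it can match hosts the
    user did not name explicitly: global options, Match blocks, wildcards.
    """
    scope, broad, found = "(global)", True, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            scope, broad = value, any(c in value for c in "*?")
        elif key == "match":
            scope, broad = "Match " + value, True  # conservative: criteria not evaluated
        elif key == "gssapidelegatecredentials" and value.lower() == "yes":
            found.append((scope, broad))
    return found


def broad_delegations(text):
    """Scopes where a forwarded ticket could reach hosts beyond an explicit list."""
    return [scope for scope, broad in delegation_scopes(text) if broad]


if __name__ == "__main__":
    for scope in broad_delegations(SAMPLE_CONFIG):
        print("GSSAPIDelegateCredentials yes under broad scope:", scope)
```

To audit a real file, pass its contents to `broad_delegations()`; an empty list means delegation is confined to explicitly named hosts.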