#pragma section-numbers on
This page collects information to optimize your notebook setup for easier work with the DESY computing infrastructure.

= Single-Sign-On (SSO) =
Access to DESY computing resources is protected by your account/password combination. However, you don't need to enter your password each and every time you open a fresh connection from your client to a DESY system. All you have to do is enable [[https://en.wikipedia.org/wiki/Kerberos_(protocol)|Kerberos authentication]]. Once your client is set up correctly, you get passwordless access to the following services:
 * ssh to "warp" and "pub" systems
 * authenticated access to some kerberos-enabled web servers
 * [[Subversion Repositories|DESY Subversion server]]
On DESY-managed systems this setup is preconfigured.

== Basic configuration ==
MacOSX systems typically have the Kerberos5 client programs already installed. Linux systems need to install a package typically named "krb5-user" (Debian/Ubuntu) or "krb5-workstation" (Red Hat/Fedora/Scientific Linux) - see the documentation of your distribution to find out. The system-wide configuration is located in different locations depending on your client:
 * on MacOSX: /Library/Preferences/edu.mit.Kerberos
 * on Linux: /etc/krb5.conf
It should look like this for DESY access:
{{{
[libdefaults]
        default_realm = IFH.DE
        ticket_lifetime = 25h
        renew_lifetime = 30d
        forwardable = true
        noaddresses = true

[domain_realm]
        .ifh.de = IFH.DE
        .zeuthen.desy.de = IFH.DE
        .desy.de = DESY.DE
}}}
'''forwardable = true''' is what allows the ticket forwarding used by the ssh configuration below; '''ticket_lifetime''' and '''renew_lifetime''' are only what the client asks for, the KDC caps them at the site's policy. The '''[domain_realm]''' section maps host names to the kerberos realm that is responsible for them.

/!\ NOTE: Zeuthen (IFH.DE) & Hamburg (DESY.DE) computing resources still reside in independent kerberos realms.

You can now fetch a so called kerberos ticket by issuing '''kinit'''. You have to enter your DESY password once.
See this example:
{{{
[notebook] ~ % kinit ahaupt
ahaupt@IFH.DE's Password:
[notebook] ~ % klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ahaupt@IFH.DE

  Issued                Expires               Principal
May 30 15:49:36 2013    May 31 16:49:36 2013  krbtgt/IFH.DE@IFH.DE
}}}
Verify your freshly created ticket with the '''klist''' command. Kerberos tickets at DESY have a maximum lifetime of 25 hours for security reasons. However, you can renew your ticket without a password for up to 30 days by invoking '''kinit -R''', as long as your current ticket hasn't expired yet. Renewal extends the expiry of the existing ticket; it never extends beyond the renew lifetime counted from the original '''kinit'''. There are GUI programs available for Linux (krb5-auth-dialog) and MacOSX that do this automatically in the background for you.

== ssh configuration ==
ssh access to Zeuthen computing resources is available via the [[Warp_Login_Usage|warp cluster]]. Read its documentation for further details.

To make your ssh client kerberos-aware, you'll basically need to create/modify the configuration file '''$HOME/.ssh/config''':
{{{
Host warp
    Hostname warp-zeuthen.desy.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
}}}
'''GSSAPIAuthentication''' enables passwordless authentication, '''GSSAPIDelegateCredentials''' forwards your kerberos ticket to the ssh server, which you need there to obtain AFS tokens or to ssh onwards without a password. Because a forwarded ticket lets the server act on your behalf until it expires, enable delegation only for hosts you trust with your identity, i.e. in a specific `Host` block as above rather than under `Host *`.

In some versions of ssh the GSSAPI implementation is incompatible with alias host names such as warp-zeuthen.desy.de. In this case you'll probably need to add the option '''GSSAPITrustDns yes''' to this file. Be aware that this option makes ssh trust the DNS canonical name lookup when it derives the server's kerberos principal, so a spoofed DNS answer could steer your client to the wrong service principal. Consult the ssh_config man page for details.
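Since '''GSSAPIDelegateCredentials''' hands your forwardable ticket to every host the enclosing `Host` block matches, it is worth checking that it is never enabled under a wildcard. The following shell function is an added example and not part of this page or of the DESY setup: it reads ssh_config syntax and reports every `Host`/`Match` block (or the global scope before any block) that enables delegation for a wildcard pattern. The two sample configurations are constructed for the demonstration; the safe one is the per-host form recommended above.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an ssh client config
# for kerberos credential delegation enabled under a wildcard Host block.
# GSSAPIDelegateCredentials forwards your (forwardable) TGT to the server,
# so it should only be enabled for hosts you trust with your identity.

# ssh_gssapi_lint [FILE]
#   Reads ssh_config syntax from FILE (stdin if omitted). Prints one line for
#   every Host/Match block that enables GSSAPIDelegateCredentials for a
#   wildcard pattern, for "Match all", or outside any block.
#   Returns 1 if any such block was found, 0 otherwise.
ssh_gssapi_lint() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, accept Key=value
        NF == 0 { next }
        tolower($1) == "host" || tolower($1) == "match" {
            block = ""
            for (i = 2; i <= NF; i++) block = block (i > 2 ? " " : "") $i
            is_match = (tolower($1) == "match")
            next
        }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" {
            if (block == "")                 scope = "(global, before any Host block)"
            else if (block ~ /[*?]/)         scope = block
            else if (is_match && tolower(block) ~ /(^| )all( |$)/) scope = block
            else next
            bad++
            print "GSSAPIDelegateCredentials yes applies to: " scope
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample: the per-host form recommended on this page (safe).
SAFE_CONFIG='Host warp
    Hostname warp-zeuthen.desy.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

# Constructed sample: the tempting shortcut that delegates to every host.
RISKY_CONFIG='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials=yes
Host warp
    Hostname warp-zeuthen.desy.de
'

# Usage on your own client: ssh_gssapi_lint ~/.ssh/config
```

The awk script only understands the `Host` and `Match` block structure of ssh_config; `Include` directives are not followed, so run it against each included file as well if you use them.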
If you did everything correctly, you should now be able to log in without being asked for a password:
{{{
[notebook] ~ % ssh warp
Last login: Thu May 30 13:22:28 2013 from nomos127.ifh.de
Scientific Linux SL release 6.4 (Carbon)
Info: http://dvinfo.ifh.de/SL6_User_Information
Please report any bugs or problems to uco-zn@desy.de
[elwood-vm4] ~ %
}}}

== Screen sessions with up-to-date kerberos tickets and AFS tokens ==
Screen sessions typically suffer from expiring kerberos tickets and AFS tokens after running unattended for more than a day.

/!\ The following recipe should be used with care: expiring tickets/tokens are a security feature to reduce the impact of stolen credentials. A session that renews its ticket for up to 30 days keeps a stolen copy of that ticket usable for just as long.

The AFS client handles tokens in so called "PAG"s (Process Authentication Group). A new screen session should therefore always be started within a separate PAG. The following two scripts should provide a fully functional screen session with self-renewing AFS tokens and kerberos tickets (attached here for your convenience [[attachment:screen-pag]] [[attachment:screen-afs-creds]]):

screen-pag:
{{{#!highlight bash
#!/bin/bash
# Start a screen session inside its own AFS PAG, together with a helper that
# keeps the kerberos ticket (and with it the AFS token) renewed.
if [ -z "$1" ] ; then
    echo "usage: $0 <session-name>"
    exit 1
fi
session_name=$1
screen_afs=$(mktemp)
# XXX: adapt path to script according to your installation
install -m 0700 ~/scripts/screen-afs-creds "$screen_afs"
# remember the current credential cache so the helper can copy it into the PAG
# (fall back to the library default cache if KRB5CCNAME is not set)
export SAVE_KRB5CCNAME=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
exec pagsh -c "screen -S $session_name $screen_afs"
}}}

screen-afs-creds:
{{{#!highlight bash
#!/bin/bash
# Runs inside the new PAG: seed this PAG's credential cache from the cache
# saved by screen-pag, then renew the ticket in the background until the
# screen session ends.
src=${SAVE_KRB5CCNAME##FILE:}
dst=${KRB5CCNAME##FILE:}
[ "$src" != "$dst" ] && install -m 0600 "$src" "$dst"
# pid of this script; it stays the same after the exec below, so the loop
# can use it to detect the end of the screen session
export PP=$$
while true ; do
    # tests whether the kerberos ticket is still valid
    # (Heimdal klist; with MIT kerberos use "klist -s" instead)
    klist --test || exit 1
    # renew the ticket; Heimdal's kinit also refreshes the AFS token
    # (with MIT kerberos run "aklog" afterwards)
    kinit -R
    sleep 36000
    # tests whether the screen session is still running
    # (just in case the screen session terminated abnormally)
    kill -s 0 $PP || exit 0
done > /dev/null 2>&1 < /dev/null &
exec $SHELL -l
}}}

Then start the screen session named "screen-session-1" with:
{{{
[your-wgs] ~ % screen-pag screen-session-1
}}}

== tmux sessions with up-to-date kerberos tickets and AFS tokens ==
If you prefer to use the more modern tmux instead of screen, these scripts do the same: [[attachment:tmux-pag]] [[attachment:tmux-afs-creds]]

== Subversion ==
The DESY subversion server provides kerberos-authenticated access. Details are explained here: [[https://svnsrv.desy.de/access.html#k5|]]
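The screen and tmux helper scripts above copy the credential cache into the new PAG by stripping the `FILE:` prefix from '''$KRB5CCNAME'''. That only works for file-based caches: on clients whose kerberos library defaults to a `KEYRING:`, `DIR:` or `KCM:` cache the stripped name is not a path at all, and with '''$KRB5CCNAME''' unset the copy silently targets an empty string. The following shell functions are an added example, not part of this page or of the DESY scripts: they resolve a cache name to its on-disk path, refuse non-file cache types with a clear message, and copy a cache with mode 0600 without tripping over a cache being copied onto itself. The fallback `/tmp/krb5cc_<uid>` is the usual MIT/Heimdal default and is an assumption here; a site krb5.conf may set a different `default_ccache_name`.

```shell
#!/bin/sh
# Added example, not part of the original page: resolve and copy a kerberos
# credential cache the way the screen-pag / screen-afs-creds helpers need to.
# Those helpers use ${KRB5CCNAME##FILE:}, which yields garbage when
# KRB5CCNAME is unset or names a non-file cache (DIR:, KEYRING:, KCM:, ...).

# krb5_cache_path [NAME] [UID]
#   Prints the on-disk path for cache NAME (default: $KRB5CCNAME).
#   Returns 1 for cache types that are not a single file.
krb5_cache_path() {
    name=${1:-${KRB5CCNAME:-}}
    uid=${2:-$(id -u)}
    case "$name" in
        # unset: library default (assumption: MIT and Heimdal both use this
        # unless krb5.conf sets default_ccache_name)
        '')      printf '%s\n' "/tmp/krb5cc_$uid" ;;
        FILE:*)  printf '%s\n' "${name#FILE:}" ;;
        # a bare absolute path is an implicit FILE: cache
        /*)      printf '%s\n' "$name" ;;
        DIR:*|KEYRING:*|KCM:*|API:*|MEMORY:*)
                 printf 'cache "%s" is not a single file\n' "$name" >&2
                 return 1 ;;
        *)       printf 'unrecognised cache name "%s"\n' "$name" >&2
                 return 1 ;;
    esac
}

# krb5_cache_copy SRC_NAME DST_NAME
#   Copies the cache file behind SRC_NAME to the path behind DST_NAME with
#   mode 0600 (the cache is a bearer credential; keep it private). Copying a
#   cache onto itself is a no-op instead of an install(1) error.
krb5_cache_copy() {
    src=$(krb5_cache_path "$1") || return 1
    dst=$(krb5_cache_path "$2") || return 1
    [ -r "$src" ] || { printf 'no readable cache at %s\n' "$src" >&2; return 1; }
    [ "$src" = "$dst" ] && return 0
    install -m 0600 "$src" "$dst"
}

# Usage inside a PAG helper (SAVE_KRB5CCNAME set by the launcher script):
#   krb5_cache_copy "$SAVE_KRB5CCNAME" "$KRB5CCNAME" || exit 1
```

If `krb5_cache_path` refuses your cache type, switch the session to a file cache before launching the helper, e.g. `export KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u)_screen` followed by a fresh '''kinit'''; the renewal loop then has a plain file it can copy and keep alive.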