How To Set Up Kerberos

Kerberos is an authentication protocol that can be used in lieu of passwords when connecting via ssh to Stanford machines, such as xenon. To use Kerberos, you'll also need to install OpenAFS, since this is the filesystem in use at Stanford.

Note: machines provided by the CS department are already configured to use Kerberos and AFS, so all you need to do to enable password-less authentication is run kinit. This tutorial tells you how to set up Kerberos on a machine that is not already configured this way.

This tutorial assumes the user is running Mac OS X. Presumably the technique described here can be modified to work on other operating systems.

Step 1. Configure Kerberos

Kerberos is configured with a preferences file:
/Library/Preferences/edu.mit.Kerberos
The configuration is the same for all computers that need to connect to Stanford machines, so just download this reference copy and move it to the right location.

Step 2. Install OpenAFS

Download OpenAFS, and then run the installer. The install will require a restart.

Step 3. Configure OpenAFS

The only configuration step required for AFS is to specify the local cell. Edit the following file (using sudo):
/var/db/openafs/etc/ThisCell
The entire contents of this file should read:
cs.stanford.edu

Step 4. Configure SSH

Next, you need to enable GSSAPI authentication by default with ssh. This can be done (again using sudo) by editing:
/etc/ssh_config
and adding the following lines:
# System-wide defaults set by MIT Kerberos Extras
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes

Step 5. Run kinit

Finally, all you need to do to get a Kerberos ticket is to run kinit. After this step, you can run ssh (or scp, or svn) without re-entering your password. By default, Kerberos tickets last 24 hours.

If you are curious to know which Kerberos tickets you currently have issued, you can use the klist command, or run the Kerberos application located in /System/Library/CoreServices/Kerberos.
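A check for the Step 4 configuration, as an added example that is not part of the original tutorial: the `Host *` block enables GSSAPIDelegateCredentials for every host ssh connects to, so the script below lists which Host blocks in an ssh client config delegate credentials and marks the ones that match all hosts. Both sample configs are constructed for illustration, and the `*.stanford.edu` pattern in the second one is an assumption.

```shell
# Added example: report which Host blocks delegate GSSAPI credentials.
# Each block is inspected on its own; first-value-wins precedence across
# blocks and Match blocks are not resolved. Reads an ssh_config on stdin.
delegating_hosts() {
  awk '
    function emit() {
      tag = wide ? "WIDE" : "SCOPED"
      if (deleg) print tag, pats
    }
    # Options placed before any Host line apply to every host.
    BEGIN { pats = "(global)"; wide = 1; deleg = 0 }
    # Strip indentation and accept the "Keyword=value" form.
    { sub(/^[ \t]+/, ""); sub(/=/, " ") }
    /^#/ || NF == 0 { next }
    tolower($1) == "host" {
      emit(); pats = ""; wide = 0; deleg = 0
      for (i = 2; i <= NF; i++) {
        pats = (i > 2 ? pats " " : "") $i
        if ($i == "*") wide = 1
      }
      next
    }
    tolower($1) == "gssapidelegatecredentials" { deleg = (tolower($2) == "yes") }
    END { emit() }
  '
}

# Constructed sample 1: the lines from Step 4 of this page.
page_config() {
  cat <<'EOF'
# System-wide defaults set by MIT Kerberos Extras
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes
EOF
}

# Constructed sample 2: delegation limited to an assumed host pattern.
scoped_config() {
  cat <<'EOF'
Host *.stanford.edu
  GSSAPIDelegateCredentials yes
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no
EOF
}
page_config | delegating_hosts; scoped_config | delegating_hosts
```

To audit the file edited in Step 4, run `delegating_hosts < /etc/ssh_config`; a WIDE line means tickets are forwarded to any host that completes GSSAPI authentication.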

Last updated September 27, 2008 by mbostock.