
This article lists a few example client application configurations that enable users to connect via SSH using Kerberos authentication.

PuTTY

With Kerberos authentication via Windows OS

  • Log into a Windows machine using your AgResearch AD credentials

  • Open PuTTY and navigate to Connection → SSH → Auth → GSSAPI and configure GSSAPI as indicated below

  • Navigate to Connection → Data and select 'Use system username'

  • Navigate to Session and specify the server you are connecting to. Save the session

  • Click Open and enjoy the SSO

MobaXterm

With Kerberos authentication via Windows OS

  • Ensure you are using the latest version of MobaXterm

  • Open MobaXterm and navigate to Settings → Configuration (global settings, not session settings!)

  • Select the SSH tab and configure the settings as indicated below. Ensure you enter the domain you are going to use, which for AgResearch staff is agresearch.co.nz, and set your default login as username@agresearch.co.nz

  • Click OK

  • Create a new connection and configure it as indicated below. Ensure ‘Specify username’ is set to default (which will be filled in from the global settings). This indicates that the system username (the username you used to log into the workstation) is going to be used. For AgResearch staff the hostname is login-0.eri.agresearch.co.nz.

  • Click OK and connect. If all is well, this should give a shell prompt on login-0 with no need to type a username or password.

Windows Subsystem for Linux (WSL)

Windows Subsystem for Linux is a feature that allows you to use some Linux commands and command-line tools.

WSL is enabled by default on later versions of Windows 10.

You can test whether WSL is installed by opening 'Windows PowerShell' and typing wsl.

Kerberos configuration

The following is required in /etc/krb5.conf inside your WSL distro for ssh to work with Kerberos:

[libdefaults]
  default_realm = AGRESEARCH.CO.NZ
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  dns_lookup_realm = true
  forwardable = true
  rdns = false

[realms]
  AGRESEARCH.CO.NZ = {
    admin_server = c-adc-pv01.agresearch.co.nz:749
    admin_server = c-adc-pv02.agresearch.co.nz:749
    kdc = c-adc-pv01.agresearch.co.nz:88
    kdc = c-adc-pv02.agresearch.co.nz:88
  }

[domain_realm]
  .agresearch.co.nz = AGRESEARCH.CO.NZ
  .eri.agresearch.co.nz = IAM.FLEXI.NESI.ORG.NZ
  agresearch.co.nz = AGRESEARCH.CO.NZ
  eri.agresearch.co.nz = IAM.FLEXI.NESI.ORG.NZ

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
    renew_lifetime = 36000
    ticket_lifetime = 36000
  }

ssh configuration

The following in ~/.ssh/config means less has to be specified on the command line:

Host login-0 login-0.eri.agresearch.co.nz
     HostName login-0.eri.agresearch.co.nz
     # really, use your own username here (comment kept on its own line:
     # older OpenSSH clients do not accept trailing comments)
     User guestsi@agresearch.co.nz
     GSSAPIAuthentication yes

Get a Kerberos ticket

In case klist shows no tickets:

kinit

Connect to the destination utilising the Kerberos ticket

This brief command requires the ssh configuration above:

ssh login-0
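
One way to confirm that the WSL setup above really logs in with Kerberos rather than falling back to a password prompt, as an added example that is not part of the original page. The function names and the script name are illustrative; it assumes the OpenSSH client and a klist that supports -s inside the WSL distro, and that login-0 allows running a single command (true).

```shell
#!/bin/sh
# Added example (not from the original page): verify that ssh to login-0
# authenticates with Kerberos (gssapi-with-mic). Function names are illustrative.

# Reads `ssh -G <alias>` output on stdin; $1 is the expected HostName.
# Succeeds only if the alias resolves to that host with GSSAPI enabled.
check_effective_config() {
    awk -v want="$1" '
        BEGIN { bad = 0 }
        $1 == "hostname"             { host = $2 }
        $1 == "gssapiauthentication" { gss = $2 }
        END {
            if (host != want) { print "HostName is \"" host "\", expected " want; bad = 1 }
            if (gss != "yes") { print "GSSAPIAuthentication is not enabled"; bad = 1 }
            exit bad
        }'
}

# Reads `ssh -v` debug output on stdin and prints the method that succeeded,
# taken from the client's "debug1: Authentication succeeded (<method>)." line.
auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' | head -n 1
}

# End-to-end check: valid ticket, effective config, then a GSSAPI-only login.
verify_login() {
    alias_name=$1 fqdn=$2
    klist -s || { echo "no valid Kerberos ticket: run kinit"; return 1; }
    ssh -G "$alias_name" | check_effective_config "$fqdn" || return 1
    # BatchMode suppresses prompts; only gssapi-with-mic is attempted, so a
    # broken Kerberos setup fails here instead of asking for a password.
    method=$(ssh -v -o BatchMode=yes -o PreferredAuthentications=gssapi-with-mic \
                 "$alias_name" true 2>&1 | auth_method)
    [ "$method" = "gssapi-with-mic" ] || { echo "login did not use Kerberos"; return 1; }
    echo "OK: $alias_name authenticated with $method"
}

# Run as: sh check-krb-ssh.sh run
if [ "${1:-}" = "run" ]; then
    verify_login login-0 login-0.eri.agresearch.co.nz
fi
```
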
