Make sure you find all USERNAME placeholders and replace them with your NICE account name !!!

....and as always: If this eats your cat or starts a global thermonuclear war, you are on your own.

Setup lxplus and .cern.ch hosts to use Kerberos tickets

  • Add this to your .ssh/config
# Allow short host names
# You can add further CERN hosts to the next line
Host !*.cern.ch lxplus* aisplus* 
   CanonicalizeHostname yes
   CanonicalDomains cern.ch

Host *.cern.ch
   User USERNAME
   ForwardX11 yes
   # Allow login per Kerberos
   GSSAPIAuthentication yes
   # Transmit AFS token
   GSSAPIDelegateCredentials yes
   # Needed for non FQDNs
   GSSAPITrustDNS yes

# lxplus is a cluster with a shared private ssh key
# stop it from flodding your known_hosts and asking
# every time to check the private key
Host lxplus*.cern.ch aisplus*.cern.ch
   HostKeyAlias cernlxpluskey
   UserKnownHostsFile ~/.ssh/known_hosts.lxplus

Passwordless tickets

Setup keytab

Get a Kerberos ticket without password

  • kinit -kt ~/.keytab USERNAME

Keep tickets up to date

  • krenew -abK 60

Firefox

  • Open about:config
  • Set network.negotiate-auth.delegation-uris to .cern.ch
  • Set network.negotiate-auth.trusted-uris to .cern.ch
  • On the CERN SSO form choose [autologon] next to Sign in using your current Windows/Kerberos credentials
    If a login window appears, run kinit, close the login window, ignore the error message and reload the page

-- BranislavRistic - 2018-01-30

Edit | Attach | Watch | Print version | History: r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r1 - 2018-01-30 - BranislavRistic
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    Main All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback