# Passwordless Login Solution For Thayer Machines
Below are our solutions for passwordless login to the Thayer Linux machines. They work on Linux and OSX but not on non-server versions of Windows, because they rely on generating a keytab file with Kerberos utilities, which Windows ships only with its Server editions.
## Linux
This has been tested on Debian 10 (Buster).
1. Install Kerberos utilities needed to generate keytab file.
```bash=
$ sudo apt-get install krb5-user
```
2. Generate a Kerberos keytab, or "key table". A keytab is a file that contains long-term keys for one or more principals; a client can use it to obtain initial credentials without typing a password. *This only needs to be generated once*, but the key inside it is derived from your password, so it has to be regenerated whenever you change that password, and anyone who can read the file can authenticate as you until you do. By default the generated keytab is readable and writable only by its owner; confirm that with `ls -l`, `chmod 600` it if not, and keep it on encrypted storage.
The `add_entry` command with the `-password` flag adds an entry derived from your password to ktutil's in-memory key list (you will be prompted for the password). The principal is given with `-p`; the Kerberos realm for Thayer machines is `KIEWIT.DARTMOUTH.EDU`. `-k 1` sets the key version number (kvno) to 1 and `-e aes256-cts-hmac-sha1-96` selects the encryption type: AES with a 256-bit key in CTS (ciphertext stealing) mode, with an HMAC-SHA1 integrity tag truncated to 96 bits.
Finally, `write_kt` writes the key list to the named keytab file. You can inspect the result with `klist -k -t -e <absolute-path-to-keytab>/keytab`, which lists each entry's principal, kvno and encryption type.
```bash=
$ ktutil
ktutil: add_entry -password -p <dart_id>@KIEWIT.DARTMOUTH.EDU -k 1 -e aes256-cts-hmac-sha1-96
ktutil: write_kt <absolute-path-to-keytab>/keytab
ktutil: exit
$
```
3. Generate a Kerberos ticket. Before sshing into any babylon server, obtain a ticket-granting ticket (TGT) with `kinit`.
This requests a ticket with a lifetime of 10 hours (`-l 10h`) that can be renewed for up to 1 day (`-r 1d`). The `-f` flag requests a forwardable ticket, one the Key Distribution Center (KDC) will re-issue for a different host so that your credentials can be delegated to the babylon server; the `-K` flag used with `ssh` in step 4 performs that delegation, so the TGT must be forwardable. `-k` tells `kinit` to authenticate with a keytab instead of a password, and `-t <Full Path to Keytab>` says which one.
The ticket is needed only to authenticate the ssh connection; once you are logged in, the local copy expiring does not end the session. The lifetime and renewable life above are sane defaults for a workstation and could be as short as 5 minutes if you ssh in immediately after `kinit`, but note that the copy forwarded to the server has the same expiry, so a very short lifetime also limits how long the server can use it on your behalf. Whatever you ask for is capped by the KDC's own maximum; `klist` shows the lifetime you actually got.
```bash=
$ kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU
```
4. Finally, log in to one of the Thayer machines. The `-K` flag enables GSSAPI authentication and delegates (forwards) your Kerberos credentials to the server, which is why the ticket had to be forwardable.
```bash=
$ ssh -K <dart_id>@babylon1.thayer.dartmouth.edu
```
5. Typing is hard. Type less by adding some convenient aliases to your `~/.bashrc` file.
```bash=
alias babylon1='kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU && ssh -K <dart_id>@babylon1.thayer.dartmouth.edu'
...
alias babylon12='kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU && ssh -K <dart_id>@babylon12.thayer.dartmouth.edu'
```
Not only do you no longer have to type in your password when using `ssh`, but `scp` does not require a password when copying files to and from the Thayer Linux machines either. `scp` has no `-K` flag and does not need one: authenticating with the ticket is enough to copy files, and delegating credentials is not required. If `scp` does prompt for a password, set `GSSAPIAuthentication yes` for these hosts in `~/.ssh/config`.
## OSX
This has been tested on OSX 11.2.3, whose Kerberos tools are Apple's build of Heimdal rather than MIT Kerberos, so the commands differ slightly from the Linux ones. Make sure you are connected to the Dartmouth VPN before starting, otherwise the KDC cannot be found.
1. Kerberos tools are included by default on OSX, so we can skip right to generating our keytab file. Unlike MIT `ktutil` on Debian, Heimdal's `ktutil` takes its arguments on the command line, so a single command generates the keytab. Make sure to provide the absolute path to the keytab file (e.g., `--keytab=/Users/namyamalik/keytab.krb`). `-p` names the principal, `-e` the encryption type and `-V 1` the key version number, matching the Linux `add_entry` command above.
You will be prompted to enter a password. Please enter your Dartmouth SSO password (the one you usually use to ssh into the Babylon Servers).
```bash=
ktutil --keytab=<Full Path to Keytab> add -p <dart_id>@KIEWIT.DARTMOUTH.EDU -e aes256-cts-hmac-sha1-96 -V 1
```
2. Use `kinit` to get a ticket-granting ticket (see above for information on flags).
If you receive the error `kinit: krb5_get_init_creds: unable to reach any KDC in realm KIEWIT.DARTMOUTH.EDU, tried 0 KDCs`, `kinit` could not locate any KDC for the realm. This is a KDC-discovery problem and is unrelated to where the keytab lives; the path given with `-t` is all that matters for the keytab. With no `/etc/krb5.conf` entry for the realm, the KDCs are found through the DNS SRV record `_kerberos._udp.KIEWIT.DARTMOUTH.EDU`, so first check that you are connected to the VPN and that the record resolves. You should not need a `krb5.conf` file in `/etc/` at all; if one exists with a stale `[realms]` section it can cause exactly this error, so move it aside rather than editing around it.
```bash=
kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU
```
3. Finally, log in to one of the Thayer machines.
```bash=
ssh -K <dart_id>@babylon1.thayer.dartmouth.edu
```
You may see a warning: `krenew: error renewing credentials: KDC can't fulfill requested option`. The babylon servers run `krenew` to keep the forwarded ticket alive; this message is the KDC refusing that renewal (KDC_ERR_BADOPTION, normally because the forwarded copy of the ticket is not renewable). It arises because Heimdal on macOS forwards credentials differently from MIT Kerberos on Linux and has nothing to do with the kadmin protocol. You can ignore it: only renewal of the forwarded ticket is affected, not the login itself.
4. Typing is hard. Type less by adding some convenient aliases to your `~/.zshrc` (zsh is the default shell on this version of OSX; use `~/.bashrc` if you run bash).
```bash=
alias babylon1='kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU && ssh -K <dart_id>@babylon1.thayer.dartmouth.edu'
...
alias babylon12='kinit -r 1d -l 10h -f -k -t <Full Path to Keytab> <dart_id>@KIEWIT.DARTMOUTH.EDU && ssh -K <dart_id>@babylon12.thayer.dartmouth.edu'
```
Not only do you no longer have to type in your password when using `ssh`, but `scp` does not require a password when copying files to and from the Thayer Linux machines either. `scp` has no `-K` flag and does not need one: authenticating with the ticket is enough to copy files, and delegating credentials is not required. If `scp` does prompt for a password, set `GSSAPIAuthentication yes` for these hosts in `~/.ssh/config`.
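Both alias lists above (Linux and OSX) run `kinit` unconditionally on every login and spell the same command out twelve times. The shell function below is an added example and not part of the original page: it maps a server number to its hostname, reuses an existing ticket when `klist -s` reports one, refuses to use a keytab that other users can read, and only then runs the `kinit` and `ssh -K` from the steps above. It assumes the principal and keytab path are set in the two variables at the top (`$HOME/.keytab` is an assumed location and `dart_id` a placeholder) and works with both the MIT (Linux) and Heimdal (macOS) tools, which share the `klist -s` and `kinit` options used here.

```shell
# Added example: one function instead of twelve aliases. Source this file from
# ~/.bashrc or ~/.zshrc, edit the two settings, then run e.g. `babylon 3`.
KRB_PRINCIPAL="${KRB_PRINCIPAL:-dart_id@KIEWIT.DARTMOUTH.EDU}"  # placeholder: your <dart_id>@REALM
KRB_KEYTAB="${KRB_KEYTAB:-$HOME/.keytab}"                       # assumed location of the keytab

# Map a server number (1-12) to its hostname. Anything else is rejected so a
# typo never turns into an ssh attempt at a host that does not exist.
babylon_host() {
    case "$1" in
        [1-9]|1[0-2]) printf 'babylon%s.thayer.dartmouth.edu\n' "$1" ;;
        *) printf 'babylon: expected a server number 1-12, got "%s"\n' "$1" >&2; return 1 ;;
    esac
}

# The keytab holds a long-term key equivalent to your password. Accept it only
# if it is a regular file with no group/other permission bits (columns 5-10 of
# `ls -l`, which read the same on GNU and BSD ls).
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Obtain a TGT from the keytab only when the credential cache has no valid one.
# `klist -s` exits 0 (silently) when a valid, unexpired ticket exists; both MIT
# and Heimdal support it.
ensure_ticket() {
    klist -s 2>/dev/null && return 0
    if ! keytab_is_private "$KRB_KEYTAB"; then
        printf 'refusing to use %s: missing or readable by others (chmod 600 it)\n' "$KRB_KEYTAB" >&2
        return 1
    fi
    kinit -r 1d -l 10h -f -k -t "$KRB_KEYTAB" "$KRB_PRINCIPAL"
}

# Usage: babylon 3  ->  ensures a ticket, then ssh -K dart_id@babylon3.thayer.dartmouth.edu
babylon() {
    babylon_target=$(babylon_host "$1") || return 1
    ensure_ticket || return 1
    ssh -K "${KRB_PRINCIPAL%%@*}@$babylon_target"
}
```

Because the ticket check runs first, a second `babylon 5` within the ticket's lifetime goes straight to `ssh` without touching the keytab; `scp` continues to work as described above since the cache already holds a valid ticket.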