@OmeGak
Last active April 26, 2024 21:16
Authentication at CERN made not-an-ordeal (kind of)

AFS Kerberos at CERN

"Kerberos is not the authentication system CERN deserves, but the one we need." - A wise man

This guide aims to ease the pain of setting up Kerberos authentication on your local (Ubuntu) machine so that you can then completely forget about it.

Ready to fight?

First of all, install the following packages if you want to be successful on this journey:

  • openafs-client
  • openafs-modules-dkms
  • openafs-krb5
  • krb5-user
  • krb5-config
  • kstart

Entering the realm

Download the CERN.CH realm configuration for Kerberos from here and copy it all over!

$ sudo cp -f ./krb5.conf /etc/krb5.conf

It's dangerous to go alone! Take your keys!

You need to generate the keytab for your username@CERN.CH in your home folder before proceeding on your adventure.

$ ktutil
ktutil: addent -password -p username@CERN.CH -k 1 -e aes256-cts
ktutil: addent -password -p username@CERN.CH -k 1 -e arcfour-hmac-md5
ktutil: wkt .keytab
ktutil: q

Check your file:

$ ktutil
ktutil: rkt .keytab
ktutil: list

You should see something like this:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1                         username@CERN.CH
   2    1                         username@CERN.CH

Test whether your keytab works. If you get no error message, everything is OK.

$ kinit -kt .keytab username
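The keytab steps above, wrapped in a script as an added example (my code, not the gist's): it emits the ktutil command stream, creates the file under umask 077 so it is owner-readable only from the moment it exists, refuses to append to a keytab that is already there, and verifies the result with klist -k, kinit -kt and a final kdestroy. The optional salt argument anticipates the 2024 comment at the bottom of this thread, where kinit needed an explicit -s. Assumptions: MIT Kerberos tools on PATH, and a ktutil that reads its commands from stdin (readline-linked builds do; if yours does not, paste the lines ktutil_commands prints into an interactive session). Function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original gist: build, lock down and verify a
# CERN.CH keytab in one go. Assumes MIT Kerberos tools (ktutil, klist, kinit,
# kdestroy) on PATH and a ktutil build that reads its commands from stdin.
set -eu

# Emit the command stream for ktutil: one "addent -password" per enctype, each
# followed by the password line that the resulting prompt consumes, then wkt/q.
# Arguments: principal kvno keytab password salt enctype...
# An empty salt means "leave it to ktutil"; some setups need it spelled out.
ktutil_commands() {
  local principal="$1" kvno="$2" keytab="$3" password="$4" salt="$5" etype
  shift 5
  for etype in "$@"; do
    if [ -n "$salt" ]; then
      printf 'addent -password -p %s -k %s -e %s -s %s\n' "$principal" "$kvno" "$etype" "$salt"
    else
      printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$etype"
    fi
    printf '%s\n' "$password"
  done
  printf 'wkt %s\nq\n' "$keytab"
}

# Read the password once without echo, then drive ktutil. umask 077 makes the
# new keytab 0600 from the start: the file is as sensitive as the password.
# wkt appends to an existing file, so an old keytab (possibly with wrong
# entries or loose permissions) is refused rather than extended.
create_keytab() {
  local principal="$1" keytab="$2" salt="${3:-}" password
  if [ -e "$keytab" ]; then
    echo "refusing to append to existing $keytab; remove or fix it first" >&2
    return 1
  fi
  printf 'Password for %s: ' "$principal"
  stty -echo; IFS= read -r password; stty echo; echo
  umask 077
  # arcfour-hmac-md5 is RC4-based and listed only because the gist uses it;
  # drop it once your KDC no longer offers that enctype.
  ktutil_commands "$principal" 1 "$keytab" "$password" "$salt" \
    aes256-cts arcfour-hmac-md5 | ktutil
  unset password
}

# Show what ktutil wrote (principals, enctypes, timestamps), obtain a ticket
# from the keytab without a password prompt, display it, and destroy it so no
# long-lived ticket from this test lingers in the credential cache.
verify_keytab() {
  local principal="$1" keytab="$2"
  klist -k -e -t "$keytab"
  kinit -kt "$keytab" "$principal"
  klist
  kdestroy
}

case "${1:-}" in
  create) create_keytab "${2:?principal}" "${3:?keytab}" "${4:-}" ;;
  verify) verify_keytab "${2:?principal}" "${3:?keytab}" ;;
  "") ;;  # no arguments: only define the functions (file can be sourced)
  *) echo "usage: $0 create PRINCIPAL KEYTAB [SALT] | verify PRINCIPAL KEYTAB" >&2; exit 2 ;;
esac
```

Typical use is `sh mkkeytab.sh create username@CERN.CH ~/.keytab` followed by `sh mkkeytab.sh verify username@CERN.CH ~/.keytab`; pass the salt as a fourth argument to `create` only if kinit reports a salt mismatch.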

Hello AFS

First, make sure cern.ch is your AFS default cell.

$ cat /etc/openafs/ThisCell
cern.ch

Get the openafs client running:

$ sudo /etc/init.d/openafs-client start

You probably want openafs-client to run on boot, in case it doesn't already. You can configure the daemon with:

$ sudo dpkg-reconfigure openafs-client

If you get an 'openafs.ko does not exist' error:

  1. Locate it with: $ sudo locate openafs.ko
  2. Open the openafs config file with: $ sudo vim /etc/openafs/afs.conf.client
  3. Add the directory in the following entry: MODULEDIR='/lib/modules/3.2.0-88-generic-pae/extra/'

Finally, probe your /afs folder:

$ cd /afs

Authenticate that shit!

List your user directory in AFS and you will see you don't have access to your private folder. That's because you haven't authenticated yet.

$ ll /afs/cern.ch/user/u/username
ls: cannot access private: Permission denied
total 2.0K
d????????? ? ?     ?       ?            ? private/
drwxr-xr-x 4 38268 2766 2.0K Aug  8  2013 public/

Release the power of authentication:

$ aklog CERN.CH
$ ll /afs/cern.ch/user/u/username
total 4.0K
drwxr-xr-x 2 38268 2766 2.0K Apr 29  2013 private/
drwxr-xr-x 4 38268 2766 2.0K Aug  8  2013 public/

Forget about Kerberos

Now for the final step. We want the Kerberos ticket to be renewed automatically and the authentication done completely under the hood.

You need to place these two commands in a script that gets executed on startup under your user:

export AKLOG="aklog CERN.CH"
k5start -b -f ~/.keytab -K 10 -l 7d -r CERN.CH -u username -t
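A login-time wrapper around those two commands, as an added example (my code, not the gist's): it refuses to run with a keytab that anyone but the owner can read, avoids launching a second k5start for every new session by keeping a pidfile, and makes the lifetimes explicit parameters with the gist's values as defaults (a stolen ticket is only useful until it expires, so shorter is safer). The paths ~/.keytab and ~/.k5start.pid, the environment variable names and the function names are assumptions of this example; the k5start flags are the ones the gist uses plus -p, which tells k5start where to record its pid.

```shell
#!/bin/sh
# Added example, not part of the original gist: start k5start from a user
# login script only after checking the keytab and whether it already runs.
set -eu

KEYTAB=${KEYTAB:-$HOME/.keytab}             # assumed location
PIDFILE=${PIDFILE:-$HOME/.k5start.pid}      # assumed location
REALM=${REALM:-CERN.CH}
CERN_USER=${CERN_USER:-$(id -un)}           # CERN login if it differs locally
RENEW_MIN=${RENEW_MIN:-10}                  # k5start -K: renewal check interval
LIFETIME=${LIFETIME:-7d}                    # k5start -l: ticket lifetime (gist)

# 0 when the file exists, is owned by the caller and has mode 0600. Anything
# looser means the password-equivalent keytab is readable by others, so the
# caller stops before touching Kerberos at all.
keytab_mode_ok() {
  [ -f "$1" ] || return 1
  [ "$(stat -c '%a' "$1")" = "600" ] && [ "$(stat -c '%u' "$1")" = "$(id -u)" ]
}

# 0 when the pidfile names a process that is still alive.
already_running() {
  local pid
  [ -r "$1" ] || return 1
  pid=$(cat "$1")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

main() {
  if ! keytab_mode_ok "$KEYTAB"; then
    echo "refusing to start: $KEYTAB missing, or not mode 0600 owned by uid $(id -u)" >&2
    return 1
  fi
  if already_running "$PIDFILE"; then
    echo "k5start already running (pid $(cat "$PIDFILE"))"
    return 0
  fi
  # -t runs the AKLOG program after every (re)authentication, which is what
  # turns the Kerberos ticket into an AFS token.
  export AKLOG="aklog $REALM"
  k5start -b -f "$KEYTAB" -K "$RENEW_MIN" -l "$LIFETIME" -r "$REALM" \
    -u "$CERN_USER" -t -p "$PIDFILE"
}

# Only act when invoked as "start"; with no argument the functions are just
# defined, so the file can also be sourced.
if [ "${1:-}" = "start" ]; then
  main
fi
```

Call it as `sh k5start-login.sh start` from whatever your desktop runs at login; set `CERN_USER` first if your CERN login differs from your local account name.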

And with this, sir, you're good to go!

Thanks

To my friend and colleague Adrian Mönnich, who spent quite some time helping me get this thing figured out. Also to Ilias Trichopoulos and Andrea Santamaría who pointed out some errors that may arise in the process. To graipher for adding notes on openafs-client configuration.

Disclaimer

This guide worked for me on Elementary OS Freya (based on Ubuntu 14.04 distro).


@nop33

nop33 commented Sep 5, 2014

I got the following response when I executed

$ sudo /etc/init.d/openafs-client start
Starting AFS services: openafs afsd.
afsd: some file missing or bad in /etc/openafs

Solved by touching a file called ThisCell with the content cern.ch in the /etc/openafs directory.

@gioAlea

gioAlea commented Nov 7, 2014

How to remove a user from the .keytab file if there has been a mistake in entering the credentials? Thanks!

@OmeGak
Author

OmeGak commented Dec 9, 2014

In case you want to remove the first entry of your .keytab file do the following:

$ ktutil
ktutil: rkt .keytab
ktutil: delent 1
ktutil: wkt .keytab
ktutil: q

@graipher

$ sudo /etc/init.d/openafs-client start
does not start the daemon if it is not set to start at system boot.
You need to either manually do
$ sudo /etc/init.d/openafs-client force-start
every time, or use
$ sudo dpkg-reconfigure openafs-client
and configure the daemon to start at system boot.

(Ubuntu 14.10 and openafs-client 1.6.11-0ppa1~ubuntu14.10.1)

@graipher

Also, aavilesd@CERN.CH should probably be replaced by user@CERN.CH or something similar...

@OmeGak
Author

OmeGak commented Aug 18, 2015

Thanks for the tips @graipher!

@jmuf

jmuf commented Aug 14, 2016

  • the whole thing defeats the idea of Kerberos, where super-powerful credentials (those that have full permissions of the user) are only valid for a short time, in case your machine gets hacked. Suggest to instead set up proper Kerberos authentication so that you get fresh credentials whenever you log in or unlock your screen (assuming you do lock your screen..). Much more secure, and also does not require extra password typing.
  • please make sure that your ~/.keytab file is kept secure - this essentially contains your password. Per the CERN computing rules, it is your responsibility to prevent unauthorized access to this file. It should only be readable by the owner. It should not be included in backups (unless encrypted), shipped around as config file, or get stored on a shared filesystem etc.. (unless encrypted)

@graipher

@jmuf A bit more details on the proper kerberos installation would help... Like, what do I do instead of kadmin: addprinc -randkey ftp/lab.example.com@EXAMPLE.COM to add my CERN account credentials? Or is there some documentation about this somewhere?

@ThiefMaster

Tip: Nowadays you can use cern-get-keytab --keytab private/whatever.kt --user --login whatever on lxplus or a similar system to create a keytab without having to use ktutil manually.

@JoschD

JoschD commented Jul 20, 2020

If anyone wants to do this in WSL2 with Ubuntu 20.04:
https://gist.github.com/JoschD/194b3f6c6fcc408684a481fd4a2ff4e5#the-solution

It was a bit tricky

@kratsg

kratsg commented Apr 26, 2024

I found that this doesn't work again, mainly because one needs to provide the salt (see this article):

ubuntu@itkpd:~$ KRB5_TRACE=/dev/stdout kinit -kt .keytab gstark | grep salt
[241761] 1714166110.496945: Selected etype info: etype aes256-cts, salt "CERN.CHgiordon.holtsberg.stark", params ""

and here, I had to create my entries (addent) adding -s "salt" at the end to specify the salt used by kinit.
