Charles Plager's Windows Kerberos at FNAL page
Note: This page is no longer maintained. A more recent
set of instructions may be found at
http://home.fnal.gov/~jamieson/cygwin.html.
- Kerberized SSH (see the short list for the impatient).
- Kerberized SSH if you already have Cygwin installed.
- SCP problems with Cygwin
- FTP
- Perl script that automatically
updates krb5.conf file
(this file is no longer necessary
with the current version of kerberos from FNAL;see below)
Short List of Kerberizing for the Impatient
-
Download Fermi's
Kerberized ssh zip file
- Unzip it and put it in c:\Program Files\Cygwin_kerberos
(you will have to make that directory.
- Download and save these bat files:
- Edit fnal.bat and scp.bat so that
- SET USER=Your user name
- SET HOST=The host you want
- Make a shortcut of fnal.bat on your desktop to make easy access.
- Run it
SSH - More Details
In order to be able to ssh from your windows box into machines at
FNAL.GOV:
- Download Fermilab's Cygwin
kerberos utilities and kerberized ssh.
- Unzip it and put it in a directory.
- Note: If you have Cygwin installed, see the
instructions below. Do NOT put any of
the .dlls from the zip file in a directory that is in path for
Cygwin.
- Note: With the latest download of Fermilab's kerberized
ssh/scp, you no longer need to edit your krb5.conf file when you are
behind a NAT router. Simply get a ticket using kinit -n.
The following instructions are for people with older versions of
kerberos.
Edit krb5.conf file so that there
is a line under '[libdefaults]' that says
proxy_gateway = 65.42.86.66
where 65.42.86.66 is the IP address that your wireless
router thinks you have. If you are not behind a NAT router
(e.g. wireless router at home), you do not need to do this. You can
leave the IP address of your router at home in when your computer is
at work.
Go to a command line window (-r then type 'cmd'), ask your
laptop what your IP number is ('ipconfig'). If it starts with
192.168, you are behind a NAT router and you need to figure out what
it's IP address is (you can usually log into your router using your
web browser, for example, or visit www.myipaddress.com).
Note 1: If you have perl and LWP installed on your computer, you
can modify this Perl script to update your
krb5.conf file automatically.
Note 2: First, the IP address of your router can change with very
little notice. If you find that the following script starts asking
you for your password on fcdflnx2, this is probably what happened.
Just repeat the above procedure. Second, if you are not behind a NAT
router, you do not need to update the proxy_gateway line. In my case,
I always have my proxy_gateway as my routers IP address, even when my
laptop is at FNAL.
- I then use the following batch file:
____fnal.bat____
@ECHO OFF
SET KRB5_CONFIG=.\krb5.conf
SET KRB5CCNAME=FILE:.\krb5_cc_cache
REM
SET USER=cplager
SET HOST=fcdflnx2.fnal.gov
SET DISPLAY=localhost:0
Echo Starting SSH connection to %HOST%...
.\klist -s
IF NOT ERRORLEVEL 1 GOTO GOTCRED
REM Request a TGT for current/requested user
.\kinit -n %USER%
IF ERRORLEVEL 1 GOTO ABORT
:GOTCRED
.\ssh -X -l %USER% %HOST%
GOTO DONE
:ABORT
ECHO KINIT FAILED!
:DONE
Note 1: If your computer gets a new IP address, but your old
ticket has not expired, the above batch file will not ask you for your
kerberos password because it looks as if you have a valid ticket.
When you try to ssh into a computer, you will be asked for your
password on that computer because the IP address in your ticket is
different than your current IP address. If this happens, use this batch file (saved in the same directory as
the rest of your Cygwin kerberos), to destroy your tickets. When you
run fnal.bat, you will be prompted for your
kerberos password and everything should be fine. If you are still
having troubles and are behind a NAT (e.g. wireless) router, check
that your current IP address is in your krb5.conf
file (as seen above).
Note 2: The ' -n' in the kinit' command should
give you what is called an addressless ticket and therefore not
require you to play with the 'proxy_gateway'.
- You should be ready to go. To make sure that you are tunnelling,
check your display (unix> echo $DISPLAY). If you see
fcdflnx2.fnal.gov:22 where 22 could be any integer
> 10, then you are set and everything should be good to go. If
not...
If you are running Exceed or some other X Window manager, you can
simply start up an xterm from the ssh login (unix> xterm
-ls&). For a free X Window manager, check out Cygwin and XFree86. XFree86 is not perfect,
but it's much, much better than nothing.
Debugging Problems
After editting fnal.bat, it should run simply by
double-clicking on it. If it doesn't work, however, the window will
disappear making debugging the problem difficult.
To get around this problem, run the batch script from the
cmd.exe window. Using the Windows start button, select
Run.... When the window pops up, type cmd.exe. In
the command window, cd "c:\Program Files\Cygwin_kerberos".
Now run fnal.bat. This will at least let you get the error
message.
Some common error messages:
- kinit: Preauthentication failed while getting initial credentials
- It didn't like your password.
- Clock skew too great
- The time on your computer is more than 5 minutes from the
correct time. One common cause of this is not having the correct time
zone set. It doesn't matter which time zone your computer is set for,
but it needs to be consistent. One common problem is that your
computer is set for the correct time at FNAL, but it is set in the EDT
time zone. In any case, if you are getting these errors, check your
clock settings. If you have no other way, this
image has the exact time for Central (FNAL) time zone.
| Official Time |  |
|---|
| Your Computer Time |
|
|---|
Kerberos with Cygwin
Note: This page is no longer maintained. A more recent
set of instructions may be found at
http://home.fnal.gov/~jamieson/cygwin.html.
Cygwin is a unix-like environment
for windows that I highly recommend (please see my Hints for setting up Cygwin page). Not only
does it come with (if you choose) bash, emacs, xterm, latex, gcc,
etc. but you can get special Cygwin versions of root as well as build
your own versions of many linux-based software. Enough of the
advertising.
Before starting, cd to /bin and copy
ssh.exe to ssh_standard.exe. From the Cygwin,
copy the following files to your /bin area (usually found in
c:\Cygwin\bin):
- kinit.exe
- klist.exe
- kdestroy.exe
- ssh.exe
- krb5.conf
Copy the new versions of ssh.exe to ssh_kerb.exe
(When you update Cygwin, it may decide that the kerberized versions of
ssh and scp are simply old and replace them. If this happens, just
copy the _kerb versions back.). Put the following lines in
your .bashrc file: export KRB5_CONFIG=/bin/krb5.conf
export KRB5CCNAME=FILE:/bin/krb5_cc_cache
Start a new bash window, do a kinit and you should be ready
to go with ssh. Remeber, if you are using X-Windows, you
want to use:
ssh -X user@host.edu.
See above for help with the krb5.conf file.
Notes:
- Do NOT put any of the .dlls from the .zip in a
directory that is in path for Cygwin.
- For more kerberos clients (e.g., rcp, ftp) for Cygwin,
see Axel Naumann's download directory.
SCP problems With Cygwin
Version of scp.exe
The version of scp that comes with the FNAL zip file doesn't work with
a full installation of Cygwin (it does work with the command prompt
using this scp.bat batch file if you run it in
the same directory where the kerberos files are installed). If you
are using scp with Cygwin, please grab this version
of scp.exe. Do not grab this version if
you are putting your files in c:\Program
Files\Cygwin_kerberos; keep the version that comes in the tar
ball.
Copying Large Files
I have had problems copying large (> 500 Mb) files
using scp; it gets 99% of the way through and then it hangs.
To get around this, I wrote a simple Perl script,
scp.pl that uses ssh
and tar to pull files from linux computers to my Windows
computer.
cplager@PointyIII> scp.pl
Usage: scp.pl computer.inter.net direc/tory file1 file2 file*3
File Transfers
There is a nice Kerberized FTP client called
Filezilla.
The following instructions are a little
unpolished.
Note: I have not been able to get
Filezilla to work from behind a NAT router. It works great, however
from inside FNAL. Since getting ssh and scp above
to work, however, I have stopped using Filezilla.
- Get Leash32 from MIT.
- Unzip Leash32 and put it somewhere on your computer. Some hints:
- delete the file krbv4w32.dll
- Put the directory with the kerberos executable in your path
- The following instructions work for Windows XP. It is
close for other flavors of windows.
- Right-click on My Computer and choose
Properties
- Choose the Advanced tab and click on Environment
Variables
- Select the Path variable in the list of System
Variables and click on Edit
- Go to the end of the Variable value and add
;c:\MyKerberosDirectory
(Don't forget the ;
(semi-colon) at the beginning and hit Cancel if you are afraid
that you have messed it up.).
- Hit the OK (three times)
- Run Leash32
- In the Options menu, choose Kerberos V5
properties
- Change the configuration file to point at the same
file krb5.conf you used above in ssh installation
- Choose Get Ticket in the Action
menu. Enter username@FNAL.GOV and your password where
appropriate.
- For a different/more complete explination, see Fermi's
Configure Leash32 page
- Click on Filezilla and
download the latest version (you want Filezilla, not
Filezilla Server or System DLL updater).
- Install this program.
- Get kerberos ticket
- Run Filezilla.
- Go to Settings in the Edit file menu.
- Make sure Passive Mode is checked in Firewall
Settings
- Go down to'Connections/GSS support' and make sure
'Enable Kerberos GSS support' is checked. Take out
mit.edu and put in fnal.gov
- Connect to your favorite server.
- Choose Site Manager in the File Menu
- Click new site.
- For Logontype Select Normal and check
Bypass proxy settings
- Enter your username but leave password blank.
- Connect.
Last modified: Mon Aug 20 07:24:09 CDT 2007
by Charles Plager.