Kerberos Login for Servers, Pool Computers, and Webservices

Most of the IRB Webservices support passwordless Single Sign-On via Kerberos. This is not only more convenient than conventional username and password login, but also significantly more secure.

In addition, we have disabled authentication with usernames and passwords on our servers and pool computers to further secure logins and offer additional protection of your user credentials.

Note that key-based SSH login isn't possible on pool computers, so we recommend the use of Kerberos. Servers can be accessed with both Kerberos and SSH keys, though we recommend the use of Kerberos.

Please find a list of tutorials regarding the configuration of Kerberos for different Operating Systems and Software below.

Configuring Kerberos on Linux

To set up Kerberos on Linux, first install the necessary software. It's usually available in the repositories of your distribution as "krb5" (Arch Linux, NixOS) or "krb5-user" (Debian, Ubuntu). To simplify day-to-day use, consider placing the following in the file "/etc/krb5.conf":

[libdefaults]
    default_realm = UNI-PADERBORN.DE
    forwardable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d
    dns_lookup_realm = true
    dns_lookup_kdc = true

You will then need to obtain a Kerberos Ticket before your first login. You can do so with the command "kinit example" (or "kinit -f example@UNI-PADERBORN.DE" if you did not configure Kerberos as described above), where "example" is the username of your IMT account. Please provide your IMT password when prompted. Your ticket will be valid for 10 hours.

Login via SSH from Linux

To use Kerberos for SSH logins, you will need to explicitly enable the GSSAPI authentication method. This can be done by adding the following to the file "~/.ssh/config", replacing "example" with your IMT username.

Host *.cs.upb.de *.cs.uni-paderborn.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    User example

# Host patterns are separated by whitespace; the negated ("!") entries keep the
# jump host and the git server themselves from being routed through sshgate.
Host *.cs.upb.de *.cs.uni-paderborn.de !sshgate.* !git.*
    ProxyJump sshgate.cs.uni-paderborn.de

You should now be able to log in (assuming you have obtained a Kerberos Ticket as described above) with the command "ssh example.cs.uni-paderborn.de" even without VPN.
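As an added example (not part of the IRB page), the following POSIX shell wrapper checks the ticket cache before each SSH login: credential delegation through the jump host only works with a forwardable TGT, which "klist -f" marks with the flag F, so the wrapper runs "kinit -f" when the cache holds no valid forwardable ticket. It assumes the MIT Kerberos "klist -f" output format and a hypothetical IMT_USER variable for your IMT username.

```shell
#!/bin/sh
# Added example, not from the IRB page: check the Kerberos ticket cache before an
# SSH login. GSSAPIDelegateCredentials (needed to hop via sshgate) requires a
# forwardable TGT, which "klist -f" (MIT Kerberos output format assumed) marks
# with the flag F. Assumed: IMT_USER holds your IMT username (defaults to $USER).
REALM="UNI-PADERBORN.DE"
IMT_USER="${IMT_USER:-$USER}"

# tgt_flags REALM: read "klist -f" output on stdin and print the flag string of
# the krbtgt ticket for REALM (empty if there is none or no flags are shown).
tgt_flags() {
    awk -v realm="$1" '
        BEGIN { tgt = "krbtgt/" realm "@" realm }
        $NF == tgt { found = 1; next }            # the TGT line itself
        found && /Flags:/ { print $NF; exit }      # "..., Flags: FRIA" follows it
        { found = 0 }
    '
}

# tgt_ok REALM: succeed only if the TGT for REALM is forwardable (flag F).
tgt_ok() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# kssh HOST...: if the cache has no unexpired (klist -s) forwardable TGT, obtain
# a fresh one with kinit -f, then run ssh with the given arguments.
kssh() {
    if ! klist -s 2>/dev/null || ! klist -f | tgt_ok "$REALM"; then
        kinit -f "${IMT_USER}@${REALM}" || return 1
    fi
    exec ssh "$@"
}

# Constructed "klist -f" samples (not real caches) so the check runs offline.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: example@UNI-PADERBORN.DE

Valid starting       Expires              Service principal
01/02/2024 08:00:00  01/02/2024 18:00:00  krbtgt/UNI-PADERBORN.DE@UNI-PADERBORN.DE
        renew until 01/09/2024 08:00:00, Flags: FRIA'
SAMPLE_NOFWD='Default principal: example@UNI-PADERBORN.DE

Valid starting       Expires              Service principal
01/02/2024 08:00:00  01/02/2024 18:00:00  krbtgt/UNI-PADERBORN.DE@UNI-PADERBORN.DE
        Flags: IA'

printf '%s\n' "$SAMPLE_OK"    | tgt_ok "$REALM" && echo "sample 1: forwardable TGT, delegation will work"
printf '%s\n' "$SAMPLE_NOFWD" | tgt_ok "$REALM" || echo "sample 2: not forwardable, kssh would run kinit -f"
```

On a real machine, call it as "kssh <server>.cs.uni-paderborn.de" once the ~/.ssh/config above is in place.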

Configuring Kerberos on Windows

Currently, the configuration of Kerberos for Windows is described only in German. Please use the guideline of the IMT to configure single sign-on (German).

The first step is to install the software package "MIT Kerberos for Windows". You can then acquire Kerberos tickets through that software. When you request a ticket, you will be prompted for the following information:

Field      Required input value
Principal  <your IMT username>@UNI-PADERBORN.DE
Password   <your IMT password>

Login via SSH from Windows

You will require further software packages to create a connection to your VM via SSH. One such software package is PuTTY. Please refer to the guideline of the IMT to configure PuTTY (German).

Firefox supports Kerberos login natively. To enable it, you will need to set the option "network.negotiate-auth.trusted-uris" to "uni-paderborn.de,upb.de,cs.uni-paderborn.de" on the page "about:config".

If you've configured Kerberos and have a valid ticket (see the OS-specific instructions above), then the login to Kerberos-enabled IRB services should work without further password prompts.

To use Kerberos with Google Chrome, the "AuthServerAllowlist" policy has to be configured. Create a JSON file (e.g. kerberos.json) in /etc/opt/chrome/policies/managed/ (or /etc/chromium/policies/managed/ for Chromium) with the following content:

{
  "AuthServerAllowlist": "*.uni-paderborn.de"
}

Additionally, krb5 should be installed on your system.