Achtung:

Sie haben Javascript deaktiviert!
Sie haben versucht eine Funktion zu nutzen, die nur mit Javascript möglich ist. Um sämtliche Funktionalitäten unserer Internetseite zu nutzen, aktivieren Sie bitte Javascript in Ihrem Browser.

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft Show image information

Studierende in den Seminarräumen des O-Gebäudes, Foto: Universität Paderborn, Fotografin: Judith Kraft

Kerberos Login for Servers, Pool Computers, and Webservices

Most of the IRB Webservices support passwordless Single Sign-On via Kerberos. This is not only more convenient than conventional username and password login, but also significantly more secure.

In addition, we have disabled authentication with usernames and passwords on our servers and pool computers to further secure logins and offer additional protection of your user credentials.

Note that key-based SSH Login isn't possible on Pool Computers, so we recommend the use of Kerberos. Servers kan be accessed with both Kerberos and SSH Keys, though we recommend the use of Kerberos.

Please find a list of tutorials regarding the configuration of Kerberos for different Operating Systems and Software below.

Setup for Linux / SSH

Configuring Kerberos

To set up kerberos on linux, first install the necessary software. It's usually available in the repositories of your distribution as "krb5" (archlinux, nixos) or "krb5-user" (debian, ubuntu). To simpify day-to-day use, consider placing the following in the file "/etc/krb5.conf":

[libdefaults]

default_realm = UNI-PADERBORN.DE

forwardable = true

ticket_lifetime = 10h

renew_lifetime = 7d

dns_lookup_realm = true

dns_lookup_kdc = true

You will then need to obtain a Kerberos Ticket before your first login. You can do so with the command "kinit example" (or "kinit -f example@UNI-PADERBORN.DE" if you did not configure Kerberos as described above), where "example" is the username of your IMT account. Please provide your IMT password when prompted. Your ticket will be valid for 10 hours.

Login via SSH

To use Kerberos for SSH logins, you will need to explicitly enable the GSSAPI authentication method. This can be done by adding the following to the file "~/.ssh/config", replacing "example" with your IMT username.

Host *.cs.upb.de *.cs.uni-paderborn.de

    GSSAPIAuthentication yes

    GSSAPIDelegateCredentials yes

    User example

Host *.cs.upb.de *.cs.uni-paderborn.de,!sshgate.*,!git.*

    ProxyJump sshgate.cs.uni-paderborn.de

You should now be able to log in (assuming you have obtained a Kerberos Ticket as described above) with the command "ssh example.cs.uni-paderborn.de" even without VPN.

Setup for Windows / SSH

Configuring Kerberos

Currently, the configuration of Kerberos for Windows is described only in German language. Please use the guideline of the IMT to configure single-sign-on (German).

The configuration as a first step requires the installation of the software package "MIT Kerberos for Windows". Afterwards you can acquire Kerberos tickets via the software. When you request a ticket you will be prompted for the following information:

Field Required input value
Principal <your IMT username>@UNI-PADERBORN.DE
Password <your IMT password>

Login via SSH

You will require further software packages to create a connection to your VM via SSH. One such software package is PuTTY. Please refer to the guideline of the IMT to configure PuTTY (German).

Setup for Firefox

Firefox supports Kerberos Login natively. To enable it, you will need to set the option "network.negotiate-auth.trusted-uris" to  "uni-paderborn.de,upb.de,cs.uni-paderborn.de" on the page "about:config".

If you've configured Kerberos and have a valid Ticket (see the OS-specific instructions above) then the Login to Kerberos-enabled IRB Services shouldwork without further password prompts.

The University for the Information Society