Science and Engineering at the University of Edinburgh

Kerberos - Single-Sign-On within SEE

Kerberos is a secure method for authenticating to a computer network. Kerberos lets a user request an encrypted "ticket" for a Kerberos realm, which can then be used to connect to a service. The user's password does not have to pass through the network, and only needs to be entered once to get the initial ticket.

SEE computers which have Kerberos enabled use the EASE Kerberos realm. This means you use your EASE password to get a Kerberos ticket.

Kerberised Services

The following services within SEE use kerberos for authentication:

Additionally, the following central services also use kerberos:

Setting up Kerberos

Managed Linux (LCFG)

SEE managed Linux computers should automatically receive the correct Kerberos configuration for the EASE realm. You shouldn't need to do any configuration on the computer.

Managed Windows (Machination)

In the Machination Package Manager, install the MIT Kerberos for Windows application.

Unmanaged Linux

You will need to download the following files:

Unmanaged Windows

You will need to download and install the MIT Kerberos for Windows application.

Using Kerberos

Getting a Kerberos Ticket

Linux

On LCFG managed Linux computers, you will get a ticket automatically at login, provided you have logged in using your EASE password.

If you need to get a ticket manually, open a terminal window and type:

kinit username@EASE.ED.AC.UK

To check the status of your ticket, run:

klist

To remove your ticket, run:

kdestroy

Again, you can use klist to confirm this has been successful.

Windows

  • MIT Kerberos for Windows should start automatically at login - if it doesn't, start it now.
  • On the system tray, there should be a small white cube - double-click on this.
  • Select Obtain New Credentials, then enter your username, and set the realm to EASE.ED.AC.UK.

When properly connected, the white cube should show the silhouette of a person, representing your ticket.

You can remove your ticket by double-clicking on the white cube, selecting the ticket and choosing Destroy Credentials.

Specific Applications

SSH

SSH connections within SEE can now authenticate using Kerberos. When you connect to a remote SEE computer, your Kerberos ticket travels with you, meaning you don't need to re-enter a password for ongoing connections to other computers.

Linux SSH (OpenSSH)

For unmanaged Linux computers (not LCFG), you will need to download a specific configuration file for ssh:

  • ssh_config - save as ~/.ssh/config, or system-wide for all users as /etc/ssh/ssh_config.

You will not see a prompt for host authentication, as this is handled by the Kerberos service.
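
The contents of the downloadable ssh_config are not shown on this page. As an added illustration (not the School's file), a client configuration that turns on Kerberos (GSSAPI) authentication and forwards the ticket only to named hosts could look like the following; the host pattern `*.see.example` is a placeholder assumption, and the option names are standard OpenSSH client options.

```sshconfig
# Constructed example, not the SEE ssh_config.
# "*.see.example" is a placeholder pattern: replace it with the hosts
# you actually trust to hold your ticket.
#
# ssh uses the FIRST value it finds for each option, so the specific
# Host block must come before the catch-all "Host *" block.

Host *.see.example
    # Authenticate with the Kerberos ticket obtained via kinit.
    GSSAPIAuthentication yes
    # Forward (delegate) the ticket so onward connections from the
    # remote host need no password. The forwarded ticket is usable on
    # that host for its lifetime, so enable this only for trusted hosts.
    GSSAPIDelegateCredentials yes
    # Try Kerberos first, then fall back to keys or a password.
    PreferredAuthentications gssapi-with-mic,publickey,password

Host *
    # Everywhere else: do not offer Kerberos and never forward a ticket.
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
```

Running `ssh -G hostname` prints the options ssh would actually apply to that host, which is a quick way to confirm that ticket forwarding is enabled only where intended.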

Windows SSH (Putty)

You will need to download a specific version of PuTTY which is Kerberos-enabled - Putty. Simply save this file, and double-click to run it:

  • In Connection -> Data menu, set Auto-login username to be your username.
  • In Connection -> SSH -> Auth tick Allow Kerberos 5 GSSAPI/SSPI Auth (in SSH-2) and Allow Kerberos 5 ticket forwarding in GSSAPI/SSPI (in SSH-2).

Staffmail/SMS Email with Thunderbird

Follow the instructions on configuring Thunderbird at the UCS Email Configurator, making sure to select Off-campus, or for roaming or mobile use. However, you should make the following changes to the instructions as you proceed:

  • 10.b - Ensure that Use Secure Authentication is ticked.

Thunderbird on Windows

As well as the above configuration, you will need to take an additional step:

  • Go to the Edit Menu, and select Preferences -> Advanced
  • Click the Config Editor... button.
  • Type sspi into the Filter box and the option network.auth.use-sspi should appear.
  • Right click on this option and select Toggle to set the value to false.

This tells Thunderbird to use MIT Kerberos for Windows. You should now restart Thunderbird, and you should be able to check your email without needing a password, provided you have a Kerberos ticket.

Last modified Tuesday, 26-May-2009 13:34:55 BST