SSH login with Kerberos
You can log into CIP pool computers via SSH using Kerberos (also referred to as GSSAPI).
This is a secure means of authenticating without providing your password to the system you're connecting to (and without having to type in your password each time); instead you use a Kerberos ticket.
For most people this is a niche method, but it is fully supported and may be useful in some cases - particularly if you are working with several SSH connections in a short period of time.
When you log in to a CIP pool computer locally, you will automatically get a Kerberos ticket. In order to get a Kerberos ticket on any other UNIX client (Linux, Mac or WSL on Windows), run
kinit username@fim.uni-passau.de
Insert your FIM username (e.g. gebauers) in place of "username". You may also have to install the "krb5-user" package first.
You will be prompted to enter your FIM password. Once you have done so, you will have a Kerberos ticket that you can use to authenticate to CIP pool computers and other systems that support Kerberos.
To use your Kerberos ticket with SSH, use the "-K" option:
ssh -K username@target.fim.uni-passau.de
Note: Do not use "ssh -K" to connect to machines you do not trust. In addition to authenticating you, the "-K" option forwards a copy of your Kerberos ticket to the target machine. A malicious actor with admin access to the target machine can steal that ticket and use it to log in to your FIM account on other Kerberos-enabled systems.
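The note above can be enforced per host in the OpenSSH client configuration instead of remembering when to type "-K". The following is an added example, not part of the original page: it separates authenticating with a ticket (GSSAPIAuthentication) from forwarding it (GSSAPIDelegateCredentials). The choice of trusted host, the wildcard pattern and the "username" placeholder are assumptions, and whether a login without a forwarded ticket is enough depends on what the target machine needs your ticket for.

```sshconfig
# ~/.ssh/config -- added example; host names and patterns are assumptions.
# ssh uses the first value it finds for each option, so the more specific
# Host block must come before the wildcard blocks.

# A machine you trust: authenticate with the ticket AND forward a copy of it.
# This is the behaviour of "ssh -K".
Host target.fim.uni-passau.de
    User username
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Other hosts in the domain: authenticate with the ticket, but do not
# forward it, so no copy of it is stored on the target machine.
Host *.fim.uni-passau.de
    User username
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Everything else: no Kerberos at all (these are also the OpenSSH defaults).
Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
```

Options given on the command line take precedence over this file, so an explicit "ssh -K" still forwards the ticket to any host. Use "klist" after logging in to a target to see whether a ticket was forwarded there.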
By default, your ticket will expire after a few hours and can be renewed for some time (using the "krenew" command) without entering a password again. You can list your current Kerberos tickets using the "klist" command.
For further documentation, check the Kerberos website.