Single Sign-On with ERISOne for passwordless connections

Overview

Some services at Mass General Brigham allow connections without supplying your password if you have already authenticated. For example, if you are logged in to a Mass General Brigham standard build PC you can connect to your Home Drive without supplying a password, because you are already authenticated to the PARTNERS domain on the PC. This is an example of "Single Sign-on".

Single Sign-on also works with the ERISOne Computing Cluster. This is valuable if you regularly connect to the cluster, or connect from the cluster to other services at Mass General Brigham that allow Single Sign-on with Mass General Brigham credentials.

ERISOne cluster services that support Single Sign-on are

How-to guide

Note that your username with Single Sign-on is different from your email address and your Mass General Brigham ID. The username is your Mass General Brigham ID followed by '@PARTNERS.ORG'. If your Mass General Brigham ID is abc123, then your username for Single Sign-on is abc123@PARTNERS.ORG. On ERISOne the domain part can be omitted, in which case your Single Sign-on ID is simply your Mass General Brigham ID.

Connecting TO ERISOne cluster services using Single Sign-On

From computers running Microsoft Windows

No setup is required if the computer is a Mass General Brigham standard build PC, or if it is joined to the PARTNERS domain.

If the computer is not joined to the PARTNERS domain, it is still possible to use Single Sign-on by setting up MIT Kerberos for Windows according to the following steps:

  • Download and install "MIT Kerberos for Windows 4.0.1" (or newer version) from http://web.mit.edu/kerberos/dist/index.html
  • Open the "Network Identity Manager" from the "Kerberos for Windows" item in the Programs menu
  • Under the Options menu, select "Identities"
  • Click "Add new identity..."
  • Enter your username, and the Realm "PARTNERS.ORG" and click OK

Connections to erisonefs.partners.org network shares will now sign on automatically.

The PuTTY SSH client will use Single Sign-on automatically with erisone.partners.org.

From computers running Mac OS X

No setup is required if the computer is joined to the PARTNERS domain.

If it is not already in the domain, use the Ticket Viewer application to manage your authentication credentials:

One-time setup

  • Open the Finder and select "Go To Folder..." from the "Go" menu
  • Enter "/System/Library/CoreServices" in the "Go to the folder:" dialog box and click "Go"
  • Find the "Ticket Viewer" application and double-click to open it
  • Right-click on the "Ticket Viewer" icon in the Dock, and select "Options" and "Keep in Dock"
    • This step ensures the application can always be opened directly from the Dock in future
  • In the Ticket Viewer application, click "Add Identity", enter your Single Sign-on ID (such as abc123@PARTNERS.ORG) as the Identity and your Mass General Brigham password, then press Continue

Regular usage

Authentication tokens need to be acquired each time you reboot your computer, and may also need to be refreshed after they expire, once per day. To acquire or refresh your token:

  • open the Ticket Viewer app
  • click the circular arrow symbol next to your Mass General Brigham Single Sign-on identity

The SSH client in the Terminal app will now use Single Sign-on when run with the following options (assuming username abc123):

ssh -l abc123 -o GSSAPIAuthentication=yes -o GSSAPITrustDNS=yes -o GSSAPIDelegateCredentials=yes erisone.partners.org

Permanently enable these SSH options for erisone.partners.org by editing your SSH config file as shown in Appendix A.

While it is possible to use the command-line tool "kinit" on a Mac, we recommend using the Ticket Viewer app instead.

From computers running Linux

No setup is required if the computer is joined to the PARTNERS domain.

If it is not already in the domain, install the Kerberos client packages from your Linux distribution.

Acquire an authentication token using the 'kinit' command, then SSH with Single Sign-on to erisone.partners.org:

kinit abc123@PARTNERS.ORG
ssh -l abc123 -o GSSAPIAuthentication=yes -o GSSAPITrustDNS=yes -o GSSAPIDelegateCredentials=yes erisone.partners.org

Permanently enable these SSH options for erisone.partners.org by editing your SSH config file as shown in Appendix A. Set PARTNERS.ORG as the default realm by configuring /etc/krb5.conf to include the settings shown in Appendix B at the end of this article.
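The kinit and ssh steps for Mac OS X and Linux above, wrapped as an added example (not from the KB article): a ticket is requested only when the cache has no valid one, and the Appendix A entry is written to the SSH config only once. The host name and realm are the article's; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: wrap the kinit + ssh steps so a
# ticket is acquired only when the cache lacks a valid one, and make the
# Appendix A ssh config entry idempotent. Host and realm are the article's;
# function names are assumptions.

ERIS_HOST="erisone.partners.org"
REALM="PARTNERS.ORG"

# Accept either form of the Single Sign-on ID: "abc123" or "abc123@PARTNERS.ORG".
sso_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$REALM" ;;
    esac
}

# The ssh login name is the bare Mass General Brigham ID (no realm).
sso_user() {
    printf '%s\n' "${1%%@*}"
}

# Append the Appendix A block to config file $1 for ID $2, unless a Host entry exists.
ensure_ssh_config() {
    cfg="$1"; user=$(sso_user "$2")
    if grep -qx "Host $ERIS_HOST" "$cfg" 2>/dev/null; then
        return 0
    fi
    {
        printf 'Host %s\n' "$ERIS_HOST"
        printf '  User %s\n' "$user"
        printf '  GSSAPIAuthentication yes\n'
        printf '  GSSAPITrustDNS yes\n'
        # Forwards your TGT to the cluster; needed for the "Connecting FROM" section,
        # but it means the cluster node then holds a usable copy of your credential.
        printf '  GSSAPIDelegateCredentials yes\n'
    } >> "$cfg"
}

# klist -s exits non-zero when there is no unexpired ticket, so kinit runs only then.
connect() {
    klist -s 2>/dev/null || kinit "$(sso_principal "$1")" || return 1
    ssh -l "$(sso_user "$1")" -o GSSAPIAuthentication=yes -o GSSAPITrustDNS=yes \
        -o GSSAPIDelegateCredentials=yes "$ERIS_HOST"
}
```

Run `connect abc123` from a terminal; `ensure_ssh_config ~/.ssh/config abc123` writes the Appendix A block once.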

Connecting FROM the ERISOne cluster to other Mass General Brigham services using Single Sign-On

  • Acquire an SSH terminal on the ERISOne cluster
    • The terminal should be on one of the login nodes, remote desktop nodes or filemove nodes (names beginning with eris1n, rgs and eris1fs)
  • Now acquire an authentication token:

kinit
Password for abc123@PARTNERS.ORG:

  • View the authentication tokens available to you, and their expiry dates:

klist
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: abc123@PARTNERS.ORG

  • Use the token to connect to a file share without supplying a password
    • In this example by adding the -k flag to the smbclient command:

smbclient -U PARTNERS/abc123 //SFA9.PARTNERS.ORG/ashare$ -k
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
smb: \> ls
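The klist step above, as an added example (not from the KB article): before relying on the forwarded ticket with smbclient -k, read the cache path and default principal out of the klist output, confirm the principal is in PARTNERS.ORG, and confirm the cache file is readable only by you. The realm and the klist line formats are the article's; the function names and the use of $USER are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: sanity-check the Kerberos credential
# cache on an ERISOne node before passing -k to smbclient. Realm and the
# "Ticket cache:" / "Default principal:" lines are the article's; function
# names and the $USER login name are assumptions.

REALM="PARTNERS.ORG"

# "Ticket cache: FILE:/tmp/krb5cc_1234567" -> /tmp/krb5cc_1234567 (klist output on stdin).
ccache_path() {
    sed -n 's/^Ticket cache: *FILE:\(.*\)$/\1/p' | head -n 1
}

# "Default principal: abc123@PARTNERS.ORG" -> abc123@PARTNERS.ORG
default_principal() {
    sed -n 's/^Default principal: *\(.*\)$/\1/p' | head -n 1
}

# A forwarded TGT is a bearer credential: the cache file must be mode 0600.
ccache_private() {
    path="$1"
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ]
}

# Given klist output in $1: 0 when the ticket is usable, 1 if unparsable,
# 2 if the principal is in another realm, 3 if the cache is not private.
check_ccache() {
    out="$1"
    path=$(printf '%s\n' "$out" | ccache_path)
    princ=$(printf '%s\n' "$out" | default_principal)
    [ -n "$path" ] && [ -n "$princ" ] || return 1
    [ "${princ##*@}" = "$REALM" ] || return 2
    ccache_private "$path" || return 3
}

# On the cluster: refresh the ticket if needed, verify the cache, then use -k
# instead of a password. $1 is the share, e.g. //SFA9.PARTNERS.ORG/ashare$
smb_with_ticket() {
    share="$1"
    klist -s 2>/dev/null || kinit || return 1
    check_ccache "$(klist)" || return 1
    smbclient -U "PARTNERS/${USER}" "$share" -k
}
```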

Appendix A: Making Single Sign-on the default for SSH on Mac OS X and Linux

In the file ".ssh/config" in your home directory, append the following lines to enable Single Sign-on by default. This assumes a Mass General Brigham ID of abc123:

Host erisone.partners.org
  User abc123
  GSSAPIAuthentication yes
  GSSAPITrustDNS yes
  GSSAPIDelegateCredentials yes

Appendix B: Configuration settings for the PARTNERS domain

[libdefaults]
 default_realm = PARTNERS.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 10h
 forwardable = true

[domain_realm]
 partners.org = PARTNERS.ORG
 .partners.org = PARTNERS.ORG
Go to KB0028030 in the IS Service Desk