Single Sign-On with ERISTwo for passwordless connections

Overview

Some services at Mass General Brigham allow connections without supplying your password if you have already authenticated. For example if you are logged in to a Mass General Brigham standard build PC you will be able to connect to your Home Drive without supplying a password, because you are already authenticated to the PARTNERS domain on the PC.  This is an example of "Single Sign-on".

Single Sign-on works with the ERISTwo Computing Cluster also.  This is valuable if you regularly connect to the cluster, or connect from the cluster to other services at Mass General Brigham that allow Single Sign-on using Mass General Brigham credentials.

ERISTwo cluster services that support Single Sign-on are

  • SSH to the ERISTwo cluster here
  • Network file sharing on here

How-to guide

Note that your username with Single Sign-on is different to your email and your Mass General Brigham ID.  The username is your Mass General Brigham ID followed by '@PARTNERS.ORG'.  If your Mass General Brigham ID is abc123 then your username for single sign-on will be @email.  On ERISTwo the domain part can be omitted, in which case your Single Sign-on ID can be given simply as your Mass General Brigham ID.

Connecting TO ERISTwo cluster services using Single Sign-On

From computers running Microsoft Windows

No setup is required if the computer is a Mass General Brigham standard build PC, or if it is joined to the PARTNERS domain.  

If the computer is not joined to the PARTNERS domain, it is still possible to use Single Sign-on by setting up MIT Kerberos for Windows according to the following steps:

  • Download and install "MIT Kerberos for Windows 4.0.1" (or newer version) from http://web.mit.edu/kerberos/dist/index.html
  • Open the "Network Identity Manager" from the "Kerberos for Windows" item in the Programs menu
  • Under the Options menu, select "Identities"
  • Click "Add new identity..."
  • Enter your username, and the Realm "PARTNERS.ORG" and click OK

Connections to eristwofs.partners.org network shares will now automatically sign-on. 

The PUTTY SSH client will use Single Sign-on automatically with eristwo.partners.org

From computers running Mac OS X

No setup is required if the computer is joined to the PARTNERS domain. 

If it is not already in the domain, use the Ticket Viewer application to manage your authentication credentials:

One-time setup
  • Open the Finder and select "Go To Folder..." from the "Go" menu
  • Enter "/System/Library/CoreServices" in the "Go to the folder:" dialog box and click "Go"
  • Find the "Ticket Viewer" application and double-click to open
  • Right-click on the "Ticket Viewer" icon in the Dock, and select "Options" and "Keep in Dock"
    • This step ensures the application can always be opened directly from the Dock in future
  • In the Ticket Viewer application, click "Add Identity" and insert your Single Sign-on ID (like @email) as the Identity, and enter Mass General Brigham password.  Press Continue
Regular usage

Authentication tokens need to be acquired each time you reboot your computer, and also may need to be refreshed after they expire once per day.  To acquire or refresh your token

  • open the Ticket Viewer app
  • click the circular arrow symbol next to your Mass General Brigham Single Sign-on identity

The SSH client in the Terminal App will now use Single Sign-On with the following options enabled (assuming username abc123).

ssh -l abc123 -o GSSAPIAuthentication=yes -o GSSAPITrustDNS=yes  -o GSSAPIDelegateCredentials=yes eristwo.partners.org

Permanently enable these SSH options for eristwo.partners.org by editing your SSH config file

While it is possible to use the command-line tool "kinit" on a Mac, we recommend using the Ticket Viewer app instead

From computers running Linux

No setup is required if the computer is joined to the PARTNERS domain. 

If it is not already in the domain, install the kerberos client packages from your Linux distribution

Acquire an authentication token using the 'kinit' command and then SSH with Single Sign-On to eristwo.partners.org

kinit abc123@PARTNERS.ORG ssh -l abc123 -o GSSAPIAuthentication=yes -o GSSAPITrustDNS=yes  -o GSSAPIDelegateCredentials=yes eristwo.partners.org 

Permanently enable these SSH options for eristwo.partners.org by editing your SSH config file.  Set the default domain to PARTNERS.ORG by configuring /etc/krb5.conf to include the settings shown in the Appendix B at the end of this article

Connecting FROM the ERISTwo cluster to other Mass General Brigham services using Single Sign-On

  • Acquire an SSH terminal on the ERISTwo cluster,
    • The terminal should be on one of the login nodes, remote desktop nodes or filemove nodes (names beginning with eris1n, rgs and eris1fs )
  • Now acquire an authentication token
kinit
Password for abc123@PARTNERS.ORG:
  • View the authentication tokens available to you, and their expiry dates
klist Ticket cache: FILE:/tmp/krb5cc_1234567 Default principal: abc123@PARTNERS.ORG
  • Use the token to connect to a file share without supplying a password
    • In this example adding the -k flag to the smbclient command):

smbclient -U PARTNERS/abc123 //SFA9.PARTNERS.ORG/ashare$ -k
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
smb: \> ls

References:

Helpful articles from the Web:

Appendix A: Making Single Sign-on the default for SSH on Mac OS X and Linux

In the file ".ssh/config" in your home directory, append these lines of text in order to enable Single Sign-on by default.  Assumes a Mass General Brigham ID of abc123

Host eristwo.partners.org
  User abc123
  GSSAPIAuthentication yes
  GSSAPITrustDNS yes
  GSSAPIDelegateCredentials yes

Appendix B: Configuration settings for the PARTNERS domain

[libdefaults]
 default_realm = PARTNERS.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 10h
 forwardable = true

[domain_realm]
 partners.org = PARTNERS.ORG
 .partners.org = PARTNERS.ORG
Go to KB0028030 in the IS Service Desk

Related articles