GSSAPI (Kerberos) Access to Helix and Biowulf

GSSAPI is an authentication interface supported by Microsoft Windows, MacOS, Linux, BSD and many other operating systems and software packages. This interface is enabled for the following services on our systems:

• SSH (log-in)
• File Services (mapped network drives)

If you use an NIH-operated Windows workstation, your system is already configured to make use of GSSAPI-enabled clients. MacOS and Linux systems may or may not be configured to use Kerberos.

Supported Clients

Following is a (non-exhaustive) list of clients that can be used to gain GSSAPI/Kerberos (passwordless) access to various Helix services (including Biowulf).

Command Commands

MacOS and Linux users can run these commands from most terminal emulators once the required packages are installed.

To see your Kerberos tickets, run the klist command.

To get or renew a Kerberos ticket, run the kinit command. You will be prompted for your NIH password.

Windows (Windows 10 and Windows 11)

Individuals that use their NIH-issued PIV card or NIH.GOV password to log into their workstation will have GSSAPI access to Helix/Biowulf using:

• PuTTY (v0.62 or better) for SSH (log-in) access and
• Map Network Drive for file access.

The SSH client needs to be configured to use GSSAPI. In both cases, it's a single configuration item, see the client documentation for instructions on enabling GSSAPI. Individuals that use hpcdrive.nih.gov to map network drives will not be prompted for a password when accessing their network shares when logged into the domain.

Users connecting via command line can pass "-o GSSAPIAuthentication=yes" into their SSH command to enable Kerberos authentication.

MacOS

MacOS Workstations that are configured for the NIH.GOV domain, or are configured to use PIV cards for log-in, will have GSSAPI access to Helix/Biowulf using:

• The bundled OpenSSH client for SSH (log-in) access,
• "Connect to server" when accessing HPCDrive

If your workstation is correctly configured to use the NIH.GOV domain, each of these clients should automatically use GSSAPI if it is available.

Your macOS workstation may not automatically renew your Kerberos tickets. You must remember to use the klist and kinit commands before connecting to Biowulf, Helix, or HPCLoginTest via SSH.

Users connecting via command line can pass "-o GSSAPIAuthentication=yes" into their SSH command to enable Kerberos authentication.

Unix, Linux, BSD, possibly others

Unix/Linux/*BSD workstations can be configured for the NIH domain per the Linux section of these instructions. Once that's done the following clients can use GSSAPI to access Helix services:

• OpenSSH suite (ssh, scp) for log-in and file transfer.
• The GNOME3 shell supports Kerberos/GSSAPI auth when using "Connect to Server" to map Windows Shares.
• Using Linux, the "mount.cifs" command supports the "sec=krb5i" option for properly mounting CIFS (windows) shares to the file system.