GSSAPI (Kerberos) Access to Helix and Biowulf

Overview

GSSAPI is an authentication interface supported by Microsoft Windows, macOS, Linux, BSD and many other operating systems and software packages. This interface is enabled for the following services on our systems:

If you use an NIH-operated Windows workstation, your system is already configured to make use of GSSAPI-enabled clients. macOS and Linux systems may or may not be configured to use Kerberos.

Following is a (non-exhaustive) list of clients that can be used to gain GSSAPI/Kerberos (passwordless) access to various Helix services (including Biowulf).

Command Overview

To see your Kerberos tickets, run the klist command.

To get or renew a Kerberos ticket, run the kinit command.

Note: macOS and Linux users may need to install additional packages to run these commands.

Windows (Windows 10 and Windows 11)

Individuals who use their NIH-issued PIV card or NIH.GOV password to log into their workstation will have GSSAPI access to Helix/Biowulf using:

The SSH client needs to be configured to use GSSAPI. In both cases, it's a single configuration item; see the client documentation for instructions on enabling GSSAPI. Individuals who use hpcdrive.nih.gov to map network drives will not be prompted for a password when accessing their network shares while logged into the domain.

Users connecting via the command line can pass "-o GSSAPIAuthentication=yes" to their SSH command to enable Kerberos authentication.

Windows users should automatically get a Kerberos ticket when they log on to their system. They do not need to manually run the kinit command.

macOS

macOS workstations that are configured for the NIH.GOV domain, or are configured to use PIV cards for login, will have GSSAPI access to Helix/Biowulf using:

If your workstation is correctly configured to use the NIH.GOV domain, each of these clients should automatically use GSSAPI if it is available.

If you wish to connect to Helix, Biowulf, or HPCLoginTest using Kerberos over SSH in a terminal, you must run kinit before attempting to connect.

Your macOS workstation may not automatically renew your Kerberos tickets. You must remember to use the klist and kinit commands before connecting to Biowulf, Helix, or HPCLoginTest via SSH.

Users connecting via the command line can pass "-o GSSAPIAuthentication=yes" to their SSH command to enable Kerberos authentication.
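
The terminal procedure described above (check with klist, renew with kinit, then connect with GSSAPI enabled), written as a shell helper for macOS and Linux terminals. This is an added example, not part of the original page; the function names and the PreferredAuthentications setting are assumptions, and the host is whatever you pass on the command line.

```shell
# Added example (hypothetical helper names, not from the original page).
# Usage after sourcing this file:  krb_ssh username@HOST [remote command]

# Succeeds only if the credential cache is readable and holds an unexpired
# ticket. "klist -s" prints nothing and reports the result as its exit status.
have_ticket() {
    klist -s 2>/dev/null
}

# Make sure a usable ticket exists, running kinit only when it is needed.
# Returns 2 if the Kerberos client tools are not installed, 1 if no ticket
# could be obtained, 0 otherwise.
ensure_ticket() {
    for tool in klist kinit; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "krb_ssh: '$tool' not found; install the Kerberos client package" >&2
            return 2
        }
    done
    if have_ticket; then
        return 0
    fi
    echo "krb_ssh: no valid Kerberos ticket, running kinit" >&2
    kinit || return 1
    # Re-check instead of trusting kinit's exit status alone.
    have_ticket
}

# Connect with GSSAPI enabled, as the page describes.
krb_ssh() {
    [ "$#" -ge 1 ] || {
        echo "usage: krb_ssh user@host [command]" >&2
        return 64
    }
    ensure_ticket || return $?
    # GSSAPIAuthentication=yes is the option given on the page.
    # PreferredAuthentications is an added choice (assumption): offering only
    # GSSAPI makes a missing or rejected ticket show up as a failed login
    # instead of a fallback to a password prompt.
    ssh -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        "$@"
}
```

Drop the PreferredAuthentications line if you want the normal fallback to other login methods when the ticket is not accepted.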

Unix, Linux, BSD, possibly others

Unix/Linux/*BSD workstations can be configured for the NIH domain per the Linux section of these instructions. Once that's done, the following clients can use GSSAPI to access Helix services: