Kerberos

Service desk articles on Kerberos strong authentication

Service desk knowledge base articles concerning Kerberos at Fermilab are here.

Kerberos software installation

Many UNIX systems already have Kerberos installed. Run which kinit to see whether the client tools are already in your path. If not, check whether /usr/krb5 or /usr/kerberos exists on your workstation; if so, add /usr/kerberos/bin (or /usr/krb5/bin) to the front of your path.

On Red Hat Linux systems (Mac users: read this), you will need to install the following RPMs (versions will vary):

krb5-libs
krb5-workstation
pam_krb5

If Kerberos software is already installed on your system, you will need to modify its configuration file so that your machine knows how to contact the Fermilab key distribution centers (KDCs). Copy the OS-specific krb5.conf file to /etc.

If you are already using Kerberos to access another site (for example, NCSA), you will need to modify your existing /etc/krb5.conf file as follows:

In the [realms] section, add

FNAL.GOV = {
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-2.fnal.gov:88
kdc = krb-fnal-3.fnal.gov:88
kdc = krb-fnal-4.fnal.gov:88
kdc = krb-fnal-5.fnal.gov:88
kdc = krb-fnal-6.fnal.gov:88
admin_server = krb-fnal-admin.fnal.gov
master_kdc = krb-fnal-admin.fnal.gov:88
default_domain = fnal.gov
}

WIN.FNAL.GOV = {
kdc = littlebird.win.fnal.gov:88
kdc = bigbird.win.fnal.gov:88
default_domain = fnal.gov
}

In the [domain_realm] section, add

.fnal.gov = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV

A user must hold a valid Kerberos ticket before logging in to a Fermilab machine. The sample session below shows a typical dialog for obtaining a ticket; johndoe@FNAL.GOV is the Kerberos principal. To log in remotely you must use a Secure Shell (SSH) client that supports Kerberos (GSSAPI) authentication.

dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:

# The -K flag enables GSSAPI authentication and forwards (delegates) your Kerberos credentials to the remote host; it is needed to access /nashome
dalrott:~$ ssh -K wc.fnal.gov

Scientific Linux Fermi SLF release 7.7 (Nitrogen)

NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for . . . . 
<---snip--->

wc:~$

Please note:

  1. Only run kinit on your local machine, from its console. Do not type your Kerberos password into kinit over a network connection or on a machine you do not control (a computer at your local library, a public-access PC in a hotel business center, etc.), since this can expose your Kerberos password.
  2. You will probably want to request renewable tickets: by default a ticket expires 24 hours after it is issued, and it can only be extended with kinit -R if it was requested as renewable in the first place. kinit -r 7d requests the maximum renewable period, which is 7 days.
  3. Use klist -f to check whether you hold a valid ticket. The -f switch also prints the ticket flags, for example F for forwardable and R for renewable.
  4. If you are connecting from home behind a firewall that uses NAT (Network Address Translation), you will need address-less tickets. The switch depends on your Kerberos version: MIT and Heimdal kinit use -A, while some older versions use -n. Check the man page for kinit or run kinit --help to see which switch yours supports.
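The checks the steps above rely on (finding kinit, a sane FNAL.GOV stanza in /etc/krb5.conf, and a forwardable ticket before ssh -K), as an added shell example that is not part of this article or of Fermilab's own tooling. It assumes an MIT-style krb5.conf and MIT klist -f output; the two sample files it writes are constructed, and the sample krb5.conf deliberately contains the two defects a hand-edited stanza most often ends up with (a kdc port typo and a stanza whose closing brace is missing).

```shell
#!/bin/sh
# Added example, not Fermilab's own tooling: preflight checks for the client
# setup described above. Assumes an MIT-style krb5.conf and MIT "klist -f"
# output; the sample files written below are constructed for illustration.

# Locate kinit in $PATH, then in the legacy /usr/kerberos and /usr/krb5 trees.
find_kinit() {
    command -v kinit 2>/dev/null && return 0
    for d in /usr/kerberos/bin /usr/krb5/bin; do
        [ -x "$d/kinit" ] && { echo "$d/kinit"; return 0; }
    done
    return 1
}

# check_krb5_conf REALM DOMAIN FILE: report realm stanzas whose braces never
# close, kdc/master_kdc entries on a port other than 88, a missing [realms] entry
# for REALM and a missing "DOMAIN = REALM" line in [domain_realm]. Exit 0 if clean.
check_krb5_conf() {
    awk -v realm="$1" -v domain="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[[A-Za-z_]+][ \t]*$/ {                   # [section] header
        if (depth > 0) { print "unterminated stanza " stanza; bad++; depth = 0 }
        sect = $0; gsub(/[^A-Za-z_]/, "", sect); next
    }
    sect == "realms" && /=[ \t]*[{][ \t]*$/ {         # "NAME = {" opens a stanza
        if (depth == 0) { stanza = $1; seen[stanza] = 1 }
        depth++; next
    }
    sect == "realms" && /^[ \t]*[}][ \t]*$/ { if (depth > 0) depth--; next }
    sect == "realms" && depth > 0 && ($1 == "kdc" || $1 == "master_kdc") {
        n = split($3, hp, ":")                        # host[:port]
        if (n == 2 && hp[2] != "88") {
            print stanza ": " $1 " " hp[1] " uses port " hp[2] ", expected 88"; bad++
        }
        next
    }
    sect == "domain_realm" && $1 == domain {
        if ($3 == realm) mapped = 1
        else { print "domain_realm maps " domain " to " $3 ", expected " realm; bad++ }
    }
    END {
        if (depth > 0) { print "unterminated stanza " stanza; bad++ }
        if (!(realm in seen)) { print "no [realms] entry for " realm; bad++ }
        if (!mapped) { print "no [domain_realm] mapping for " domain; bad++ }
        exit (bad > 0)
    }' "$3"
}

# tgt_flags REALM FILE: print the flag letters (F forwardable, R renewable)
# of the krbtgt/REALM@REALM ticket from saved "klist -f" output.
tgt_flags() {
    awk -v realm="$1" '
    $NF == ("krbtgt/" realm "@" realm) { want = 1; next }
    want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
    { want = 0 }' "$2"
}

has_flag() {   # has_flag LETTER FLAGS: true if LETTER occurs in the flag string
    case "$2" in *"$1"*) return 0 ;; esac
    return 1
}

# Constructed krb5.conf: the FNAL.GOV stanza plus two defects a hand edit can
# introduce, a kdc on port 8 instead of 88 and a stanza that never closes.
SAMPLE_CONF=$(mktemp) && SAMPLE_KLIST=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_KLIST"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[realms]
FNAL.GOV = {
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-6.fnal.gov:8
}
WIN.FNAL.GOV = {
kdc = littlebird.win.fnal.gov:88
[domain_realm]
.fnal.gov = FNAL.GOV
EOF
# Constructed "klist -f" output for a forwardable, renewable TGT.
cat >"$SAMPLE_KLIST" <<'EOF'
Valid starting       Expires              Service principal
03/04/2024 09:00:00  03/05/2024 09:00:00  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 03/11/2024 09:00:00, Flags: FRIA
EOF
echo "kinit: $(find_kinit || echo 'not found, install krb5-workstation')"
if check_krb5_conf FNAL.GOV .fnal.gov "$SAMPLE_CONF"; then
    echo "krb5.conf: ok"
else
    echo "krb5.conf: fix the problems above before running kinit"
fi
FLAGS=$(tgt_flags FNAL.GOV "$SAMPLE_KLIST")
if has_flag F "$FLAGS"; then
    echo "TGT flags $FLAGS: forwardable, so ssh -K can delegate it"
else
    echo "TGT flags $FLAGS: not forwardable, re-run kinit with -f"
fi
```

To use it against a real workstation, point check_krb5_conf at /etc/krb5.conf and save the output of klist -f to a file for tgt_flags; the script reports the port typo and the unclosed WIN.FNAL.GOV stanza in the constructed sample and confirms the sample TGT carries the F flag that ssh -K needs.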