{"id":444,"date":"2020-10-02T12:43:59","date_gmt":"2020-10-02T17:43:59","guid":{"rendered":"https:\/\/computing.fnal.gov\/wilsoncluster\/?page_id=444"},"modified":"2024-01-25T10:59:53","modified_gmt":"2024-01-25T16:59:53","slug":"kerberos","status":"publish","type":"page","link":"https:\/\/computing.fnal.gov\/wilsoncluster\/kerberos\/","title":{"rendered":"Kerberos"},"content":{"rendered":"\n

Service desk articles on Kerberos strong authentication<\/h3>\n\n\n\n

Service desk knowledge base articles concerning Kerberos at Fermilab are here.<\/a><\/p>\n\n\n\n

\n

Kerberos software installation<\/span><\/h3>\n

Many UNIX systems already have kerberos installed. Use\u00a0which kinit<\/code>\u00a0to see whether this software is already in your path. If not, check if\u00a0\/usr\/krb5<\/code>\u00a0or\u00a0\/usr\/kerberos<\/code>\u00a0directories exist on your workstation – if so, add\u00a0\/usr\/kerberos\/bin<\/code>\u00a0(or the equivalent for\u00a0krb5<\/code>) to the\u00a0front<\/strong>\u00a0of your path.<\/p>\n

On RedHat Linux systems (MAC read this<\/a>), you will need to install the following RPM’s (versions will vary):<\/p>\n

krb5-libs
krb5-workstation
pam_krb5<\/pre>\n
If kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab key authentication servers. Copy your OS-specific\u00a0krb5.conf<\/code><\/a>file in\u00a0\/etc<\/code>.<\/p>\n
If you are already using kerberos to access another site, for example, NCSA, you will need to modify your existing\u00a0\/etc\/krb5.conf<\/code>\u00a0file as follows:<\/p>\n
In the\u00a0[realms]<\/strong>\u00a0section, add<\/p>\n
FNAL.GOV = {
          kdc = krb-fnal-1.fnal.gov:88
          kdc = krb-fnal-2.fnal.gov:88
          kdc = krb-fnal-3.fnal.gov:88
          kdc = krb-fnal-4.fnal.gov:88
          kdc = krb-fnal-5.fnal.gov:88
          kdc = krb-fnal-6.fnal.gov:8
          admin_server = krb-fnal-admin.fnal.gov
          master_kdc = krb-fnal-admin.fnal.gov:88
          default_domain = fnal.gov
}

WIN.FNAL.GOV = {
          kdc = littlebird.win.fnal.gov:88
          kdc = bigbird.win.fnal.gov:88
          default_domain = fnal.gov
}\u00a0<\/code><\/pre>\n<\/div><\/div>\n\n\n
In the\u00a0[domain_realm<\/strong>] section, add<\/p>\n
.fnal.gov = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV<\/pre>\n
A user must have a valid kerberos ticket before they can login to a Fermilab machine. Here is a sample session showing a typical kerberos dialog to obtain a kerberos ticket. johndoe@FNAL.GOV<\/code> is the kerberos principal. You must use Secure SHell (SSH) that supports Kerberos to remote login.<\/p>\n
dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:

# The -K flag forwards your kerberos ticket and is needed to access \/nashome
dalrott:~$ ssh -K wc.fnal.gov

Scientific Linux Fermi SLF release 7.7 (Nitrogen)

NOTICE TO USERS

This is a Federal computer (and\/or it is directly connected to aFermilab local network system) that is the property of the UnitedStates Government. It is for . . . .\u00a0
<---snip--->

wc:~$<\/pre>\n
Please note:<\/p>\n
    \n
  1. You should only\u00a0kinit<\/code>\u00a0on your local machine, from its console.\u00a0Do not execute\u00a0kinit<\/code>\u00a0over a network connection (e.g. computer at your local library, public access computer at a hotel business center, etc.), since this can expose your kerberos password.<\/li>\n
  2. You will probably want to request renewable tickets since tickets by default expire 24 hours after they are issued unless renewed with\u00a0kinit -R<\/code>. Tickets can be renewed for up to 7 days if you request a ticket using\u00a0kinit -r 7d<\/code>. The maximum renewable period is 7 days.<\/li>\n
  3. Use\u00a0klist -f<\/code> to check whether you hold a valid ticket. The\u00a0-f<\/code>\u00a0switch shows whether the ticket is forwardable.<\/li>\n
  4. If you are connecting from home behind a firewall which uses NAT (Network Address Translation), you’ll need to use address-less tickets. Most versions of kerberos will give you address-less tickets if you use the\u00a0-n<\/code>\u00a0switch. Other versions of kerberos may use the\u00a0-A<\/code>\u00a0switch. Check your man page for\u00a0kinit<\/code>\u00a0or use\u00a0kinit --help<\/code>\u00a0to see which switch is supported<\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"
    Service desk articles on Kerberos strong authentication Service desk knowledge base articles concerning Kerberos at Fermilab are here. Kerberos software installation Many UNIX systems already have kerberos installed. Use\u00a0which kinit\u00a0to see whether this software is already in your path. If not, check if\u00a0\/usr\/krb5\u00a0or\u00a0\/usr\/kerberos\u00a0directories exist on your workstation – if so, add\u00a0\/usr\/kerberos\/bin\u00a0(or the equivalent for\u00a0krb5) to…  More »<\/a><\/p>\n","protected":false},"author":15,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-444","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/pages\/444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/comments?post=444"}],"version-history":[{"count":22,"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/pages\/444\/revisions"}],"predecessor-version":[{"id":7322,"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/pages\/444\/revisions\/7322"}],"wp:attachment":[{"href":"https:\/\/computing.fnal.gov\/wilsoncluster\/wp-json\/wp\/v2\/media?parent=444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}