Strong Authentication at Fermilab
Strong authentication is a form of computer security in which the identities
of networked users, clients and servers are verified without transmitting
passwords over the network.
The Kerberos Network Authentication Service V5 is the network
authentication program that Fermilab uses to implement strong
authentication. In addition to establishing identity (authentication), it
supports encrypted network connections, thereby providing confidentiality.
Fermilab employs Kerberos to authenticate users who want to access
computer systems at the lab. A user must have a valid Kerberos
ticket before they can log in to a machine. Tickets can be obtained by
running the kinit client application on the user's workstation, or the
user may obtain a ticket during the login process by using a
cryptocard. Tickets expire after 24 hours, but can generally be
renewed before expiration for a period of 7 days. Only users who
hold current (unexpired) Kerberos principals issued by Fermilab can
obtain Kerberos tickets.
Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and, if
specially built, ssh and slogin. All of these clients can encrypt
communications.
All computer users at Fermilab have a responsibility to understand the
broad outlines of Fermilab's Strong Authentication policy, and to comply
with the policy.
Please refer to the following web page for more technical details:
Introduction to Strong Authentication
Kerberos Software Installation: Unix and Windows+Cygwin
Many UNIX systems already have Kerberos installed. Run "which
kinit" to see whether the client software is already in your path. If not,
check whether the /usr/krb5 or /usr/kerberos directory
exists on your workstation; if so, add /usr/kerberos/bin (or the
equivalent under /usr/krb5) to the front of your path.
On RedHat Linux systems, you will need to install the following
RPMs (versions will vary):
- krb5-libs
- krb5-workstation
- pam_krb5
You may also download kerberos software from Fermilab. "Lite" versions
of Linux and Windows clients have been made available. You can
download the software by following this link:
ftp://ftp.fnal.gov/pub/fnal-kerberos-clientonly/current/.
After untarring the Linux version, or unzipping the Windows version, follow
the instructions which accompany the software.
If you have an older version of Linux, you can download a statically-linked
version of the kerberos clients using this link:
krb5.static.tgz. You will also need
the krb5.conf file.
Please refer to the following webpage for more details on installing and using this software:
kerberos-instruction.html.
If Kerberos software is already installed on your system, you will need to
modify the configuration file so that your machine knows how to contact the
Fermilab key servers. If you will only access Fermilab via Kerberos, install
krb5.conf in /etc. If you are already using Kerberos to access another site,
for example NCSA, you will need to modify your existing
/etc/krb5.conf file as follows:
- In the [realms] section, add
FNAL.GOV = {
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-2.fnal.gov:88
kdc = krb-fnal-3.fnal.gov:88
kdc = krb-fnal-4.fnal.gov:88
kdc = krb-fnal-5.fnal.gov:88
kdc = krb-fnal-6.fnal.gov:88
admin_server = krb-fnal-admin.fnal.gov
master_kdc = krb-fnal-admin.fnal.gov:88
default_domain = fnal.gov
}
WIN.FNAL.GOV = {
kdc = littlebird.win.fnal.gov:88
kdc = bigbird.win.fnal.gov:88
default_domain = fnal.gov
}
- In the [domain_realm] section, add
.fnal.gov = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV
fsus01.fnal.gov = FNAL.GOV
fsus03.fnal.gov = FNAL.GOV
fsus04.fnal.gov = FNAL.GOV
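The merge described in the list above, as an added example that is not part of the original page: a Python script that parses an existing krb5.conf (the NCSA.EDU realm it contains is a constructed sample), appends the FNAL.GOV realm and the host-to-realm mappings listed above without disturbing entries already present, and then checks that kinit would have KDCs to contact and that fnal.gov hosts map to FNAL.GOV. The parser covers only the subset of krb5.conf syntax shown on this page.

```python
import re
# Constructed sample: an /etc/krb5.conf that already points at another site (NCSA, as the page says).
EXISTING_CONF = """[realms]
 NCSA.EDU = {
  kdc = kerberos.ncsa.edu:88
 }
[domain_realm]
 .ncsa.edu = NCSA.EDU
"""
# The FNAL.GOV entries exactly as listed on the page (WIN.FNAL.GOV would be merged the same way).
FNAL_REALM = ["kdc = krb-fnal-%d.fnal.gov:88" % i for i in range(1, 7)] + [
    "admin_server = krb-fnal-admin.fnal.gov", "master_kdc = krb-fnal-admin.fnal.gov:88",
    "default_domain = fnal.gov"]
FNAL_DOMAIN_REALM = [(h, "FNAL.GOV") for h in (".fnal.gov", ".dhcp.fnal.gov",
                     "fsus01.fnal.gov", "fsus03.fnal.gov", "fsus04.fnal.gov")]

def parse_krb5_conf(text):
    """{section: [(key, value)]}; value is a str or, for 'key = { ... }' blocks, a list of lines."""
    conf, entries, block = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"): continue
        if block is not None:                        # inside a realm block: collect until '}'
            if line == "}": block = None
            else: block.append(line)
        elif m := re.fullmatch(r"\[(\w+)\]", line):  # section header such as [realms]
            entries = conf.setdefault(m.group(1), [])
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            block = [] if value == "{" else None     # '{' opens a nested block
            entries.append((key, value if block is None else block))
    return conf

def add_fermilab(conf):
    """Merge the FNAL.GOV realm and host-to-realm mappings; existing keys are left untouched."""
    new = {"realms": [("FNAL.GOV", list(FNAL_REALM))], "domain_realm": FNAL_DOMAIN_REALM}
    for section, items in new.items():
        entries = conf.setdefault(section, [])
        present = {k for k, _ in entries}
        entries += [(k, v) for k, v in items if k not in present]
    return conf

def kdcs(conf, realm):
    """KDCs configured for `realm`; an empty list means kinit has no key server to contact."""
    for key, value in conf.get("realms", []):
        if key == realm and isinstance(value, list):
            return [v.strip() for k, _, v in (l.partition("=") for l in value) if k.strip() == "kdc"]
    return []

def host_realm(conf, host):
    """Realm for `host` under [domain_realm]: exact hostname first, then each parent domain."""
    mapping = dict(conf.get("domain_realm", []))
    candidates = [host] + ["." + host.split(".", i)[-1] for i in range(1, host.count(".") + 1)]
    return next((mapping[c] for c in candidates if c in mapping), None)
```

Running add_fermilab a second time changes nothing, so the script is safe to re-run after the Fermilab entries are already in place.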
Kerberos Software Installation: Mac OS X
These instructions have been kindly provided by Brant Roberson, who, in reward, should be bothered with all questions.
For Mac OS 10.4 and 10.5, Kerberos comes installed and the pre-installed ssh program is Kerberos-ized. The default krb5.conf file is not /etc/krb5.conf. The Kerberos configuration file is called /Library/Preferences/edu.mit.Kerberos.
The edu.mit.Kerberos file must be created by the user (via sudo). The following /Library/Preferences/edu.mit.Kerberos file works for me for both Mac OS 10.4 and 10.5:
[domain_realm]
.fnal.gov = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV
fsus01.fnal.gov = FNAL.GOV
fsus03.fnal.gov = FNAL.GOV
fsus04.fnal.gov = FNAL.GOV
[libdefaults]
dns_fallback = "yes"
default_realm = FNAL.GOV
noaddresses = TRUE
[realms]
FNAL.GOV = {
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-2.fnal.gov:88
kdc = krb-fnal-3.fnal.gov:88
kdc = krb-fnal-4.fnal.gov:88
kdc = krb-fnal-5.fnal.gov:88
kdc = krb-fnal-6.fnal.gov:88
admin_server = krb-fnal-admin.fnal.gov
master_kdc = krb-fnal-admin.fnal.gov:88
default_domain = fnal.gov
}
WIN.FNAL.GOV = {
kdc = littlebird.win.fnal.gov:88
kdc = bigbird.win.fnal.gov:88
default_domain = fnal.gov
}
This is just adapted from the krb5.conf file provided for Linux users on the webpage.
There is also a GUI program preinstalled in Mac OS X for viewing
Kerberos tickets. It is located in an unusual place (/System/Library/CoreServices/Kerberos), but it has a nice visualization of
the tickets that is easy to understand. It is probably worthwhile
for users to run
cd /Applications
sudo ln -s /System/Library/CoreServices/Kerberos.app Kerberos.app
to create a link in the normal location for Applications to make it easier to find.
Authentication with Cryptocard
Cryptocards generate passwords which are valid only for a single use. If
Kerberos client software isn't available, using a cryptocard is the only other
means of accessing Fermilab systems. These cards look like a calculator.
Two styles of cryptocard have been issued by Fermilab, and unfortunately their
usage differs. The Computing Division has a good chapter in their Kerberos
documentation which explains how to use both types of cards.