FNAL - KICP Joint Cluster

Cosmos Cluster Documentation


User Authentication using Kerberos

Here is a sample session showing a typical Kerberos dialog. djholm@FNAL.GOV is the Kerberos principal. "which ssh" is used to verify that the Kerberized version of ssh will be run (a non-Kerberized ssh will be rejected by the cluster).

dalrott:~$ kinit -r 7d djholm@FNAL.GOV
Password for djholm@FNAL.GOV:

dalrott:~$ which ssh
/usr/krb5/bin/ssh

dalrott:~$ ssh fulla.fnal.gov
Fermi Linux lts30 INSTALL for Astro via CDROM on Mon Aug  7 11:59:55 CDT 2006
                              NOTICE TO USERS
.
.
.
fulla:~$ 

You need a Kerberized version of SSH. If your SSH is not Kerberized, you can download one here:

  • ssh.rhes4: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
  • ssl_sl5: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped

Kerberos Authentication Usage Notes

  • You should only run kinit on your local machine, from its console. Don't run kinit over a network connection, since this can expose your Kerberos password.
  • You will probably want to request renewable tickets, since tickets expire 24 hours after they are issued. With "kinit -r 7d" a ticket can be renewed for up to 7 days, which is the maximum renewable period.
  • Use klist to check whether you hold a valid ticket. For example:
    dalrott:/slack/djholm$ klist
    Ticket cache: /tmp/krb5cc_tty1
    Default principal: djholm@FNAL.GOV
    
    Valid starting     Expires            Service principal
    05/15/07 15:57:37  05/16/07 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
    

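To make the renewal habit described in the notes above mechanical, here is an added Python example (not part of the Cosmos cluster documentation) that parses a klist listing in the format shown above and reports whether the ticket-granting ticket is fine, should be renewed with "kinit -R", or has expired and needs a fresh kinit at the console. The sample klist text is copied from the notes above; the handling of a "renew until" line assumes the MIT klist layout, which the page does not show, and the timestamp pattern matches only the two-digit-year format printed here (newer klist releases print their dates differently).

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample input: the klist output quoted in the usage notes above.
SAMPLE_KLIST = """Ticket cache: /tmp/krb5cc_tty1
Default principal: djholm@FNAL.GOV

Valid starting     Expires            Service principal
05/15/07 15:57:37  05/16/07 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
"""

_TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
# Assumption: MIT klist prints "renew until <timestamp>" on the line after a
# renewable ticket. The page's sample output does not show such a line.
_RENEW_RE = re.compile(rf"^\s*renew until ({_TS})\s*$")
_FMT = "%m/%d/%y %H:%M:%S"


def parse_ts(text):
    """Parse a klist timestamp such as '05/16/07 17:57:37' (2-digit year)."""
    return datetime.strptime(text, _FMT)


def parse_klist(text):
    """Return (principal, tickets) from klist output.

    Each ticket is a dict with 'start', 'expires', 'service' and
    'renew_until' (None when klist printed no renew line for it).
    """
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": parse_ts(m.group(1)),
                "expires": parse_ts(m.group(2)),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return principal, tickets


def tgt_for(tickets, realm):
    """Return the ticket-granting ticket for `realm`, or None if absent."""
    want = f"krbtgt/{realm}@{realm}"
    return next((t for t in tickets if t["service"] == want), None)


def remaining(tgt, now):
    """Seconds of lifetime left on `tgt` at time `now` (0 once expired)."""
    return max(0, int((tgt["expires"] - now).total_seconds()))


def ticket_status(tgt, now, warn_before=timedelta(hours=2)):
    """Classify the TGT at time `now`.

    'expired'     past Expires: only a fresh kinit at the console helps
    'renew'       within warn_before of expiring and still renewable: kinit -R
    'unrenewable' within warn_before, but the renewable lifetime is used up too
    'ok'          nothing to do yet
    """
    if tgt is None or now >= tgt["expires"]:
        return "expired"
    if tgt["expires"] - now > warn_before:
        return "ok"
    ru = tgt["renew_until"]
    if ru is not None and ru <= tgt["expires"]:
        return "unrenewable"
    return "renew"


def check(text, realm="FNAL.GOV", now=None):
    """One-line report suitable for a shell prompt or a cron job."""
    now = now or datetime.now()
    principal, tickets = parse_klist(text)
    tgt = tgt_for(tickets, realm)
    status = ticket_status(tgt, now)
    left = remaining(tgt, now) if tgt else 0
    return f"{principal or 'no principal'}: TGT {status}, {left // 60} min left"


if __name__ == "__main__":
    # Use the live klist output when klist is installed; otherwise the sample.
    try:
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
        print(check(out))
    except FileNotFoundError:
        print(check(SAMPLE_KLIST, now=parse_ts("05/16/07 17:00:00")))
```

Run from cron every hour (or from your shell prompt); when it reports "renew", run "kinit -R" before the ticket lapses and X forwarding keeps working. The two-hour warning window is a chosen default, not a Fermilab setting.
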
If you are connecting from home through a firewall which uses NAT (network address translation), you'll need to use addressless tickets. The Fermilab version of Kerberos will give you addressless tickets if you use the "-n" switch. Other versions of Kerberos may use the "-A" switch. Check your man page for kinit, or use "kinit --help", to see which switch is supported. With addressless tickets, unfortunately, rsh/rcp/rlogin will not work when traversing a NAT. However, telnet and ssh/scp do work. The Fermilab lite version of Kerberos for Windows supports addressless tickets. The lite version for Linux currently does not. An unofficial cut of the Linux lite version (use at your own risk) which does support the "-n" switch is available here.

User Authentication using Cryptocard

Here's a typical session with a cryptocard:


dalrott:~$ ssh fulla.fnal.gov

login: djholm
Press ENTER and compare this challenge to the one on your display: [00160613]
Enter the displayed response: a37ddb18
Fermi Linux lts30 INSTALL for Astro via CDROM on Mon Aug  7 11:59:55 CDT 2006
                              NOTICE TO USERS
.
.
.
fulla:~$

In this example, the ssh server on fulla issued a cryptocard challenge. After turning on an old-style cryptocard and entering a valid PIN, the word Fermilab is displayed. Hitting ENT displays a number which (almost always) matches the challenge. Hitting ENT again displays the response, which must be typed at the workstation. With the new-style cryptocards, the challenge is not displayed, only the response. For detailed instructions, see this link.

Cryptocard Authentication Notes

  • When you use ssh to log in to fulla, just hit Enter if you get the password prompt - do not type in a password. This will cause a cryptocard challenge. If you type in a password, you will get a "Permission denied, please try again" error, followed by another password prompt. Only a blank password will result in a cryptocard challenge.
  • The advantage of using ssh is that X window forwarding lets you open windows from fulla.fnal.gov on your workstation. However, when your ticket expires this stops working. If you remember to renew your ticket before it expires with "kinit -R", the X forwarding will continue to work.

Last Modified 2/06/2008   webmaster@fulla.fnal.gov
Fermi National Accelerator Laboratory