User Authentication using Kerberos
Here is a sample session showing a typical kerberos dialog.
djholm@FNAL.GOV is the kerberos principal. "which ssh"
is used to verify that the kerberized version of
ssh is used (the non-kerberized version will be rejected).
dalrott:~$ kinit -r 7d djholm@FNAL.GOV
Password for djholm@FNAL.GOV:
dalrott:~$ which ssh
/usr/krb5/bin/ssh
dalrott:~$ ssh fulla.fnal.gov
Fermi Linux lts30 INSTALL for Astro via CDROM on Mon Aug 7 11:59:55 CDT 2006
NOTICE TO USERS
.
.
.
fulla:~$
Kerberized version of SSH. If your SSH is not kerberized, you can
download one here:
- ssh.rhes4: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
- ssl_sl5: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped
Kerberos Authentication Usage Notes
If you are connecting from home via a firewall which uses NAT (network address
translation), you'll need to use addressless tickets. The Fermilab version of
kerberos will give you addressless tickets if you use the "-n" switch. Other
versions of kerberos may use the "-A" switch. Check your man page for kinit or
use "kinit --help" to see which switch is supported. With addressless tickets,
unfortunately rsh/rcp/rlogin will not work when traversing a NAT. However,
telnet and ssh/scp do work. The Fermilab lite version of kerberos for
Windows supports addressless tickets. The lite version for Linux currently
does not. An unofficial cut of the Linux lite version (use at your own risk)
which does support the "-n" switch is available here.
User Authentication using Cryptocard
Here's a typical session with a cryptocard:
dalrott:~$ ssh fulla.fnal.gov
login: djholm
Press ENTER and compare this challenge to the one on your display: [00160613]
Enter the displayed response: a37ddb18
Fermi Linux lts30 INSTALL for Astro via CDROM on Mon Aug 7 11:59:55 CDT 2006
NOTICE TO USERS
.
.
.
fulla:~$
In this example, the ssh server on fulla issued a cryptocard
challenge. After turning on an old-style cryptocard and entering a valid
pin, Fermilab is displayed. Hitting ENT displays a
number which (almost always) matches the challenge. Hitting ENT
again displays the response which must be typed at workstation. With the
new-style cryptocards, the challenge is not displayed, only the response. For
detailed instructions, see this
link.
Cryptocard Authentication Notes
- When you use
ssh to login to fulla just hit enter if you get the
password prompt - do not type in a password. This will cause a
cryptocard challenge. If you type in a password, you will get a
"Permission denied, please try again" error, followed by
another password prompt. Only a blank password will result in a
cryptocard challenge.
- The advantage of using
ssh is that X-window forwarding will
allow you to open windows from fulla.fnal.gov on your
workstation. However, when your ticket expires this stops working. If
you remember to renew your ticket before expiration with "kinit
-R" , the X forwarding will continue to work.
|