Strong Authentication at Fermilab

Strong authentication is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network. The Kerberos Network Authentication Service V5 is the network authentication program that implements strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

Fermilab employs Kerberos to authenticate users who want to access computer systems at the lab. A user must have a valid Kerberos ticket before they can log in to a machine. Tickets can be obtained by using the kinit client application on the user's workstation, or the user may obtain a ticket during the login process by using a cryptocard. Tickets expire in 24 hours, but generally can be renewed before expiration for a period of 7 days. Only users who have current (unexpired) Kerberos principals issued by Fermilab can obtain Kerberos tickets.

Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and, if specially built, ssh and slogin. All of these clients can encrypt communications.

All computer users at Fermilab have the responsibility to understand the broad outlines of Fermilab's Policy on Computing, and to comply with the policy. Please refer to the following web page for more technical details: Introduction to Strong Authentication
Set-up: Kerberos Software Installation

Many UNIX systems already have Kerberos installed. On RedHat Linux systems, you will need to install the following RPMs (versions will vary):
You may also download Kerberos software from Fermilab. "Lite" versions of Linux and Windows clients have been made available. You can download the software here. There is a Windows XP and 7 cygwin client available here. After untarring the Linux version, or unzipping the Windows version, follow the instructions which accompany the software. If you have an older version of Linux, you can download a statically-linked version of the Kerberos clients here. You will also need the latest krb5.conf file. Please click here for more details on installing and using this software.

If Kerberos software is already installed on your system, you may need to modify the configuration file so that your machine knows how to contact the Fermilab key servers. If you will only access Fermilab via Kerberos, download and save the latest krb5.conf. Otherwise, in the [realms] section of your existing krb5.conf, add:

    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }

Note that the FNAL.GOV stanza must be closed before WIN.FNAL.GOV opens; otherwise the second realm is nested inside the first. In the [domain_realm] section, add:

    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV

Connecting: User Authentication using Kerberos

Here is a sample session showing a typical Kerberos dialog.
    dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
    Password for johndoe@FNAL.GOV:
    dalrott:~$ which rlogin
    /usr/krb5/bin/rlogin
    dalrott:~$ rlogin tev.fnal.gov
    This rlogin session is using DES encryption for all data transmissions.
    Scientific Linux Fermi SLF release 5.5 (Lederman)
    . . .
    tev:~$

Kerberos Authentication Usage Notes
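The [realms] and [domain_realm] stanzas above are what the client consults to find a KDC and to decide which realm a host such as tev.fnal.gov belongs to. The following script is an added example, not part of the Fermilab page or its software: it reads a krb5.conf fragment constructed from the values listed above, prints the KDCs of a realm, maps a hostname to its realm by the longest matching [domain_realm] suffix, and checks that the stanza braces balance (the most common editing mistake when adding a second realm is leaving the first one unclosed). The function names and the embedded sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Fermilab page): inspect a krb5.conf [realms] and
# [domain_realm] configuration. KRB5_CONF_SAMPLE is constructed from the values
# the page lists; in real use replace it with the contents of your krb5.conf.

KRB5_CONF_SAMPLE='[realms]
FNAL.GOV = {
    kdc = krb-fnal-1.fnal.gov:88
    kdc = krb-fnal-2.fnal.gov:88
    kdc = krb-fnal-3.fnal.gov:88
    kdc = krb-fnal-4.fnal.gov:88
    kdc = krb-fnal-5.fnal.gov:88
    kdc = krb-fnal-6.fnal.gov:88
    admin_server = krb-fnal-admin.fnal.gov
    master_kdc = krb-fnal-admin.fnal.gov:88
    default_domain = fnal.gov
}
WIN.FNAL.GOV = {
    kdc = littlebird.win.fnal.gov:88
    kdc = bigbird.win.fnal.gov:88
    default_domain = fnal.gov
}

[domain_realm]
.fnal.gov = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV
'

# realm_kdcs REALM: print the kdc entries of REALM, one host:port per line.
realm_kdcs() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v realm="$1" '
        /^\[/ { in_realms = ($0 == "[realms]"); next }      # section header
        !in_realms { next }
        $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}" { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" { print $3 }
    '
}

# host_realm HOST: map HOST to a realm using the longest matching [domain_realm]
# suffix; prints nothing if no suffix matches.
host_realm() {
    printf '%s\n' "$KRB5_CONF_SAMPLE" | awk -v host="$1" '
        /^\[/ { in_dr = ($0 == "[domain_realm]"); next }
        !in_dr || NF < 3 { next }
        {
            n = length($1)
            if (n > best_len && n <= length(host) &&
                substr(host, length(host) - n + 1) == $1) {
                best = $3; best_len = n
            }
        }
        END { if (best != "") print best }
    '
}

# check_braces: succeed only if every "{" in the sample has a matching "}".
check_braces() {
    opens=$(printf '%s' "$KRB5_CONF_SAMPLE" | tr -cd '{' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$KRB5_CONF_SAMPLE" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Stand-alone usage: list the FNAL.GOV KDCs, resolve a host, and check braces.
realm_kdcs FNAL.GOV
host_realm tev.fnal.gov
check_braces && echo "braces balanced" || echo "unbalanced braces in [realms]"
```

Run it as-is to see the six FNAL.GOV KDCs and the realm of tev.fnal.gov; to check a live configuration, set KRB5_CONF_SAMPLE from /etc/krb5.conf before calling the functions.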
If you are connecting from home via a firewall which uses NAT (network address translation), you'll need to use addressless tickets. The Fermilab version of Kerberos will give you addressless tickets if you use the "-n" switch. Other versions of Kerberos may use the "-A" switch. Check your man page for kinit or use

Alternate: User Authentication using Cryptocard

If Kerberos client software isn't available, using a cryptocard is the only other means of accessing Fermilab systems. Cryptocards generate passwords which are only valid for a single use. These cards look like a calculator. Two styles of cryptocard have been issued by Fermilab, and unfortunately their usage is different. The Computing Division has a good chapter in their Kerberos documentation which explains how to use both types of cards. Here's a typical session with a cryptocard:

    dalrott:~$ ssh tev.fnal.gov
    login: johndoe
    Press ENTER and compare this challenge to the one on your display: [00160613]
    Enter the displayed response: a37ddb18
    Scientific Linux Fermi SLF release 5.5 (Lederman)
    NOTICE TO USERS
    ...
    tev:~$

In this example, the ssh server on tev.fnal.gov issued a cryptocard challenge. After turning on an old-style cryptocard and entering a valid pin,

Cryptocard Authentication Notes
Kerberos for Macintosh

Step 1. Download and install the Kerberos client software. OS X 10.5 and 10.6 come with Kerberos installed; if that applies to you, skip to the next step. This page has instructions on installing Kerberos on Mac OS X 10.

Step 2. Configure the Kerberos client. For this, install either /etc/krb5.conf or /Library/Preferences/edu.mit.Kerberos. Either will work, but you should only have one.

Step 3. Obtain a valid Kerberos ticket. If you are behind a firewall at home and your OS X version is less than 10.5, then you should request an addressless ticket as follows:

    kinit -A -fr 7d johndoe@FNAL.GOV

Verify that you have obtained a valid ticket as follows:

    lqcdmac:~$ klist -f
    Ticket cache: /tmp/krb5cc_1234
    Default principal: johndoe@FNAL.GOV
    Valid starting     Expires            Service principal
    08/17/15 09:31:16  08/18/15 11:31:16  krbtgt/FNAL.GOV@FNAL.GOV
            renew until 08/24/15 09:31:09, Flags: FRIA

This is normal output, indicating that a forwardable, renewable ticket exists. Check the expiration time: if the current time is past the expiration, login attempts will fail.

Kerberos for Windows

Note: This software is not officially supported by Fermilab but it is known to work in most versions of Windows currently in use. The easiest way to get PuTTY working with Kerberos on a Windows machine is to follow the instructions available on the following webpage: Installing, Configuring, and Using PuTTY+Kerberos

Please download and install the following two packages:

You will also need to download the latest version of krb5.conf and configure it as the settings file for Kerberos.
The URL for this page is http://wilsonweb.fnal.gov/kerberos.shtml
Contact: Ken Schumacher