Wilson HPC Computing Facility

Home

Cluster Status

New Users

User Authentication

Kerberos & SSH Troubleshooting

CPU Cluster: Building code - The Runtime Environment

CPU Cluster: Submitting jobs to the batch system

CPU Cluster: Hardware Details

PHI & GPU Cluster

KNL Cluster

All Clusters: Filesystem Details

All Clusters: Allocated Projects

Strong Authentication at Fermilab

Strong authentication is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network.

The Kerberos Network Authentication Service V5 is the network authentication program that implements strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

Fermilab employs Kerberos to authenticate users who want to access computer systems at the lab. A user must have a valid kerberos ticket before he can login to a machine. Tickets can be obtained by using the kinit client application on the user's workstation, or the user may obtain a ticket during the login process by using a cryptocard. Tickets expire in 24 hours, but generally can be renewed before expiration for a period of 7 days. Only users who have current (unexpired) kerberos principals issued by Fermilab can obtain kerberos tickets.

Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and, if specially built, ssh and slogin. All of these clients can encrypt communications.

All computer users at Fermilab have the responsibility to understand the broad outlines of Fermilab's Policy on Computing, and to comply with the policy.

Please refer to the following web page for more technical details: Introduction to Strong Authentication

Contents

• Set-up: Kerberos Software Installation
• Connecting: User Authentication using Kerberos
• Alternate: User Authentication using Cryptocard
• Kerberos for Macintosh
• Kerberos for Windows

Set-up: Kerberos Software Installation

Many UNIX systems already have kerberos installed. Use "which kinit" to see whether this software is already in your path. If not, check if /usr/krb5 or /usr/kerberos directories exist on your workstation - if so, add /usr/kerberos/bin (or the equivalent for krb5) to the front of your path.

On RedHat Linux systems, you will need to install the following RPM's (versions will vary):

• krb5-libs
• krb5-workstation
• pam_krb5

You may also download kerberos software from Fermilab. "Lite" versions of Linux and Windows clients have been made available. You can download the software here. There is a Windows XP and 7 cygwin client available here. After untarring the Linux version, or unzipping the Windows version, follow the instructions which accompany the software.

If you have an older version of Linux, you can download a statically-linked version of the kerberos clients here. You will also need the latest krb5.conf file. Please click here for more details on installing and using this software.

If kerberos software is already installed on your system, you may need to modify the configuration file so that your machine knows how to contact the Fermilab key servers. If you will only access Fermilab via kerberos, download and save the latest krb5.conf in /etc. If you are already using kerberos to access another site, for example, NCSA, you will need to modify your existing /etc/krb5.conf file as follows:

In the [realms] section, add

   
FNAL.GOV = {
  kdc = krb-fnal-1.fnal.gov:88
  kdc = krb-fnal-2.fnal.gov:88
  kdc = krb-fnal-3.fnal.gov:88
  kdc = krb-fnal-4.fnal.gov:88
  kdc = krb-fnal-5.fnal.gov:88
  kdc = krb-fnal-6.fnal.gov:88
  admin_server = krb-fnal-admin.fnal.gov
  master_kdc = krb-fnal-admin.fnal.gov:88
  default_domain = fnal.gov

WIN.FNAL.GOV = {
  kdc = littlebird.win.fnal.gov:88
  kdc = bigbird.win.fnal.gov:88
  default_domain = fnal.gov
  }
}
	      

In a [domain_realm] section, add

.fnal.gov      = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV
	      

Connecting: User Authentication using Kerberos

Here is a sample session showing a typical kerberos dialog. johndoe@FNAL.GOV is the kerberos principal. "which rlogin" is used to verify that the kerberized version of rlogin is used (the non-kerberized version will be rejected).

	      
dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:

dalrott:~$ which rlogin
/usr/krb5/bin/rlogin

dalrott:~$ rlogin tev.fnal.gov
This rlogin session is using DES encryption for all data transmissions.

Scientific Linux Fermi SLF release 5.5 (Lederman)
.
.
.
tev:~$
	      

Kerberos Authentication Usage Notes

• You should only kinit on your local machine, from its console. Don't use kinit over a network connection, since this can expose your kerberos password.
• You will probably want to request renewable tickets, since tickets expire 24 hours after they are issued/renewed if they are not renewed with "kinit -R" Tickets can be renewed for up to 7 days if you use "kinit -r 7d". The maximum renewable period is 7 days.
• Use klist to check whether you hold a valid ticket. For example:

        dalrott:/slack/johndoe$ klist
        Ticket cache: /tmp/krb5cc_tty1
        Default principal: johndoe@FNAL.GOV
  
        Valid starting     Expires            Service principal
        05/15/15 15:57:37  05/16/15 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
  		  

If you are connecting from home via a firewall which uses NAT (network address translation), you'll need to use addressless tickets. The Fermilab version of kerberos will give you addressless tickets if you use the "-n" switch. Other versions of kerberos may use the "-A" switch. Check your man page for kinit or use "kinit --help" to see which switch is supported. With addressless tickets, unfortunately rsh/rcp/rlogin will not work when traversing a NAT. However, telnet and ssh/scp do work. The Fermilab lite version of kerberos for Windows supports addressless tickets. The lite version for Linux currently does not. An unofficial cut of the Linux lite version (use at your own risk) which does support the "-n" switch is available here.

Alternate: User Authentication using Cryptocard

If kerberos client software isn't available, using a cryptocard is the only other means of accessing Fermilab systems. Cryptocards generate passwords which are only valid for a single use. These cards look like a calculator:

Two styles of cryptocard have been issued by Fermilab, and unfortunately their usage is different. The Computing Division has a good chapter in their kerberos documentation which explains how to use both types of cards.

Here's a typical session with a cryptocard:

dalrott:~$ ssh tev.fnal.gov

login: johndoe
Press ENTER and compare this challenge to the one on your display: [00160613]
Enter the displayed response: a37ddb18

Scientific Linux Fermi SLF release 5.5 (Lederman)

                              NOTICE TO USERS

...

tev:~$ 
	      

In this example, the ssh server on tev.fnal.gov issued a cryptocard challenge. After turning on an old-style cryptocard and entering a valid pin, Fermilab is displayed. Hitting ENT displays a number which (almost always) matches the challenge. Hitting ENT again displays the response which must be typed at workstation. With the new-style cryptocards, the challenge is not displayed, only the response. For detailed instructions, see this link.

Cryptocard Authentication Notes

• When you use ssh to login to tev.fnal.gov just hit enter if you get the password prompt - do not type in a password. This will cause a cryptocard challenge. If you type in a password, you will get a "Permission denied, please try again" error, followed by another password prompt. Only a blank password will result in a cryptocard challenge.
• The advantage of using ssh is that X-window forwarding will allow you to open windows from tev.fnal.gov on your workstation. However, when your ticket expires this stops working. If you remember to renew your ticket before expiration with "kinit -R", the X forwarding will continue to work.

Kerberos for Macintosh

Step 1. Download and install the Kerberos client software. OS X 10.5 and 10.6 comes with Kerberos installed and if that applies to you then skip to the next step. This page has instructions on installing Kerberos on a MAC OS X 10.

Step 2. Configure the Kerberos client. For this either install krb5.conf file from Fermilab (download) or add the FNAL.GOV realm information to an existing /etc/krb5.conf as instructed here. Please note that there maybe two locations and names for the krb5.conf,

 /etc/krb5.conf
   and
 /Library/Preferences/edu.mit.Kerberos
	      

Note: the file in /Library is named edu.mit.Kerberos, not krb5.conf.

Either will work, but you should only have one.

Step 3. Obtaining a valid Kerberos ticket. If you are behind a firewall at home and your OS X version is less than 10.5 then you should request an addressless ticket as follows:

kinit -A -fr 7d johndoe@FNAL.GOV
	      

Verify that you have obtained a valid ticket as follows:

lqcdmac:~$ klist -f
Ticket cache: /tmp/krb5cc_1234
Default principal: johndoe@FNAL.GOV
Valid starting    Expires           Service principal 
08/17/15 09:31:16 08/18/15 11:31:16 krbtgt/FNAL.GOV@FNAL.GOV
renew until 08/24/15 09:31:09, Flags: FRIA
	      

Normal output, indicating that a forwardable, renewable, ticket exists. Check the expiration time - if the current time is past the expiration, login attempts will fail.

Kerberos for Windows

Note: This software is not officially supported by Fermilab but it is known to work in most versions of Windows currently in use.

The easiest way to get Putty working with kerberos on a windows machine is to follow the instructions available on the following webpage: Installing, Configuring, and Using PuTTY+Kerberos Please download and install the following two packages:

• Kerberos for Windows
• Putty

You will also need to download the latest version of krb5.conf and configure it as the settings file for Kerberos.