Wilson HPC Computing Facility

Fermilab employs Kerberos to authenticate remote users who want to access computer systems at the lab. This web-page lists Kerberos client installation and usage instructions.

Strong Authentication at Fermilab

Strong authentication is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network.

The Kerberos Network Authentication Service is the network authentication program that implements strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

A user must have a valid kerberos ticket before he can login to a machine. Tickets can be obtained by using the kinit client application on the user's workstation. Tickets expire in 24 hours, but generally can be renewed before expiration for a period of 7 days. Only users who have current (unexpired) kerberos principals issued by Fermilab can obtain kerberos tickets.

Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and if specially built, ssh and slogin. All of these clients can encrypt communications.

All computer users at Fermilab have the responsibility to understand the broad outlines of Fermilab's Policy on Computing, and to comply with the policy.

Please refer to the following web page for more technical details: Introduction to Strong Authentication

Contents


Set-up: Kerberos Software Installation

Many UNIX systems already have kerberos installed. Use "which kinit" to see whether this software is already in your path. If not, check if /usr/krb5 or /usr/kerberos directories exist on your workstation - if so, add /usr/kerberos/bin (or the equivalent for krb5) to the front of your path.

On RedHat Linux systems, you will need to install the following RPM's (versions will vary):

  • krb5-libs
  • krb5-workstation
  • pam_krb5

If kerberos software is already installed on your system, you may need to modify the configuration file so that your machine knows how to contact the Fermilab key servers. The article "The Kerberos Configuration File: krb5.conf" has detailed infomation. If you will only access Fermilab via kerberos, download and save the latest krb5.conf in /etc. If you are already using kerberos to access another site, for example, NCSA, you will need to modify your existing /etc/krb5.conf file as follows:

In the [realms] section, add

   
FNAL.GOV = {
  kdc = krb-fnal-1.fnal.gov:88
  kdc = krb-fnal-2.fnal.gov:88
  kdc = krb-fnal-3.fnal.gov:88
  kdc = krb-fnal-4.fnal.gov:88
  kdc = krb-fnal-5.fnal.gov:88
  kdc = krb-fnal-6.fnal.gov:88
  admin_server = krb-fnal-admin.fnal.gov
  master_kdc = krb-fnal-admin.fnal.gov:88
  default_domain = fnal.gov

WIN.FNAL.GOV = {
  kdc = littlebird.win.fnal.gov:88
  kdc = bigbird.win.fnal.gov:88
  default_domain = fnal.gov
  }
}
	    

In a [domain_realm] section, add

.fnal.gov      = FNAL.GOV
.dhcp.fnal.gov = FNAL.GOV
	    

Connecting: User Authentication using Kerberos

Here is a sample session showing a typical kerberos dialog. johndoe@FNAL.GOV is the kerberos principal. "which rlogin" is used to verify that the kerberized version of rlogin is used (the non-kerberized version will be rejected).

	      
dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:

dalrott:~$ which rlogin
/usr/krb5/bin/rlogin

dalrott:~$ rlogin tev.fnal.gov
This rlogin session is using DES encryption for all data transmissions.

Scientific Linux Fermi SLF release 5.5 (Lederman)
.
.
.
tev:~$
	    

Kerberos Authentication Usage Notes

  • You should only kinit on your local machine, from its console. Don't use kinit over a network connection, since this can expose your kerberos password.
  • You will probably want to request renewable tickets, since tickets expire 24 hours after they are issued/renewed if they are not renewed with "kinit -R". Tickets can be renewed for up to 7 days if you use "kinit -r 7d". The maximum renewable period is 7 days.
  • Use klist to check whether you hold a valid ticket. For example:
      dalrott:/slack/johndoe$ klist
      Ticket cache: /tmp/krb5cc_tty1
      Default principal: johndoe@FNAL.GOV
    
      Valid starting     Expires            Service principal
      05/15/15 15:57:37  05/16/15 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
    		  		

If you are connecting from home via a firewall which uses NAT (network address translation), you'll need to use addressless tickets. The Fermilab version of kerberos will give you addressless tickets if you use the "-n" switch. Other versions of kerberos may use the "-A" switch. Check your man page for kinit or use "kinit --help" to see which switch is supported. With addressless tickets, unfortunately rsh/rcp/rlogin will not work when traversing a NAT. However, telnet and ssh/scp do work. The Fermilab lite version of kerberos for Windows supports addressless tickets. The lite version for Linux currently does not. An unofficial cut of the Linux lite version (use at your own risk) which does support the "-n" switch is available here.


Kerberos for Macintosh

Step 1. Download and install the Kerberos client software. OS X 10.5 and 10.6 comes with Kerberos installed and if that applies to you then skip to the next step. This page has instructions on installing Kerberos on a MAC OS X 10.

Step 2. Configure the Kerberos client. For this either install krb5.conf file from Fermilab (download) or add the FNAL.GOV realm information to an existing /etc/krb5.conf as instructed here. Please note that there maybe two locations and names for the krb5.conf,

 /etc/krb5.conf
   and
 /Library/Preferences/edu.mit.Kerberos
	      

Note: the file in /Library is named edu.mit.Kerberos, not krb5.conf.

Either will work, but you should only have one.

Step 3. Obtaining a valid Kerberos ticket. If you are behind a firewall at home and your OS X version is less than 10.5 then you should request an addressless ticket as follows:

kinit -A -fr 7d johndoe@FNAL.GOV
	      

Verify that you have obtained a valid ticket as follows:

lqcdmac:~$ klist -f
Ticket cache: /tmp/krb5cc_1234
Default principal: johndoe@FNAL.GOV
Valid starting    Expires           Service principal 
08/17/15 09:31:16 08/18/15 11:31:16 krbtgt/FNAL.GOV@FNAL.GOV
renew until 08/24/15 09:31:09, Flags: FRIA
	      

Normal output, indicating that a forwardable, renewable, ticket exists. Check the expiration time - if the current time is past the expiration, login attempts will fail.


Kerberos for Windows

Note: This software is not officially supported by Fermilab but it is known to work in most versions of Windows currently in use.

Follow instructions listed here to download and install Cygwin and add Kerberos support.

Contact: Amitoj Singh
Last modified: Nov 6, 2017