Many UNIX systems already have Kerberos installed. Run which kinit (or command -v kinit) to see whether the client tools are already in your path. If not, check whether /usr/krb5 or /usr/kerberos exists on your workstation; if so, add /usr/kerberos/bin (or /usr/krb5/bin) to the front of your path.
On Red Hat Linux systems (Mac users have separate instructions), you will need to install the following RPMs (versions will vary):
- krb5-libs
- krb5-workstation
- pam_krb5
If Kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab KDCs (Key Distribution Centers). Copy your OS-specific krb5.conf file into /etc. If you are already using Kerberos to access another site, for example NCSA, do not overwrite that file; instead modify your existing /etc/krb5.conf as follows (realm names are case-sensitive, so keep them upper case exactly as shown):
In the [realms] section, add

    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }

Every KDC entry uses port 88, the standard Kerberos port; a mistyped or truncated port number (for example :8) makes that KDC unreachable and the client silently falls through to the others, or fails entirely if it was the only one.

In the [domain_realm] section, add

    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV
A user must have a valid Kerberos ticket before they can log in to a Fermilab machine. Here is a sample session showing a typical Kerberos dialog to obtain a ticket and then log in. johndoe@FNAL.GOV is the Kerberos principal. You must use a Secure Shell (SSH) client that supports Kerberos to log in remotely; with OpenSSH this means GSSAPI authentication must be enabled (GSSAPIAuthentication yes in ssh_config, or ssh -o GSSAPIAuthentication=yes on the command line).
    dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
    Password for johndoe@FNAL.GOV:
    dalrott:~$ ssh lq.fnal.gov
    Scientific Linux Fermi SLF release 7.7 (Nitrogen)
    NOTICE TO USERS
    This is a Federal computer (and/or it is directly connected to a
    Fermilab local network system) that is the property of the United
    States Government. It is for . . . .
    <---snip--->
    lq:~$
Please note:
- Only run kinit on your local machine, from its console. Your Kerberos password is typed into whichever host runs kinit and travels over whatever path carries your keystrokes to it, so running kinit inside a remote session (for example over a public wireless access point, or on a shared login host) can expose the password. Once you hold a ticket, the password is never sent again; the ticket is what authenticates you to Fermilab machines.
- Request renewable tickets: by default a ticket expires 24 hours after it is issued. A ticket obtained with kinit -r 7d can be extended with kinit -R, but only while it is still valid (an expired ticket cannot be renewed; you must kinit again) and only up to 7 days from the original issue time, which is the maximum renewable period.
- Use klist to check whether you hold a valid ticket and when it expires; klist -s prints nothing and exits with status 0 only if the cache holds a valid ticket, which is convenient in scripts.
- If you are connecting from home behind a firewall that uses NAT (Network Address Translation), you need address-less tickets: an address-bound ticket carries your private address and is rejected when it arrives at the server from the NAT's public address. MIT kinit requests address-less tickets with -A and, in current releases, issues them by default (noaddresses = true in [libdefaults]); Heimdal kinit uses --no-addresses. Check man kinit or kinit --help to see which switch your client supports. The trade-off is that an address-less ticket works from any address, so a copy stolen from your credential cache is equally usable by whoever took it; keep the cache on your own machine and run kdestroy when you are done.
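The install check, the krb5.conf edit and the ticket request above, pulled together as an added example; this is not the page's own code and not a Fermilab-supplied script. It assumes MIT Kerberos command-line flags (kinit -A, klist -s; Heimdal spells these differently), the realm and hosts the page lists, and a hypothetical principal; the function names are ours. The krb5.conf check catches the mistake that is easiest to make when typing the stanza by hand, a KDC entry with a wrong or truncated port, and verifies that the [domain_realm] mapping is present.

```shell
#!/bin/sh
# Added example (not from the Fermilab page): pre-flight checks for the setup
# described above. Realm, hosts and paths are the page's; the function names,
# the hypothetical principal and the temp-file handling are ours.

# 1. Locate kinit: PATH first, then the legacy directories the page mentions.
find_kinit() {
    if command -v kinit >/dev/null 2>&1; then
        command -v kinit
        return 0
    fi
    for d in /usr/kerberos/bin /usr/krb5/bin; do
        if [ -x "$d/kinit" ]; then
            printf '%s\n' "$d/kinit"
            return 0
        fi
    done
    echo "kinit not found: install krb5-workstation or add /usr/kerberos/bin to PATH" >&2
    return 1
}

# 2. Sanity-check the realm stanza in a krb5.conf.  Usage:
#      check_realm_conf /etc/krb5.conf FNAL.GOV fnal.gov
#    Verifies that [realms] has a REALM block with at least one kdc, that every
#    kdc/master_kdc entry names port 88 (a stray ":8" silently breaks the realm),
#    and that [domain_realm] maps DOMAIN (or .DOMAIN) to REALM.
#    Exit status 0 if everything looks right, 1 otherwise (problems are printed).
check_realm_conf() {
    awk -v realm="$2" -v domain="$3" '
        # Track the current [section]; a new section also ends the realm block.
        /^[ \t]*\[/ {
            s = index($0, "["); e = index($0, "]")
            section = substr($0, s + 1, e - s - 1); inblock = 0; next
        }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && /^[ \t]*}/ { inblock = 0; next }
        inblock && ($1 == "kdc" || $1 == "master_kdc") {
            kdcs++
            n = split($3, part, ":")
            port = (n > 1) ? part[n] : "88"     # no :port means the default, 88
            if (port != "88") { printf "bad port in %s = %s\n", $1, $3; bad++ }
        }
        section == "domain_realm" && ($1 == ("." domain) || $1 == domain) && $3 == realm { mapped = 1 }
        END {
            if (kdcs == 0) { printf "no kdc entries for realm %s\n", realm; bad++ }
            if (!mapped)   { printf "no [domain_realm] mapping for %s -> %s\n", domain, realm; bad++ }
            exit (bad ? 1 : 0)
        }' "$1"
}

# 3. Obtain a renewable, address-less ticket and confirm the cache holds it
#    (MIT kinit/klist flags; Heimdal spells address-less as --no-addresses).
#    Run this at the console of your own machine, never inside a remote session,
#    because the password is typed into the host that runs kinit.
get_ticket() {
    principal=$1                    # e.g. johndoe@FNAL.GOV (hypothetical)
    kinit -r 7d -A "$principal" || return 1
    klist -s                        # exit 0 only if the cache holds a valid ticket
}
```

Run check_realm_conf /etc/krb5.conf FNAL.GOV fnal.gov after editing the file; a non-zero exit prints what is wrong. get_ticket prompts for the password, so call it interactively at the console and then ssh as in the sample session.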