Strong Authentication at Fermilab
Strong authentication is a form of computer security in
which the identities of networked users, clients and servers are
verified without transmitting passwords over the network.
The Kerberos Network Authentication Service V5 is the
network authentication program that implements strong authentication.
In addition to establishing identity (authentication), it supports
encrypted network connections, thereby providing confidentiality.
Fermilab employs Kerberos to authenticate users who want to access
computer systems at the lab. A user must have a valid Kerberos ticket
before they can log in to a machine. Tickets can be obtained by running
the kinit client on the user's workstation, or during the login process
by using a cryptocard. Tickets expire after 24 hours, but can generally be
renewed (with kinit -R) before they expire, for up to 7 days. Only users
who hold a current (unexpired) Kerberos principal issued by Fermilab can
obtain Kerberos tickets.
Kerberos clients include telnet, ftp, rsh, rcp, rlogin,
and, if specially built, ssh and slogin. All of these clients can
encrypt communications.
All computer users at Fermilab have the responsibility
to understand the broad outlines of Fermilab's
Policy on Computing, and to comply with the policy.
Please refer to the following web page for more technical details:
Introduction to Strong Authentication.
Step 1. Kerberos Software Installation
Many UNIX systems already have Kerberos installed. Use which kinit
to see whether this software is already in your path. If not, check
whether the /usr/krb5 or /usr/kerberos directory exists on your
workstation; if so, add /usr/kerberos/bin (or /usr/krb5/bin) to the
front of your path.
On Red Hat Linux systems you will need to install the following RPMs
(versions will vary); Mac and Windows users should see the Kerberos for
Macintosh and Kerberos for Windows sections below:
- krb5-libs
- krb5-workstation
- pam_krb5
You may also download Kerberos software from Fermilab. "Lite" versions
of the Linux and Windows clients are available for download. After
untarring the Linux version, or unzipping the Windows version, follow the
instructions that accompany the software.
If Kerberos software is already installed on your system, you will need
to modify the configuration file so that your machine knows how to
contact the Fermilab key servers (KDCs). If Fermilab is the only site you
access via Kerberos, install Fermilab's krb5.conf as /etc/krb5.conf.
If you are already using Kerberos to access another site, for example
NCSA, you will need to modify your existing /etc/krb5.conf file as
follows:
- In the [realms] section, add:

    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }

- In the [domain_realm] section, add:

    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV

Because krb5.conf determines which KDCs your machine will trust, take
these hostnames only from Fermilab's official page and keep the file
owned by and writable only by root.
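The realm and domain_realm merge just described, as an added example that is not Fermilab's own tooling: a small Python script that parses the krb5.conf stanza syntax ([section] headers, key = value lines, and REALM = { ... } blocks in which keys such as kdc repeat), appends the FNAL.GOV and WIN.FNAL.GOV realms and the .fnal.gov mappings only when they are missing, and prints the merged file for review. The pre-existing NCSA configuration and its kerberos.ncsa.edu hostname are constructed for the example; the Fermilab entries are the ones listed above.

```python
"""Add the Fermilab realms to an existing krb5.conf without clobbering other realms.

Added example, not Fermilab's own tooling. Parses krb5.conf stanza syntax,
appends the FNAL.GOV / WIN.FNAL.GOV realms and [domain_realm] mappings from
the page only if absent (idempotent), and prints the merged file.
"""
import re
import sys
from typing import Dict, List, Tuple

# Realm entries exactly as listed on the page.
FNAL_REALMS = [
    ("FNAL.GOV", [("kdc", f"krb-fnal-{n}.fnal.gov:88") for n in range(1, 7)] + [
        ("admin_server", "krb-fnal-admin.fnal.gov"),
        ("master_kdc", "krb-fnal-admin.fnal.gov:88"),
        ("default_domain", "fnal.gov")]),
    ("WIN.FNAL.GOV", [("kdc", "littlebird.win.fnal.gov:88"),
                      ("kdc", "bigbird.win.fnal.gov:88"),
                      ("default_domain", "fnal.gov")]),
]
FNAL_DOMAIN_REALM = [(".fnal.gov", "FNAL.GOV"), (".dhcp.fnal.gov", "FNAL.GOV")]

# Constructed sample of a pre-existing config for another site (hostname invented).
SAMPLE_NCSA_CONF = """\
[libdefaults]
    default_realm = NCSA.EDU

[realms]
    NCSA.EDU = {
        kdc = kerberos.ncsa.edu
        admin_server = kerberos.ncsa.edu
    }

[domain_realm]
    .ncsa.edu = NCSA.EDU
"""

Entries = List[Tuple[str, object]]   # value is a str, or a nested Entries for { } blocks


def parse_krb5_conf(text: str) -> Dict[str, Entries]:
    """Parse krb5.conf into {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections: Dict[str, Entries] = {}
    stack: List[Entries] = []          # innermost open block is last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: [section] inside an open {{ }} block")
            stack = [sections.setdefault(header.group(1), [])]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: entry before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched }}")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        if value == "{":                            # start of a nested block, e.g. REALM = {
            block: Entries = []
            stack[-1].append((key, block))
            stack.append(block)
        else:
            stack[-1].append((key, value))
    if len(stack) > 1:
        raise ValueError("unterminated { } block at end of file")
    return sections


def dump_krb5_conf(sections: Dict[str, Entries]) -> str:
    """Serialize back to krb5.conf text (inverse of parse_krb5_conf)."""
    out: List[str] = []

    def emit(entries: Entries, depth: int) -> None:
        pad = "    " * depth
        for key, value in entries:
            if isinstance(value, list):
                out.append(f"{pad}{key} = {{")
                emit(value, depth + 1)
                out.append(f"{pad}}}")
            else:
                out.append(f"{pad}{key} = {value}")

    for name, entries in sections.items():
        out.append(f"[{name}]")
        emit(entries, 1)
        out.append("")
    return "\n".join(out)


def add_fnal_realms(sections: Dict[str, Entries]) -> Dict[str, Entries]:
    """Append the Fermilab realms and domain mappings that are not already present."""
    realms = sections.setdefault("realms", [])
    present = {key for key, _ in realms}
    for name, entries in FNAL_REALMS:
        if name not in present:
            realms.append((name, list(entries)))
    domain_realm = sections.setdefault("domain_realm", [])
    present = {key for key, _ in domain_realm}
    for domain, realm in FNAL_DOMAIN_REALM:
        if domain not in present:
            domain_realm.append((domain, realm))
    return sections


if __name__ == "__main__":
    # Usage: python merge_krb5.py /etc/krb5.conf > krb5.conf.new ; review, then install as root.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NCSA_CONF
    sys.stdout.write(dump_krb5_conf(add_fnal_realms(parse_krb5_conf(source))))
```

Run it against your current file, diff the output against the original, and only then copy it into place as root; running it a second time on the merged file adds nothing, so it is safe to re-run after Fermilab publishes a new KDC list (the entries in FNAL_REALMS would need updating by hand).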
Step 2. User Authentication using Kerberos
NOTE: If you ordered a cryptocard and plan to use it instead of a
locally obtained Kerberos ticket when you connect with rlogin, telnet
or SSH, go to Step 3.
Fermilab employs Kerberos to authenticate users who want to access
computer systems at the lab. A user must have a valid Kerberos ticket
before they can log in to a machine. Here is a sample session showing a
typical Kerberos dialog to obtain a ticket. djholm@FNAL.GOV is the
Kerberos principal, and -r 7d asks for a ticket that can be renewed for
7 days. which rlogin is used to verify that the Kerberized version of
rlogin will be used (a non-Kerberized rlogin will be rejected by the
server). You may also use Secure Shell (an SSH built with Kerberos
support) to log in remotely; separate SSH troubleshooting notes are
available in case there are errors.

    dalrott:~$ kinit -r 7d djholm@FNAL.GOV
    Password for djholm@FNAL.GOV:
    dalrott:~$ which rlogin
    /usr/krb5/bin/rlogin
    dalrott:~$ rlogin lqcd.fnal.gov
    This rlogin session is using DES encryption for all data transmissions.
    Scientific Linux Fermi LTS release 4.4 (Wilson)
    . . .
    lqcd:~$
Step 3. User Authentication using Cryptocard
NOTE: This section only applies to you if you ordered a cryptocard and
plan to use it instead of a locally obtained Kerberos ticket when you
connect with rlogin, telnet or SSH.
Cryptocards generate one-time passwords, each valid for a single use.
If Kerberos client software isn't available, a cryptocard is the only
other means of accessing Fermilab systems. These cards look like a
calculator.
Two styles of cryptocard have been issued by Fermilab, and unfortunately
their usage differs. The Computing Division has a good chapter in its
Kerberos documentation which explains how to use both types of cards.
Here's a typical session with a cryptocard:

    dalrott:~$ ssh lqcd.fnal.gov
    login: djholm
    Press ENTER and compare this challenge to the one on your display: [00160613]
    Enter the displayed response: a37ddb18
    Scientific Linux Fermi LTS release 4.4 (Wilson)
    NOTICE TO USERS
    ...
    lqcd:~$
In this example, the ssh server on lqcd issued a cryptocard challenge.
After turning on an old-style cryptocard and entering a valid PIN, the
word Fermilab is displayed. Pressing ENT displays a number which (almost
always) matches the challenge. Pressing ENT again displays the response,
which must be typed at the workstation. With the new-style cryptocards,
the challenge is not displayed, only the response. For detailed
instructions, see the Computing Division's Kerberos documentation.
Please note:
- When you use ssh to log in to lqcd.fnal.gov, just hit Enter if you get
the password prompt; do not type in a password. This will cause a
cryptocard challenge. If you type in a password, you will get a
"Permission denied, please try again" error, followed by another
password prompt. Only a blank password will result in a cryptocard
challenge.
- The advantage of using ssh is that X-window forwarding will allow you
to open windows from lqcd.fnal.gov on your workstation. However, when
your ticket expires this stops working. If you remember to renew your
ticket before expiration with kinit -R, the X forwarding will continue
to work.
Kerberos for Macintosh
Step 1. Download and install the Kerberos client software. OS X 10.5
and 10.6 come with Kerberos installed; if that applies to you, skip to
the next step. Instructions for installing Kerberos on earlier Mac OS X
versions are available separately.
Step 2. Configure the Kerberos client. Either install the krb5.conf
file from Fermilab (download) or add the FNAL.GOV realm information to
an existing /etc/krb5.conf as described in Step 1 of the UNIX
instructions above.
Please note that there may be two locations and names for the Kerberos
configuration file: /etc/krb5.conf and
/Library/Preferences/edu.mit.Kerberos. Note that the file in /Library is
named edu.mit.Kerberos, not krb5.conf. Either will work, but you should
only have one.
Step 3. Obtain a valid Kerberos ticket. If you are behind a firewall or
NAT router at home and your OS X version is earlier than 10.5, you
should request an addressless ticket as follows (-A omits client
addresses from the ticket, which would otherwise fail to match after
address translation; -f makes it forwardable and -r 7d renewable for
7 days):

    kinit -A -fr 7d username@FNAL.GOV

Verify that you have obtained a valid ticket as follows:

    lqcdmac:~$ klist -f
    Ticket cache: /tmp/krb5cc_1234
    Default principal: username@FNAL.GOV

    Valid starting     Expires            Service principal
    08/17/10 09:31:16  08/18/10 11:31:16  krbtgt/FNAL.GOV@FNAL.GOV
            renew until 08/24/10 09:31:09, Flags: FRIA

This is normal output, indicating that a forwardable, renewable ticket
exists. Check the expiration time: if the current time is past the
expiration, login attempts will fail.
Kerberos for Windows
Note: This software is not officially supported by Fermilab, but it is
known to work on all versions of Windows.
Option 1 (works on most recent versions of Windows). Follow the separate
instructions to download and install Cygwin and add Kerberos support.
Option 2 (works on most older versions of Windows). Download and install
Kerberos for Windows, then use the exe files from the uncompressed
PuTTY-0.58-GSSAPI-2005-07-24.zip file (Kerberos for Windows and PuTTY
downloads). You will also need to download the latest version of
krb5.conf and configure it as the settings file for Kerberos. Please
follow the instructions on the page "Installing, Configuring, and Using
PuTTY+Kerberos" to set up PuTTY.