Kerberos Software Installation
Many UNIX systems already have Kerberos installed. Run "which kinit" to see
whether the client software is already in your path. If not, check whether
/usr/krb5 or /usr/kerberos exists on your workstation; if so, add
/usr/kerberos/bin (or /usr/krb5/bin) to the front of your path.
On RedHat Linux systems, you will need to install the following
RPMs (versions will vary):
- krb5-libs
- krb5-workstation
- pam_krb5
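As an added example (this is not Fermilab's client software or anything from the page above), the following script automates the check just described: it looks for kinit in the path, then in the two conventional install directories, puts the directory it finds at the front of the path, and compares the installed package list against the three RPMs. The helper names and the use of rpm -qa to list installed packages are this script's own assumptions; the directories and package names are the ones given above.

```shell
#!/bin/sh
# Added example: locate the Kerberos client and report missing RPMs.
# Helper names are this script's own; the directories and package
# names are the ones given in the installation instructions.

REQUIRED_RPMS="krb5-libs krb5-workstation pam_krb5"

# Usage: pick_krb5_bin DIR...  -> print the first DIR holding an executable
# kinit; exit status 1 if none does.
pick_krb5_bin() {
    for d in "$@"; do
        if [ -x "$d/kinit" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Usage: find_krb5_bin -> directory of the kinit already in PATH, else the
# first of /usr/kerberos/bin and /usr/krb5/bin that has one.
find_krb5_bin() {
    path=$(command -v kinit 2>/dev/null)
    if [ -n "$path" ]; then
        dirname "$path"
        return 0
    fi
    pick_krb5_bin /usr/kerberos/bin /usr/krb5/bin
}

# Usage: rpm -qa --qf '%{NAME}\n' | missing_rpms
# Prints the required packages absent from the installed-package list read
# on stdin.  Only package names are compared, so versions do not matter.
missing_rpms() {
    installed=$(cat)
    for p in $REQUIRED_RPMS; do
        printf '%s\n' "$installed" | grep -qx "$p" || echo "$p"
    done
}

if bin=$(find_krb5_bin); then
    case ":$PATH:" in
        *":$bin:"*) ;;                        # already in PATH
        *) PATH="$bin:$PATH"; export PATH ;;  # Kerberos tools go first
    esac
    echo "kinit found in $bin"
else
    echo "kinit not found; install krb5-workstation or the Fermilab lite client" >&2
fi

if command -v rpm >/dev/null 2>&1; then
    missing=$(rpm -qa --qf '%{NAME}\n' | missing_rpms)
    [ -z "$missing" ] || echo "missing RPMs:" $missing
fi
```

Run it once after installing the packages; if it still reports kinit as missing, the binaries are in a directory other than the two checked and you will need to add that directory to your path by hand.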
You may also download Kerberos software from Fermilab. "Lite" versions
of the Linux and Windows clients have been made available. You can
download the software
here.
After untarring the Linux version, or unzipping the Windows version, follow
the instructions that accompany the software.
If you have an older version of Linux, you can download a statically-linked
version of the Kerberos clients
here. You will also need
the krb5.conf file.
Please click here for more details on installing and using this software.
If Kerberos software is already installed on your system, you will need to
modify the configuration file so that your machine knows how to contact the
Fermilab KDCs (key servers). If you will only access Fermilab via Kerberos,
install the Fermilab krb5.conf as /etc/krb5.conf. If you are already using
Kerberos to access another site, for example NCSA, you will need to modify
your existing /etc/krb5.conf file as follows:
- In the [realms] section, add the two stanzas below. Each realm is its own
  stanza: the closing brace of FNAL.GOV must come before "WIN.FNAL.GOV = {",
  otherwise WIN.FNAL.GOV becomes a subsection of the FNAL.GOV entry and is
  not recognized as a realm.
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }
- In the [domain_realm] section, add
    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV
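Editing these stanzas into an existing file by hand is where a stray or missing brace creeps in, so here is an added example that does the merge mechanically. It is not Fermilab's tooling; it assumes a POSIX sh with awk, and its function names are its own. It inserts the FNAL.GOV and WIN.FNAL.GOV stanzas directly after the existing [realms] header and the domain mappings after [domain_realm], appends either section if the file lacks it, keeps a backup, and restores the backup if the result has unbalanced braces.

```shell
#!/bin/sh
# Added example (not Fermilab's own tooling): merge the FNAL.GOV realm
# into an existing krb5.conf without disturbing other realms, and check
# the result before kinit is tried.  Realm and KDC names are the ones
# from the instructions above; helper names are this script's own.

FNAL_REALM_STANZA='    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }'

FNAL_DOMAIN_LINES='    .fnal.gov = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV'

# Usage: krb5_has_realm FILE REALM -> true if REALM already opens a stanza.
krb5_has_realm() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*$re[[:space:]]*=[[:space:]]*[{]" "$1"
}

# Usage: krb5_insert_after FILE SECTION TEXT
# Print FILE with TEXT inserted right after the [SECTION] header, or with a
# new [SECTION] appended when the file has none.
krb5_insert_after() {
    awk -v sec="[$2]" -v text="$3" '
        { line = $0; gsub(/[[:space:]]/, "", line); print }
        line == sec && !done { print text; done = 1 }
        END { if (!done) { print ""; print sec; print text } }
    ' "$1"
}

# Usage: krb5_braces_balanced FILE -> true if "{" and "}" counts match.
krb5_braces_balanced() {
    [ "$(tr -cd '{' < "$1" | wc -c)" -eq "$(tr -cd '}' < "$1" | wc -c)" ]
}

# Usage: krb5_add_fnal FILE -> rewrite FILE in place, keeping FILE.bak.
krb5_add_fnal() {
    f=$1
    if krb5_has_realm "$f" FNAL.GOV; then
        echo "FNAL.GOV already configured in $f" >&2
        return 0
    fi
    cp "$f" "$f.bak"
    krb5_insert_after "$f" realms "$FNAL_REALM_STANZA" > "$f.tmp"
    krb5_insert_after "$f.tmp" domain_realm "$FNAL_DOMAIN_LINES" > "$f"
    rm -f "$f.tmp"
    if ! krb5_braces_balanced "$f"; then
        echo "unbalanced braces in $f, restoring $f.bak" >&2
        cp "$f.bak" "$f"
        return 1
    fi
}

if [ $# -eq 1 ]; then
    krb5_add_fnal "$1" && echo "updated $1; verify with: kinit user@FNAL.GOV && klist"
fi
```

Run it as root with /etc/krb5.conf as the argument, then confirm with kinit and klist that a ticket for FNAL.GOV is issued; a typo in a KDC name shows up at that point as a "cannot contact any KDC" error rather than silently.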
SSH with Kerberos Support
The ssh distributed as part of the Fermi Linux distributions is the
Kerberos-enabled SSH needed to connect to the Fermilab LQCD cluster head nodes.
If you are using a distribution of Linux which doesn't include Kerberos-enabled SSH, download one of the following SSH builds and use it to connect to the LQCD cluster head nodes:
- ssh.rhes4: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
- ssh_sl5: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped
If you are still unable to install an SSH client for your distribution of Linux, please email us at lqcd-admin@fnal.gov.
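The page says nothing about configuring a stock OpenSSH client, so the following is an added example rather than Fermilab's software: it appends a Host stanza for the head node to ~/.ssh/config if one is not already there, and checks the effective client configuration with ssh -G (available in OpenSSH 6.8 and later). The stanza contents, the helper names, and the assumption that ssh is an OpenSSH build with GSSAPI support are this example's own.

```shell
#!/bin/sh
# Added example: point a stock OpenSSH client at the LQCD head node with
# Kerberos (GSSAPI) authentication.  Not Fermilab's tooling; the stanza
# and helper names are this script's assumptions.

LQCD_HOST=lqcd.fnal.gov

# The Host stanza this script manages.  GSSAPIDelegateCredentials stays off:
# turning it on hands a forwardable copy of your TGT to the head node, so
# enable it only when you actually need your ticket there.
lqcd_stanza() {
    cat <<EOF

Host $LQCD_HOST
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    ForwardX11 yes
EOF
}

# Usage: ensure_lqcd_stanza CONFIG_FILE
# Append the stanza unless CONFIG_FILE already has a Host line for the head
# node; create the file (mode 600, as ssh expects) if it does not exist.
ensure_lqcd_stanza() {
    cfg=$1
    if [ -f "$cfg" ] && grep -q "^Host[[:space:]]\{1,\}$LQCD_HOST" "$cfg"; then
        return 0
    fi
    mkdir -p "$(dirname "$cfg")"
    lqcd_stanza >> "$cfg"
    chmod 600 "$cfg"
}

# Usage: ssh -G lqcd.fnal.gov | gssapi_enabled
# True if the effective client config enables GSSAPI authentication.  A
# client built without GSSAPI prints "no" or no such line at all.
gssapi_enabled() {
    grep -qx 'gssapiauthentication yes'
}

if [ "${1:-}" = check ] && command -v ssh >/dev/null 2>&1; then
    ensure_lqcd_stanza "$HOME/.ssh/config"
    if ssh -G "$LQCD_HOST" | gssapi_enabled; then
        echo "GSSAPI authentication is on for $LQCD_HOST; run kinit, then ssh $LQCD_HOST"
    else
        echo "this ssh does not enable GSSAPI for $LQCD_HOST; use the Fermi Linux ssh or one of the builds listed above" >&2
        exit 1
    fi
fi
```

Run it with the single argument "check". If ssh -G reports GSSAPI as off even after the stanza is in place, the client was built without Kerberos support and one of the binaries listed above is the way forward.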
User Authentication using Kerberos
Here is a sample session showing a typical Kerberos dialog.
djholm@FNAL.GOV is the Kerberos principal; "kinit -r 7d" obtains a ticket that
can be renewed for up to seven days. "which rlogin" is used to verify that the
kerberized version of rlogin is used (the non-kerberized version will be rejected).
dalrott:~$ kinit -r 7d djholm@FNAL.GOV
Password for djholm@FNAL.GOV:
dalrott:~$ which rlogin
/usr/krb5/bin/rlogin
dalrott:~$ rlogin lqcd.fnal.gov
This rlogin session is using DES encryption for all data transmissions.
Scientific Linux Fermi LTS release 4.4 (Wilson)
.
.
.
lqcd:~$
Kerberos Authentication Usage Notes
If you are connecting from home via a firewall which uses NAT (network address
translation), you'll need to use addressless tickets: a ticket that carries
your private address will not match the public address the Fermilab servers
see. The Fermilab version of kinit gives you addressless tickets if you use
the "-n" switch; other versions use the "-A" switch. Check your man page for
kinit or use "kinit --help" to see which switch is supported. (In current MIT
Kerberos releases "-n" requests an anonymous ticket, not an addressless one;
use "-A" there, or put "noaddresses = true" in the [libdefaults] section of
krb5.conf.) With addressless tickets, unfortunately rsh/rcp/rlogin will not
work when traversing a NAT. However, telnet and ssh/scp do work. The Fermilab
lite version of Kerberos for Windows supports addressless tickets. The lite
version for Linux currently does not. An unofficial cut of the Linux lite
version (use at your own risk) which does support the "-n" switch is available
here.
User Authentication using Cryptocard
Cryptocards generate passwords which are only valid for a single use. If
Kerberos client software isn't available, using a cryptocard is the only other
means of accessing Fermilab systems. These cards look like a small calculator.
Two styles of cryptocard have been issued by Fermilab, and unfortunately their
usage is different. The Computing Division has a good chapter in their
Kerberos documentation which explains how to use both types of cards.
Here's a typical session with a cryptocard:
dalrott:~$ ssh lqcd.fnal.gov
login: djholm
Press ENTER and compare this challenge to the one on your display: [00160613]
Enter the displayed response: a37ddb18
Scientific Linux Fermi LTS release 4.4 (Wilson)
NOTICE TO USERS
...
lqcd:~$
In this example, the ssh server on lqcd issued a cryptocard
challenge. After turning on an old-style cryptocard and entering a valid
PIN, "Fermilab" is displayed. Pressing ENT displays a
number which (almost always) matches the challenge; compare the two before
going on. Pressing ENT again displays the response, which must be typed at
the workstation. With the new-style cryptocards, the challenge is not
displayed, only the response. For detailed instructions, see this
link.
Cryptocard Authentication Notes
- When you use ssh to log in to lqcd, just press Enter if you get the
password prompt - do not type in a password. This will cause a
cryptocard challenge. If you type in a password, you will get a
"Permission denied, please try again" error, followed by
another password prompt. Only a blank password will result in a
cryptocard challenge.
- The advantage of using ssh is that X-window forwarding will
allow you to open windows from lqcd.fnal.gov on your
workstation. However, when your ticket expires this stops working. If
you remember to renew your ticket before expiration with "kinit -R",
the X forwarding will continue to work. Renewal only succeeds while the
ticket is still valid and within the renewable lifetime requested with
"kinit -r" (seven days in the sample session above).
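Two of the notes above (which addressless switch the local kinit takes, and renewing with "kinit -R" before the ticket expires) come together in the following added example. It is not Fermilab's software: the helper names, the renewal policy, and the assumption that klist prints MIT-style "MM/DD/YYYY HH:MM:SS" columns with a "renew until" line under the krbtgt entry are this script's own.

```shell
#!/bin/sh
# Added example: decide which addressless switch the local kinit takes and
# renew a ticket while it is still renewable.  Not Fermilab's software;
# helper names, the klist output format assumed (MIT "MM/DD/YYYY HH:MM:SS"
# columns) and the renewal policy are this script's own.

# Usage: addressless_flag HELP_TEXT -> "-A" or "-n", whichever the usage
# text offers (nothing if neither).  -A wins when both appear, because in
# current MIT Kerberos -n means "anonymous", not "addressless".
addressless_flag() {
    case $1 in
        *-A*) printf '%s\n' "-A" ;;
        *-n*) printf '%s\n' "-n" ;;
    esac
}

# Usage: klist | ticket_state "YYYY-MM-DD HH:MM:SS"
# Prints none | expired | renewable | valid for the TGT (krbtgt/...) entry.
# Times are compared as ISO strings, so NOW must be local time, e.g.
# "$(date '+%Y-%m-%d %H:%M:%S')".
ticket_state() {
    awk -v now="$1" '
    function iso(d, t,    p) {                  # MM/DD/YYYY HH:MM:SS -> ISO
        split(d, p, "/")
        if (length(p[3]) == 2) p[3] = "20" p[3]  # older klist prints %y
        return p[3] "-" p[1] "-" p[2] " " t
    }
    $5 ~ /^krbtgt\// && expires == "" { expires = iso($3, $4); intgt = 1; next }
    intgt && $1 == "renew" && $2 == "until" { renew = iso($3, $4); intgt = 0; next }
    { intgt = 0 }
    END {
        if (expires == "")                   print "none"
        else if (now >= expires)             print "expired"
        else if (renew != "" && now < renew) print "renewable"
        else                                 print "valid"
    }'
}

# Run kinit -R while the ticket is still renewable; say what to do otherwise.
# Suitable for an hourly cron job or a hook run before ssh.
refresh_ticket() {
    state=$(klist 2>/dev/null | ticket_state "$(date '+%Y-%m-%d %H:%M:%S')")
    case $state in
        renewable) kinit -R ;;
        valid)     echo "ticket valid but its renewable life is over; run kinit before it expires" >&2 ;;
        *)         echo "no usable ticket ($state); run kinit again" >&2; return 1 ;;
    esac
}

case ${1:-} in
    flag)    addressless_flag "$(kinit --help 2>&1)" ;;
    refresh) refresh_ticket ;;
esac
```

"flag" prints the switch to add to your kinit command line; "refresh" is the piece to schedule. Note that once the renewable life (the -r value) is used up, kinit -R fails and you must authenticate again with your password, which is why the script distinguishes "valid" from "renewable" instead of blindly running kinit -R.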