
Fermilab employs Kerberos to authenticate remote users who want to access computer systems at the lab, and this web page lists Kerberos client installation and usage instructions.

Strong Authentication at Fermilab

Strong authentication is a form of computer security in which the identities of networked users, clients and servers are verified without transmitting passwords over the network.

The Kerberos Network Authentication Service V5 is the network authentication program that implements strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

Fermilab employs Kerberos to authenticate users who want to access computer systems at the lab. A user must have a valid Kerberos ticket before he can log in to a machine. Tickets can be obtained by using the kinit client application on the user's workstation, or the user may obtain a ticket during the login process by using an RSA SecurID. Tickets expire in 24 hours, but generally can be renewed before expiration for a period of 7 days. Only users who have current (unexpired) Kerberos principals issued by Fermilab can obtain Kerberos tickets.

Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and, if specially built, ssh and slogin. All of these clients can encrypt communications.

All computer users at Fermilab have the responsibility to understand the broad outlines of Fermilab's Policy on Computing, and to comply with the policy.

Please refer to the following web page for more technical details: Introduction to Strong Authentication

Step 1. Kerberos Software Installation

Many UNIX systems already have Kerberos installed. Run which kinit to see whether this software is already in your path. If not, check whether the /usr/krb5 or /usr/kerberos directory exists on your workstation; if so, add /usr/kerberos/bin (or the equivalent for krb5) to the front of your path.

On RedHat Linux systems (Mac users: read this), you will need to install the following RPMs (versions will vary):

  • krb5-libs
  • krb5-workstation
  • pam_krb5

If Kerberos software is already installed on your system, you will need to modify the configuration file so that your machine knows how to contact the Fermilab key servers. If you will only access Fermilab via Kerberos, copy your OS-specific krb5.conf file into /etc. If you are already using Kerberos to access another site, for example NCSA, you will need to modify your existing /etc/krb5.conf file as follows:

  • In the [realms] section, add
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }

    WIN.FNAL.GOV = {
        kdc = littlebird.win.fnal.gov:88
        kdc = bigbird.win.fnal.gov:88
        default_domain = fnal.gov
    }
  • In a [domain_realm] section, add
    .fnal.gov      = FNAL.GOV
    .dhcp.fnal.gov = FNAL.GOV
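To confirm that a merged krb5.conf actually carries the FNAL.GOV entries above before you try kinit, here is an added check (example code written for this page, not Fermilab's own tooling). It parses only the krb5.conf subset shown here ([section] headers, repeatable key = value lines and REALM = { ... } blocks), and the file it inspects is a constructed sample of another site's configuration with the Step 1 entries merged in.

```python
# Constructed sample: another site's (NCSA) krb5.conf with the Step 1 FNAL.GOV entries merged in.
SAMPLE_KRB5_CONF = """\
[realms]
    NCSA.EDU = {
        kdc = kerberos.ncsa.edu
    }
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        master_kdc = krb-fnal-admin.fnal.gov:88
        default_domain = fnal.gov
    }
[domain_realm]
    .ncsa.edu = NCSA.EDU
    .fnal.gov = FNAL.GOV
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset on this page: [section], key = value, REALM = { ... }."""
    conf, section, block = {}, None, None
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())  # strip comments
    for line in filter(None, lines):                                    # skip blank lines
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None                      # end of a REALM = { ... } block
        elif line.endswith("{"):
            block = line.split("=")[0].strip()
            conf[section][block] = {}
        else:                                 # key = value; keys may repeat (kdc)
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_fnal_realm(conf):
    """Return the Step 1 entries the file lacks; an empty list means it is ready."""
    missing = []
    realm = conf.get("realms", {}).get("FNAL.GOV", {})
    if not any(k.startswith("krb-fnal-") for k in realm.get("kdc", [])):
        missing.append("realms/FNAL.GOV/kdc")
    for key in ("admin_server", "master_kdc", "default_domain"):
        if key not in realm:
            missing.append("realms/FNAL.GOV/" + key)
    if conf.get("domain_realm", {}).get(".fnal.gov") != ["FNAL.GOV"]:
        missing.append("domain_realm/.fnal.gov")
    return missing
```

Run it against your real file with check_fnal_realm(parse_krb5_conf(open("/etc/krb5.conf").read())); anything it lists is an entry kinit will not be able to use to find the Fermilab KDCs.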

Step 2. User Authentication using Kerberos

NOTE: If you ordered an RSA SecurID and plan to use it in lieu of rlogin, telnet or SSH, then go to Step 3.

A user must have a valid Kerberos ticket before he can log in to a machine at the lab. Here is a sample session showing a typical Kerberos dialog to obtain a ticket. johndoe@FNAL.GOV is the Kerberos principal, and which rlogin is used to verify that the kerberized version of rlogin is the one on your path (the non-kerberized version will be rejected). You may also use Secure Shell (an SSH that supports Kerberos) to log in remotely; SSH troubleshooting notes can be found here in case there are errors.

dalrott:~$ kinit -r 7d johndoe@FNAL.GOV
Password for johndoe@FNAL.GOV:

dalrott:~$ which rlogin

dalrott:~$ rlogin lqcd.fnal.gov

This rlogin session is using DES encryption for all data transmissions.
Scientific Linux Fermi SLF release 5.7 (Lederman)

Please note:

  • You should only kinit on your local machine, from its console. Don't use kinit over a network connection, since this can expose your Kerberos password.
  • You will probably want to request renewable tickets: a ticket expires 24 hours after it is issued (or last renewed) unless it is renewed with kinit -R, and a ticket requested with kinit -r 7d can be renewed for up to 7 days, which is the maximum renewable period.
  • Use klist to check whether you hold a valid ticket. For example:
    dalrott:/slack/johndoe$ klist
    Ticket cache: /tmp/krb5cc_tty1
    Default principal: johndoe@FNAL.GOV
    Valid starting Expires Service principal
    05/15/12 15:57:37 05/16/12 17:57:37 krbtgt/FNAL.GOV@FNAL.GOV
  • If you are connecting from home via a firewall which uses NAT (network address translation), you'll need to use addressless tickets. The Fermilab version of kerberos will give you addressless tickets if you use the -n switch. Other versions of kerberos may use the -A switch. Check your man page for kinit or use kinit --help to see which switch is supported. With addressless tickets, unfortunately rsh/rcp/rlogin will not work when traversing a NAT. However, telnet and ssh/scp do work. An unofficial cut of the Linux lite version (use at your own risk) which does support the -n switch is available here.

Step 3. User Authentication using RSA SecurID

NOTE: This section only applies to you if you ordered or plan to order an RSA SecurID and will use it in lieu of Kerberos. This also applies in cases where you are unable to get Kerberos clients (such as kinit, klist etc.) to work or are unable to use an SSH that supports Kerberos authentication.

Before RSA SecurIDs, Fermilab issued CryptoCards, which are no longer supported. If you need a replacement card, i.e. an RSA SecurID (Figure 1), please email us at lqcd-admin@fnal.gov with your username and physical mailing address and we will request an RSA SecurID on your behalf.

Fermilab currently supports two types of token generators:

  • the physical token generator (Figure 1)
  • the RSA SecurID app from the Apple App Store, which you can download and install on your iOS device

When your RSA token request is fulfilled by the Fermilab Service Desk, you will be asked to set up a PIN for the token generator(s) and will also be provided with a web link that imports the token into the RSA SecurID app on your iOS device. Once set up with your token generator(s), SSH to the machine fnalu.fnal.gov using your assigned username. You will be prompted for a PASSCODE; the number to enter is your PIN followed by the token code (PIN+TokenCode). For example, if your PIN is 1234 and the token code displayed on the token generator is 279 920, the PASSCODE is 1234279920.

Once logged into fnalu.fnal.gov you will execute kinit to obtain a valid Kerberos ticket and then SSH to any LQCD machine that you need access to.

Figure 1. RSA SecurID token generator

We highly recommend using Kerberos clients and an SSH that supports Kerberos whenever possible. If you need any help setting this up, please email us at lqcd-admin@fnal.gov or visit the following pages on installation or troubleshooting for more information.

Kerberos for Macintosh

Step 1. Download and install the Kerberos client software. OS X 10.5 and 10.6 come with Kerberos installed; if that applies to you, skip to the next step. This page has instructions on installing Kerberos on a Mac OS X 10.

Step 2. Configure the Kerberos client. For this, either copy the krb5.conf file from Fermilab (download) or add the FNAL.GOV realm information to an existing /etc/krb5.conf as instructed here. Please note that there may be two locations and names for the krb5.conf file: one under /etc and one under /Library.

Note: the file in /Library is named edu.mit.Kerberos, not krb5.conf.

Either will work, but you should only have one. Updated 10/11/2012: Several Mac OS X 10.6.8 users have reported that only the /etc/krb5.conf file worked for them.

Step 3. Obtaining a valid Kerberos ticket. If you are behind a firewall at home and your OS X version is less than 10.5 then you should request an addressless ticket as follows:

kinit -A -fr 7d username@FNAL.GOV

Verify that you have obtained a valid ticket as follows:

lqcdmac:~$ klist -f
Ticket cache: /tmp/krb5cc_1234
Default principal: username@FNAL.GOV
Valid starting Expires Service principal
08/17/12 09:31:16 08/18/12 11:31:16 krbtgt/FNAL.GOV@FNAL.GOV
renew until 08/24/12 09:31:09, Flags: FRIA

This is normal output, indicating that a forwardable, renewable ticket exists. Check the expiration time: if the current time is past the expiration, login attempts will fail.
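To make the "check the expiration time" step concrete, both for the klist note in Step 2 above and for the klist -f output here, the following added example (written for this page, not Fermilab's or MIT's code) parses klist -f output and reports whether the FNAL.GOV ticket-granting ticket is still valid, expired but still inside its renew-until window (so kinit -R works), or expired for good. The sample output is constructed to match the transcript above, and the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Flag letters (klist -f): F forwardable, R renewable, I initial, A preauthenticated.
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)")
RENEW_RE = re.compile(rf"renew until ({TS})")
FLAGS_RE = re.compile(r"Flags: (\w+)")

# Constructed sample, laid out like the klist -f output shown above.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_1234
Default principal: username@FNAL.GOV
Valid starting     Expires            Service principal
08/17/12 09:31:16  08/18/12 11:31:16  krbtgt/FNAL.GOV@FNAL.GOV
\trenew until 08/24/12 09:31:09, Flags: FRIA
"""

def _ts(s):
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist -f output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": _ts(m.group(1)), "expires": _ts(m.group(2)),
                            "service": m.group(3), "renew_until": None, "flags": ""})
        elif tickets:                      # continuation line of the previous ticket
            r, f = RENEW_RE.search(line), FLAGS_RE.search(line)
            if r:
                tickets[-1]["renew_until"] = _ts(r.group(1))
            if f:
                tickets[-1]["flags"] = f.group(1)
    return principal, tickets

def tgt_status(tickets, now, realm="FNAL.GOV"):
    """Classify the realm's TGT: valid, expired-renewable (kinit -R works), expired (kinit again) or none."""
    now = _ts(now) if isinstance(now, str) else now   # accept a klist-style timestamp
    tgt = next((t for t in tickets if t["service"].startswith(f"krbtgt/{realm}@")), None)
    if tgt is None:
        return "none"
    if now < tgt["expires"]:
        return "valid"
    if tgt["renew_until"] and now < tgt["renew_until"]:
        return "expired-renewable"
    return "expired"
```

On a real workstation, feed it subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout and datetime.now(); "expired-renewable" means kinit -R will still refresh the ticket, while "expired" or "none" means you must kinit again from the console.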

Kerberos for Windows

Note: This software is not officially supported by Fermilab, but it is known to work on most versions of Windows.

Follow instructions listed here to download and install Cygwin and add Kerberos support.