Kerberos clients include telnet, ftp, rsh, rcp, rlogin, and, if specially built, ssh and slogin. All of these clients can encrypt communications.
In the example below, djholm@FNAL.GOV is the kerberos principal. `which rlogin` is used to verify that the kerberized version of rlogin is the one in the path (the non-kerberized version will be rejected by the server).

dalrott:~$ kinit -r 7d djholm@FNAL.GOV
Password for djholm@FNAL.GOV:
dalrott:~$ which rlogin
/usr/krb5/bin/rlogin
dalrott:~$ rlogin lqcd.fnal.gov
This rlogin session is using DES encryption for all data transmissions.
Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.19-perfctr on a 4-processor i686
. . .
lqcd:~$
Use `which kinit` to see whether this software is already in your path. If not,
check whether the /usr/krb5 or /usr/kerberos directory
exists on your workstation; if so, add /usr/kerberos/bin (or the
equivalent for krb5) to the front of your path.
On RedHat Linux systems, you will need to install the following
RPMs (versions will vary):
- krb5-libs-1.2.4-2
- krb5-workstation-1.2.4-2
- pam_krb5-1.55-1
You may also download kerberos software from Fermilab. Recently, "lite" versions of Linux (RedHat 7.x) and Windows clients have been made available. You can download the software by following this link. After untarring the Linux version, or unzipping the Windows version, follow the instructions which accompany the software.
If you are connecting from home via a firewall which uses NAT (network address translation), you'll need to use "addressless" tickets. The Fermilab version of kerberos will give you addressless tickets if you use the "-n" switch. Other versions of kerberos may use the "-A" switch. Check your man page for kinit or use "kinit --help" to see which switch is supported. With addressless tickets, unfortunately rsh/rcp/rlogin will not work when traversing a NAT. However, telnet and ssh/scp do work. The Fermilab "lite" version of kerberos for Windows supports addressless tickets. The "lite" version for Linux currently does not. An unofficial cut of the Linux "lite" version (use at your own risk) which does support the "-n" switch is available here.
If you have an older version of Linux, you can download a statically-linked
version of the kerberos clients using this
link. You will also need
this krb5.conf file.
See these
instructions for installing and using this software.
If kerberos software is already installed on your system, you will need to
modify the configuration file so that your machine knows how to contact the
Fermilab key servers. If you will only access Fermilab via kerberos, install
krb5.conf in
/etc. If you are already using kerberos to access another site,
for example, NCSA, you will need to modify your existing
/etc/krb5.conf file as follows:
In the [realms] section, add:

    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        default_domain = fnal.gov
        auth_to_local = DEFAULT
    }

In the [domain_realm] section, add:

    .fnal.gov = FNAL.GOV
    fsus01.fnal.gov = FNAL.GOV
    fsus03.fnal.gov = FNAL.GOV
    fsus04.fnal.gov = FNAL.GOV
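The edit described above (adding the FNAL.GOV realm and domain mappings to a krb5.conf that already serves another site) is easy to get subtly wrong by hand: a realm block dropped into the wrong section, or a domain that is already mapped elsewhere. The following script is an added example, not part of the original page or of any Fermilab software; it parses krb5.conf sections, audits whether the FNAL.GOV entries are present, and appends only what is missing. The sample "existing" configuration is constructed here, and its NCSA KDC host name is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# The FNAL.GOV entries exactly as the instructions above list them.
FNAL_REALM_BLOCK = """\
    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        kdc = krb-fnal-6.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        default_domain = fnal.gov
        auth_to_local = DEFAULT
    }"""
FNAL_DOMAIN_MAP = {
    ".fnal.gov": "FNAL.GOV",
    "fsus01.fnal.gov": "FNAL.GOV",
    "fsus03.fnal.gov": "FNAL.GOV",
    "fsus04.fnal.gov": "FNAL.GOV",
}

# Constructed sample of a krb5.conf already set up for another realm.
# kdc.ncsa.example is a placeholder host name, not a real KDC.
EXISTING_CONF = """\
[libdefaults]
    default_realm = NCSA.EDU

[realms]
    NCSA.EDU = {
        kdc = kdc.ncsa.example:88
        admin_server = kdc.ncsa.example
    }

[domain_realm]
    .ncsa.edu = NCSA.EDU
"""

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")


def split_sections(text: str) -> List[Tuple[Optional[str], List[str]]]:
    """(section name, raw lines) pairs in file order; text before the first
    [header] is returned under the name None."""
    sections: List[Tuple[Optional[str], List[str]]] = []
    name: Optional[str] = None
    body: List[str] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((name, body))
            name, body = m.group(1), []
        else:
            body.append(line)
    sections.append((name, body))
    return sections


def section_lines(text: str, wanted: str) -> List[str]:
    """All lines of every [wanted] section (a section may appear more than once)."""
    return [l for name, body in split_sections(text) if name == wanted for l in body]


def realm_defined(lines: List[str], realm: str) -> bool:
    pat = re.compile(r"^\s*" + re.escape(realm) + r"\s*=\s*\{")
    return any(pat.match(l) for l in lines)


def domain_mapped(lines: List[str], domain: str) -> Optional[str]:
    """Realm that `domain` is mapped to in [domain_realm] lines, or None."""
    pat = re.compile(r"^\s*" + re.escape(domain) + r"\s*=\s*(\S+)")
    for l in lines:
        m = pat.match(l)
        if m:
            return m.group(1)
    return None


def audit_fnal(text: str) -> List[str]:
    """What is missing or wrong for reaching FNAL.GOV; an empty list means ready."""
    problems = []
    if not realm_defined(section_lines(text, "realms"), "FNAL.GOV"):
        problems.append("[realms] has no FNAL.GOV block")
    dr = section_lines(text, "domain_realm")
    for dom, realm in FNAL_DOMAIN_MAP.items():
        mapped = domain_mapped(dr, dom)
        if mapped is None:
            problems.append(f"[domain_realm] lacks {dom} = {realm}")
        elif mapped != realm:
            problems.append(f"[domain_realm] maps {dom} to {mapped}, expected {realm}")
    return problems


def ensure_fnal_realm(text: str) -> str:
    """Return text with the FNAL.GOV realm block and domain mappings appended
    where absent. Existing entries are never rewritten: a domain already mapped
    to a different realm is left alone and reported by audit_fnal()."""
    sections = split_sections(text)
    present = {name for name, _ in sections}
    for needed in ("realms", "domain_realm"):
        if needed not in present:          # create the section if the file lacks it
            sections.append((needed, []))
    realm_done = realm_defined(section_lines(text, "realms"), "FNAL.GOV")
    dr = section_lines(text, "domain_realm")
    missing = [d for d in FNAL_DOMAIN_MAP if domain_mapped(dr, d) is None]
    out: List[str] = []
    for name, body in sections:
        body, additions = list(body), []
        if name == "realms" and not realm_done:
            additions, realm_done = FNAL_REALM_BLOCK.splitlines(), True
        elif name == "domain_realm" and missing:
            additions = [f"    {d} = {FNAL_DOMAIN_MAP[d]}" for d in missing]
            missing = []
        if additions:
            while body and not body[-1].strip():   # keep additions inside the section
                body.pop()
            body.extend(additions)
            body.append("")
        if name is not None:
            out.append(f"[{name}]")
        out.extend(body)
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print("before:", audit_fnal(EXISTING_CONF))
    print(ensure_fnal_realm(EXISTING_CONF))
```

Run `audit_fnal()` on the contents of /etc/krb5.conf before and after editing: the first call lists every missing entry, the second should return an empty list. `ensure_fnal_realm()` is idempotent, so running it twice adds nothing the second time, and a domain already mapped to another realm is deliberately left for a human to resolve rather than silently overwritten.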
Run kinit on your local machine, from its
console. Don't use kinit over a network connection, since
this can expose your kerberos password.
To request a renewable ticket, use `kinit -r 7d`.
The maximum renewable period is 7 days.
Use klist to check whether you hold a valid ticket. For example:

dalrott:/slack/djholm$ klist
Ticket cache: /tmp/krb5cc_tty1
Default principal: djholm@FNAL.GOV

Valid starting     Expires            Service principal
05/15/03 15:57:37  05/16/03 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
Two styles of cryptocard have been issued by Fermilab, and unfortunately their usage is different. The Computing Division has a good chapter in their kerberos documentation which explains how to use both types of cards.
dalrott:~$ /usr/bin/telnet lqcd.fnal.gov
Trying 131.225.202.12...
Connected to dellquad2.fnal.gov.
Escape character is '^]'.
4.4 BSD UNIX (lqcd.fnal.gov) (26) Portal
Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.19-perfctr on a 4-processor i686
login: djholm
Press ENTER and compare this challenge to the one on your display: [00160613]
Enter the displayed response: a37ddb18
Fermi Linux 6.1.1 INSTALL for FermiStandAlone via NFS on Fri Jun 1 13:49:03 CDT 2001
NOTICE TO USERS
...
lqcd:~$
In this example, the telnet server on lqcd issued a cryptocard
challenge. After turning on an old-style cryptocard and entering a valid
PIN, "Fermilab" is displayed. Hitting ENT displays a
number which (almost always) matches the challenge. Hitting ENT
again displays the response, which must be typed at the workstation. With the
new-style cryptocards, the challenge is not displayed, only the response. For
detailed instructions, see this
link.
You can also use ssh with a cryptocard to access Fermilab
machines. However, it's a bit tricky. When you get a password prompt,
just hit enter - do not type in a password. This will cause a
cryptocard challenge. If you type in a password, you will get a
"Permission denied, please try again" error, followed by
another password prompt. Only a blank password will result in a
cryptocard challenge.
One advantage of ssh is that X-window forwarding will
allow you to open windows from lqcd.fnal.gov on your
workstation. However, when your ticket expires this stops working. If
you renew your ticket before it expires with `kinit
-R`, the X forwarding will continue to work.
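Both the klist check above and the advice to renew with `kinit -R` before expiry come down to reading the ticket-granting ticket's expiry out of klist output. The script below is an added example, not part of the original page or of any Kerberos distribution: it parses the klist listing format shown above (two-digit years, local time, as printed by this 1.2-era client), finds the TGT for a realm and says whether to do nothing, renew now, or obtain a fresh ticket. The sample output is the page's own listing plus one constructed host service ticket line; the two-hour warning threshold is an assumption you can change.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple, Union


class Ticket(NamedTuple):
    start: datetime
    expires: datetime
    service: str


# Sample klist output: the page's listing, plus a constructed host/ service
# ticket line of the kind rlogin would obtain after the TGT.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_tty1
Default principal: djholm@FNAL.GOV

Valid starting     Expires            Service principal
05/15/03 15:57:37  05/16/03 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
05/15/03 16:02:10  05/16/03 17:57:37  host/lqcd.fnal.gov@FNAL.GOV
"""

# One ticket line: "<start> <expires> <service principal>", e.g.
#   05/15/03 15:57:37  05/16/03 17:57:37  krbtgt/FNAL.GOV@FNAL.GOV
TICKET_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


def parse_stamp(stamp: str) -> datetime:
    """This klist prints two-digit years; newer builds may print four."""
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {stamp!r}")


def parse_klist(output: str) -> List[Ticket]:
    """Extract every ticket line; header and cache lines do not match and are skipped."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(parse_stamp(m.group(1)), parse_stamp(m.group(2)), m.group(3)))
    return tickets


def default_principal(output: str) -> Optional[str]:
    m = re.search(r"^Default principal:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def ticket_granting_ticket(tickets: List[Ticket], realm: str) -> Optional[Ticket]:
    """The TGT for `realm` is the ticket for service krbtgt/REALM@REALM."""
    want = f"krbtgt/{realm}@{realm}"
    return next((t for t in tickets if t.service == want), None)


def renewal_advice(output: str, realm: str, now: Union[datetime, str],
                   warn_within: timedelta = timedelta(hours=2)) -> Tuple[str, int]:
    """Classify the TGT against `now` (a datetime, or a string in klist's own format).
    Returns (status, seconds remaining):
      "no-tgt"    - no ticket for this realm: run kinit
      "expired"   - too late for kinit -R; run kinit again
      "renew-now" - still valid but inside the warning window: run kinit -R
      "ok"        - nothing to do yet
    klist prints local time, so `now` must be local time as well."""
    if isinstance(now, str):
        now = parse_stamp(now)
    tgt = ticket_granting_ticket(parse_klist(output), realm)
    if tgt is None:
        return "no-tgt", 0
    remaining = int((tgt.expires - now).total_seconds())
    if remaining <= 0:
        return "expired", 0
    if remaining <= warn_within.total_seconds():
        return "renew-now", remaining
    return "ok", remaining


if __name__ == "__main__":
    # Run against the sample; to check your own cache, feed it the output of klist.
    for when in ("05/15/03 16:00:00", "05/16/03 16:30:00", "05/16/03 18:00:00"):
        print(when, renewal_advice(SAMPLE_KLIST, "FNAL.GOV", when))
```

A renewal with `kinit -R` only succeeds while the TGT is still valid and inside the renewable lifetime requested at `kinit -r 7d`, which is why the "expired" case sends you back to a fresh kinit from the console rather than to `kinit -R`. Running the advice function from cron or a shell prompt a couple of hours before expiry is enough to keep long-lived X forwarding sessions alive.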