Heidi Schellman
v1.1 - December 16, 2000
There is a lot of documentation on Kerberos at Fermilab at:
http://www.fnal.gov/docs/strongauth
Look at the UPDATED docs first.
The basic idea of Kerberos is that there is a central Fermilab server for user authentication. You give it your username (your Kerberos principal) and passphrase, and it tells all participating Fermilab computers that you are an authorized user. A software 'ticket' is created for you which is transparently passed along to other machines at Fermilab which run Kerberos. No more multiple passwords, or typing in a password every time you move from one machine to another.
Once you get used to it, it's not bad but it is different.
Everyone using D0 computers will need to have a principal by December 18th and most people will need a cryptocard.
Principal is Kerberos-speak for your Kerberos authentication account.
If you are going to use this system, you need to get signed up for it.
Here is what you need to do:
http://www-d0.fnal.gov/computing/systems/id-ver.html
and we will help you. This service is not for those who just don't want to give up that prime DAB parking space by driving to the High Rise and back.
D0 Account Request Form - Kerberos/Crypto and fill it out.
otherwise, and we recommend this strongly, also follow the procedure in section 3 below.
You will be issued a Kerberos principal with an email containing instructions on how to get your password (you'll need to phone to get it) and how to change it. Do not ignore this email - if you do not find out and change the password within 30 days, it will expire and you will be without a working principal.
You need to change this password within a month to something with 10 or more characters and 2 or more types of character (lower case, upper case, numeric, symbol, ...).
After 30 days the initial password expires and you must contact the computing division accounts manager (630-840-8118; compdiv@fnal.gov) to have your password reset.
This is what we recommend for most users.
http://www-d0.fnal.gov/computing/systems/kprincipal_cryptocard.html
Your principal name should be your d0mino user name but it must be 8 characters or less. If your d0mino account is more than 8 characters, ask Alan Jonckheere for advice.
The institutional representative or a designated representative can fill out a form for a set of users:
http://www-d0.fnal.gov/computing/systems/ib_kprin_cryp.html
and pick up the group of cards or authorize a representative to pick up these cards at Fermilab and take/send them to you. If you want Fermilab to Air Freight them to you or a designated representative at your institution, the name and address where the cards should be sent must be listed on the form.
http://www.fnal.gov/docs/strongauth/
Then go to the CryptoCard section.
Cryptocards are issued to people - they are tied to your account and will only give valid passwords for your account. They are protected by a PIN.
telnet d0mino.fnal.gov
login: schellma
Press ENTER and compare this challenge to the one on your display: [42352559]
Enter the displayed response: A2942CBC   << fake response
You're in!
If you came in with a cryptocard - you should have your tickets made for you. If you came in through a console (NT (WRQ) or Linux) which doesn't forward tickets, you may have to:
<.... tell kerberos about myself ....>
< Don't do this from an xterm - do it from something encrypted or your console >
<d0mino> kinit
Password for schellma@PILOT.FNAL.GOV: <I entered my kerberos password>
kinit -R
renews your existing tickets without asking for the password again. Right now this can keep going for 96 hours.
<d0mino> telnet d0test
Trying 131.225.224.77...
Connected to d0test.fnal.gov (131.225.224.77).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``schellma@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
WARNING NOTICE!
<.... I'm logged in ....>
No password needed to be entered.
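The ticket lifecycle shown in the sessions above (a fresh kinit, then kinit -R within the 96-hour window), as an added example that is not part of the original guide: a small Python script that reads klist output (the sample below is constructed, not a real session) and says whether a ticket can still be extended with kinit -R or whether a fresh kinit, typed over an encrypted connection or the console, is needed. The layout it parses is assumed to be that of MIT Kerberos klist; the 96-hour limit is the one quoted above.

```python
from datetime import datetime, timedelta
import re

# Constructed sample of MIT Kerberos `klist` output for a D0 user (not a real session).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234
Default principal: schellma@PILOT.FNAL.GOV

Valid starting       Expires              Service principal
12/16/2000 09:00:00  12/17/2000 11:00:00  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
\trenew until 12/20/2000 09:00:00
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"                # timestamp format used by klist
TS_RE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
MAX_RENEWABLE = timedelta(hours=96)         # renewable lifetime quoted in the guide


def parse_tgt(klist_text):
    """Return (principal, valid_from, expires, renew_until) for the krbtgt entry;
    renew_until is None when the ticket was not issued renewable."""
    principal = re.search(r"^Default principal: (\S+)$", klist_text, re.M).group(1)
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TS_RE})\s+({TS_RE})\s+krbtgt/", line)
        if not m:
            continue
        start, exp = (datetime.strptime(x, TS_FMT) for x in m.groups())
        # klist prints the renewable limit on the following, indented line.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        r = re.match(rf"\s*renew until ({TS_RE})", nxt)
        renew = datetime.strptime(r.group(1), TS_FMT) if r else None
        return principal, start, exp, renew
    raise ValueError("no krbtgt ticket in klist output")


def within_site_policy(klist_text):
    """True if the renewable window does not exceed the 96-hour limit."""
    _, start, _, renew = parse_tgt(klist_text)
    return renew is None or renew - start <= MAX_RENEWABLE


def renewal_advice(klist_text, now_str, warn_hours=1):
    """Return 'ok' (plenty of life left), 'kinit -R' (about to expire but still
    renewable) or 'kinit' (expired or not renewable: the password is needed)."""
    now = datetime.strptime(now_str, TS_FMT)
    _, _, exp, renew = parse_tgt(klist_text)
    if now >= exp:
        return "kinit"          # an expired TGT can no longer be renewed
    if exp - now > timedelta(hours=warn_hours):
        return "ok"
    return "kinit -R" if renew is not None and now < renew else "kinit"
```

Run it against real klist output by passing the captured text and the current time in the same timestamp format.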
ksu username sets you up as username if you are in that account's .k5login access list. It does not run the login for that account.
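An added example, not from the original guide, of checking the kind of access list ksu consults: the .k5login contents below are constructed, and the checks (one principal per line, same realm as the PILOT.FNAL.GOV seen in the sessions above, names no longer than 8 characters) follow the rules this guide states. Anything that fails a check is reported and is not counted as granting access.

```python
import re

SITE_REALM = "PILOT.FNAL.GOV"   # realm seen in the guide's login sessions
MAX_NAME_LEN = 8                # principal-name limit stated in the guide
PRINCIPAL_RE = re.compile(r"^([^/@\s]+)(/[^/@\s]+)?@([^@\s]+)$")   # user[/instance]@REALM

# Constructed sample of what a D0 account's ~/.k5login might contain.
SAMPLE_K5LOGIN = """\
schellma@PILOT.FNAL.GOV
toolongusername@PILOT.FNAL.GOV
visitor@OTHER.EXAMPLE
ops/admin@PILOT.FNAL.GOV
this is not a principal
"""


def check_k5login(text, realm=SITE_REALM):
    """Return (allowed, problems): entries that pass every check, and findings
    to fix. Each .k5login line is one principal; nothing else is valid."""
    allowed, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PRINCIPAL_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a principal: {line!r}")
            continue
        user, _instance, rlm = m.groups()
        if rlm != realm:
            # A principal from another realm: flag it for review rather than trust it.
            problems.append(f"line {n}: foreign realm {rlm}")
            continue
        if len(user) > MAX_NAME_LEN:
            problems.append(f"line {n}: {user!r} is longer than {MAX_NAME_LEN} characters")
            continue
        allowed.append(line)
    return allowed, problems


def can_ksu(principal, text, realm=SITE_REALM):
    """True if `principal` (exact user[/instance]@REALM string) is listed and valid."""
    allowed, _ = check_k5login(text, realm)
    return principal in allowed
```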
Full documentation on the Kerberos security system is available at:
http://www.fnal.gov/docs/strongauth
http://www-d0.fnal.gov/computing/wrq.html
You can also contact the company directly - they sell a 10-pack for academic use for $109/seat. Fermilab cannot get this deal.
Exceed 6.2 is rumored to be kerberos compatible but the installation is not for the faint of heart or short of time. Rich Partridge has figured out a way to make MIT kerberos work with Exceed 7, which is now documented at:
http://www-d0.fnal.gov/computing/systems/exceed7.txt
Unless you enjoy messing with NT systems and are willing to tolerate some funky error messages from MIT kerberos, we suggest either buying WRQ or using Exceed as is with the cryptocard.
http://www-d0.fnal.gov/computing/systems/kerberizelinux.html
Remote users can either use cryptocards for access, set up a gateway machine that allows only ssh and Kerberos access, or make their machine a 'trusted' machine, which requires running Kerberos only. This may not be popular if you share the machine with other experiments.
http://www.fnal.gov/docs/strongauth
has documentation on the procedure and use.
This document was generated using the LaTeX2HTML translator Version 99.1 release (March 30, 1999)
The translation was initiated by WWW Server Account on 2000-12-16