Professor's guide to Using Kerberos at D0

Heidi Schellman

v1.1 - December 16, 2000

Contents

• Contents
• 1. Huh?
• 2. How to get a 'principal'
• 3. How to get a cryptocard and a principal
  • 3.1 Using your new card
• 4. How to get your 'ticket'
  • 4.1 Other cool features
• 5. Access Methods

1. Huh?

Fermilab is going to be using Kerberos for user authentication. Right now we are testing this system but it will be the main way to access D0 computers by December 18th.

There is a lot of documentation on Kerberos at Fermilab at:

http://www.fnal.gov/docs/strongauth Look at the UPDATED docs first.

The basic idea of Kerberos is that there is a central Fermilab server for user authentication. You give it a combination of username and passphrase (your kerberos principal) and it tells all participating Fermilab computers that you are an authorized user. A software 'ticket' is created for you which is transparently passed along to other machines at Fermilab which run kerberos. No more multiple passwords, or typing in a password every time you move from one machine to another.

Once you get used to it, it's not bad but it is different.

Advantages

• One password which you only have to type in once a day.
• No password file on D0 systems to crack.
• Works on all kerberized D0 systems
• Shared accounts are easier to manage, you just need to be in the .k5login file for the account.

Disadvantages

• Harder to get into from outside - need new software or crypto-card. This is however, sort of the point, keeping hackers out is hard and real users unfortunately have to do more and more to prove they're not hackers.
• 'Tickets' expire after 1-4 days, have to log in again.
• It's something new to learn.

Everyone using D0 computers will need to have a principal by December 18th and most people will need a cryptocard.

2. How to get a 'principal'

Principal is Kerberos-speak for your Kerberos authentication account.

If you are going to use this system, you need to get signed up for it.

1. First look at your Fermi ID - is it still valid? If so, go to step 5
2. If your Fermi ID has expired, you need to renew it. You will need to get the spokesperson or other authorized person to swear that you are in fact a D0 collaborator. This is a new rule - it means getting the user registration form first, getting the appropriate signature and then bringing it to the user's office.

   Here is what you need to do this:

   http://www-d0.fnal.gov/computing/systems/id-ver.html

3. If you do not have a Fermilab User ID, get one if possible, fill out the forms described in section 2.

4. If you cannot come to Fermilab, send a message to: d0_accounts@fnal.gov containing the information found at:

   http://www-d0.fnal.gov/computing/systems/id-ver.html

   and we will help you. This service is not for those who just don't want to give up that prime DAB parking space by driving to the High Rise and back.

5. If you only want a kerberos principal and don't need a cryptocard go to the

   D0 Account Request Form- Kerberos/Crypto and fill it out.

   otherwise, and we recommend this strongly, also follow the procedure in section 3 below.

6. Tell your institutional representative what's up. They are helping to assure that everyone gets the proper credentials and knowing your status will help them keep track.

You will be issued a Kerberos principal with an email containing instructions on how to get your password (you'll need to phone to get it) and how to change it. Do not ignore this email - if you do not find out and change the password within 30 days, it will expire and you will be without a working principal.

You need to change this password within a month to something with 10 or more characters and 2 or more types of character (lower, upper, numeric, symbol,...)

After 30 days the initial password expires and you must contact the computing division accounts manager (630-840-8118; compdiv@fnal.gov) to have your password reset.

3. How to get a cryptocard and a principal

This is what we recommend for most users.

• Remember to follow steps 1-5 of section 2

• Fill out the form at:

  http://www-d0.fnal.gov/computing/systems/kprincipal_cryptocard.html

  Your principal name should be your d0mino user name but it must be 8 characters or less. If your d0mino account is more than 8 characters, ask Alan Jonckheere for advice.

• It takes a couple days to set up a card. Generally one has to pick these up in person at Feynman but special arrangements can be made for people who will not be at Fermilab. We are using the Institutional Board representatives (or someone they designate for your institution) as coordinators. Contact your IB rep and/or send email to d0_accounts@fnal.gov if you need to have a crypto-card sent to you.

  The institutional representative or a designated representative can fill out a form for a set of users:

  http://www-d0.fnal.gov/computing/systems/ib_kprin_cryp.html

  and pick up the group of cards or authorize a representative to pick up these cards at Fermilab and take/send them to you. If you want Fermilab to Air Freight them to you or a designated representative at your insitution, the name and address where the cards should be sent must be listed on the form.

3.1 Using your new card

Instructions for using a cryptocard are at:

http://www.fnal.gov/docs/strongauth/ then go to the CryptoCard section.

Cryptocards are issued to people - they are tied to your account and will only give valid passwords for your account. They are protected by a PIN number.

4. How to get your 'ticket'

1. Get onto a 'trusted' machine, either via the console or using a cryptocard

   
   telnet d0mino.fnal.gov
   login: schellma
   Press ENTER and compare this challenge to the one on your display: [42352559]
   Enter the displayed response: A2942CBC  << fake response
   

   You're in!

   If you came in with a cryptocard - you should have your tickets made for you. If you came in through a console (NT (WRQ) or Linux) which doesn't forward tickets, you may have to:

2. Use kinit to introduce yourself Here is an example session:

   
   <.... tell kerberos about myself ....>
   < Don't do this from an xterm - do it from something encrypted or your console >
   
   <d0mino> kinit
   Password for schellma@PILOT.FNAL.GOV: <I entered my kerberos password>
   

3. Tickets only last 26 hours, you may want to renew by typing

   
   kinit -R
   

   Right now this can keep going for 96 hours.

4. Telnet (yes, you can do it!) to another secure machine

   
   <d0mino> telnet d0test
   Trying 131.225.224.77...
   Connected to d0test.fnal.gov (131.225.224.77).
   Escape character is '^]'.
   [ Kerberos V5 accepts you as ``schellma@PILOT.FNAL.GOV'' ]
   [ Kerberos V5 accepted forwarded credentials ]
   WARNING NOTICE!
   
   <.... I'm logged in ....>
   

   No password needed to be entered.

4.1 Other cool features

ksu username sets you up as username if you are in that account's .k5login access list. It does not run the login for that account.

Full documentation on the Kerberos security system is available at:

http://www.fnal.gov/docs/strongauth

5. Access Methods

• On Windows: For $230 you can purchase a license for WRQ which allows kerberized access from PC's without a cryptocard. This works quite well. You can find instructions for purchasing WRQ licenses through Fermilab at:

  http://www-d0.fnal.gov/computing/wrq.html

  You can also contact the company directly - they sell a 10-pack for academic use for $109/seat. Fermilab cannot get this deal.

  Exceed 6.2 is rumored to be kerberos compatible but the installation is not for the faint of heart or short of time. Rich Partridge has figure out a way to make MIT kerberos work with Exceed 7 which is now documented at:

  http://www-d0.fnal.gov/computing/systems/exceed7.txt

  Unless you enjoy messing with NT systems and are willing to tolerate some funky error messages from MIT kerberos, we suggest either buying WRQ or using Exceed as is with the cryptocard.

• On Linux: Onsite linux machines managed by FNAL will have kerberos installed and will have transparent access to the D0 central machines. Machines managed by other groups at D0 need to be made into kerberos trusted machines as well. Onsite instructions are at:

  http://www-d0.fnal.gov/computing/systems/kerberizelinux.html

  Remote users can either use cryptocards for access, or set up a gateway machine with only ssh and kerberos access or become a 'trusted' machine which requires running kerberos only. This may not be popular if you share the machine with other experiments.

  http://www.fnal.gov/docs/strongauth

  has documentation on the procedure and use.

About this document ...

Professor's guide to Using Kerberos at D0

This document was generated using the LaTeX2HTML translator Version 99.1 release (March 30, 1999)

Copyright © 1993, 1994, 1995, 1996, Nikos Drakos, Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.

The command line arguments were:
latex2html -split 0 -show_section_numbers kerberos_guide

The translation was initiated by WWW Server Account on 2000-12-16