login:kerberos
Differences
This shows you the differences between two versions of the page.
login:kerberos [2021/07/08 13:57] – jas | login:kerberos [2024/01/22 09:25] (current) – jas | ||
---|---|---|---|
Line 5: | Line 5: | ||
The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | ||
- | Kerberos is an authentication protocol that works using tickets. | + | Kerberos is an authentication protocol that works using tickets. |
- | ===== How Does this Affect Me? ===== | + | ===== How does this affect me? ===== |
- | Kerberos tickets have a 10 hour lifetime. | + | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password. When your Kerberos ticket expires, you will temporarily |
- | You will not be affected by this change if you fall into the following categories: | + | You will **not** be affected by this change if your usage falls into one of the following categories: |
- | 1) If your login session is less than 10 hours in duration, you won't be affected by this change | + | 1) Login sessions to indigo/ |
- | 2) Login sessions | + | 2) Local logins |
- | You **will** be affected by this change | + | 3) Login sessions less than 10 hours in duration |
- | 1) If your login sessions are typically longer than 10 hours, you will be affected by this change. | + | You **will** be affected by this change |
- | 2) If you run compute intensive jobs that will run for more than 10 hours, you will be affected by this change. | + | 1) If you SSH to any tech-managed systems other than indigo/ |
- | ===== View Your Kerberos | + | 2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. |
+ | |||
+ | 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. | ||
+ | |||
+ | If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically. | ||
+ | |||
+ | ===== How can I view my Kerberos | ||
In order to view your Kerberos Tickets, use the " | In order to view your Kerberos Tickets, use the " | ||
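Review bot: item 2 of the new "You **will** be affected" list ("If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change") is a single run-on that restates itself; suggest "Login sessions longer than 10 hours, unless they fall into one of the unaffected categories above." so the affected and unaffected lists read in parallel. The closing sentence "you will need to renew your Kerberos ticket either manually, or automatically" would also help readers more if it named the two mechanisms the page later describes (running kinit again, or krenew/k5start), since that is the decision the reader has to make at this point.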
Line 43: | Line 49: | ||
Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | ||
- | Kerberos tickets expire every 10 hours. | + | Before the ticket |
- | After 7 days, or if you don' | + | After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! |
===== How do I get a new Kerberos ticket? ===== | ===== How do I get a new Kerberos ticket? ===== | ||
- | You can get a new Kerberos ticket at any time. Simply run the command | + | You can get a new Kerberos ticket at any time. Simply run the " |
< | < | ||
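Review bot: the comma placement in the new "After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!" makes the two conditions hard to parse; suggest "After 7 days, or if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one." It would also be worth stating explicitly that renewing does not push the 7-day limit out, since the preceding sentence ("can be renewed up to 7 days") is the only place that ceiling is tied to the original login.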
Line 62: | Line 68: | ||
renew until 12/23/2020 10:13:23 | renew until 12/23/2020 10:13:23 | ||
</ | </ | ||
- | |||
- | You can run " | ||
- | |||
===== How do I destroy my Kerberos ticket? ===== | ===== How do I destroy my Kerberos ticket? ===== | ||
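Review bot: the sentence removed here ("You can run "…") was the only verification hint following the kinit output above, and the new revision adds its replacement ("You should be able to list your new Kerberos ticket using the "…") only in the keytab/k5start section further down. Suggest keeping a one-line pointer to listing the ticket after the kinit example as well, so readers of the basic flow know how to confirm the "renew until" time shown in the output.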
Line 78: | Line 81: | ||
Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | ||
- | ===== Login Sessions | + | ===== Processes |
- | If your login session | + | For processes that will run for up to 7 days where it would be impractical |
- | ===== Unattended Scripts or At/Cron Jobs ===== | + | Run your job using krenew: |
- | If you will be running unattended scripts such as compute jobs, there are several categories of jobs: | + | krenew -- < |
- | ==== Compute Jobs that will run for less than 7 days ==== | + | This will run < |
- | For compute jobs that will run for less than 7 days (on compute servers other than , follow | + | krenew can also be used to run the command in the background like this: |
- | Run your job using krenew: | + | |
- | | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to automatically remain valid for up to 7 days, just run "krenew" like this: |
- | This will run <cmd> in the foreground. | + | krenew -K 60 -b |
- | krenew | + | krenew |
- | krenew -b -- <cmd> | + | ===== Processes That Run for More Than 7 Days ===== |
- | Note that <cmd> must include the full path to the command. | + | For processes |
- | + | ||
- | ==== Compute Jobs that will run for more than 7 days ==== | + | |
- | + | ||
- | For compute jobs that will run for more than 7 days follow this procedure: | + | |
First, you will create a custom keytab file using the ktutil command, replacing < | First, you will create a custom keytab file using the ktutil command, replacing < | ||
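Review bot: the old revision's "Note that <cmd> must include the full path to the command." has no counterpart in the new text shown for the krenew section; if the requirement still holds for "krenew -- <cmd>" and the backgrounded form, restore it, because a bare command name failing under krenew is a confusing failure mode for exactly the unattended jobs this section targets. For the "krenew -K 60 -b" login-session case, suggest also saying how to stop the background krenew (and that kdestroy, described above, should follow it), since a renewer left running after the user has finished keeps the ticket live for the full 7 days.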
Line 116: | Line 115: | ||
</ | </ | ||
- | The keytab file will be written to a file called < | + | The keytab file will be written to a file called < |
Test that the keytab file can be used to authenticate as you. First, run " | Test that the keytab file can be used to authenticate as you. First, run " | ||
Line 124: | Line 123: | ||
</ | </ | ||
- | Now run kinit, passing in the keytab file: | + | You can optionally test your keytab file by passing it to kinit like this: |
< | < | ||
- | % kinit bob -k -t /eecs/home/bob/bob.keytab | + | % kinit < |
</ | </ | ||
+ | |||
+ | Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket. | ||
If you see the following error: | If you see the following error: | ||
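Review bot: the new note "you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket" is correct and is also the reason the procedure needs a protection step: a keytab is password-equivalent, so the text should require that the file be owned by the user and readable only by them (mode 0600) before the kinit test. Separately, the old example path "/eecs/home/bob/bob.keytab" placed the keytab in the home directory, and the page states elsewhere that an expired ticket eventually costs the user access to that home directory; the new "<full path to keytab file>" placeholder is an improvement, but suggest adding a sentence that the keytab must live on a filesystem that does not itself require a Kerberos ticket, otherwise k5start cannot read it at the moment it is needed.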
Line 138: | Line 139: | ||
... then your password is too old. Please use the " | ... then your password is too old. Please use the " | ||
- | Now, you will run your job using k5start: | + | You should be able to list your new Kerberos ticket using the " |
+ | |||
+ | Now, you can run your job using k5start: | ||
+ | |||
+ | k5start -f <full path to keytab file> < | ||
+ | |||
+ | This will run the command in the foreground. | ||
+ | |||
+ | k5start can also be used to run your command in the background like this: | ||
+ | |||
+ | k5start -f <full path to keytab file> < | ||
- | | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to remain valid indefinately, |
- | This will run <cmd> in the foreground. | + | k5start -f <full path to keytab |
- | k5start | + | Now, k5start |
- | k5start -f <keytab file> < | + | Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. |
- | ====== Additional Information | + | ===== Additional Information ===== |
If you're interested in learning more about Kerberos, you can read [[https:// | If you're interested in learning more about Kerberos, you can read [[https:// |
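Review bot: "indefinately" in "you want the Kerberos ticket of your SSH login session to remain valid indefinately" should be "indefinitely". The added reminder "if you change your password at any point in time, you will also need to regenerate your keytab file" is the right caveat; suggest pairing it with the instruction to delete the old keytab at that point, since the stale file still holds the previous key.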
login/kerberos.1625767074.txt.gz · Last modified: 2021/07/08 13:57 by jas