
Kerberos for EECS Linux Systems

In order to enhance system security, the tech team has implemented Kerberos across tech-supported Linux systems. Our Windows systems already use Kerberos.

The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network.

Kerberos is an authentication protocol that works using tickets. When you log in to an EECS Linux system, you will be automatically issued a Kerberos ticket. This ticket is used to gain access to resources such as your home directory, or other systems.

How Does this Affect Me?

Kerberos tickets have a 10 hour lifetime. Typically, when they expire, you lose access to your home directory until you get a new ticket. Most of our users will be unaffected by this change for these reasons:

1) If your login session is less than 10 hours in duration, you won't be affected by this change no matter which system you use.

2) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by Kerberos ticket expiry.

3) In general, Kerberos tickets can be manually renewed for up to 7 days. However, on our system, all active Kerberos tickets will be automatically renewed for 7 days without any user intervention. This means that if your login session to any system is less than 7 days in duration, you also won't be affected by this change.

4) Every time you log in to our system using your password, you get a new Kerberos ticket which is also valid for an additional 7 days.

Now let's review the cases where users will be affected by this change, and possible solutions:

(a) You have login sessions that will last longer than 7 days to systems other than indigo/indigo1/navy (research) or red/red1/crimson (education):

If your login session will last longer than 7 days, you will be affected by this change. Simply run the “kinit” command before your ticket expires. You will be prompted to enter your password, and you will get a new Kerberos ticket that lasts for 7 days from that point. If you forget to renew your ticket before it expires, the programs that you're running will lose access to your home directory, but you can still run kinit at that point and regain access.

(b) You are running an unattended script which will run for more than 7 days:

If you will be running an unattended script which will run for longer than 7 days, you may be affected by this change. If your script is running on the compute server “navy”, you will not be affected by this change.

Otherwise, run the “kinit” command before your ticket expires in 7 days, and you will get a new ticket that lasts for 7 days. Your script will continue to run for another 7 days without intervention. If you forget, and your ticket expires, your unattended script will not be able to access software in /eecs/local, or access your home directory until you type “kinit” and renew your ticket.

Alternatively, you can create a cron job which will renew your ticket automatically. Please see below for more details on completing this step, or consult with tech.

(c) You are running cron/at jobs on a system other than indigo/indigo1/navy (research), or red/red1/crimson (education):

All cron/at jobs run as you. Without a Kerberos ticket, the cron job will not be able to access /eecs or your home directory, so you must keep your Kerberos ticket active. As long as you log in with your password once every 7 days, your cron job will continue to run.

Alternatively, you can create a cron job which will renew your ticket automatically. Please see below for more details on completing this step, or consult with tech.

It is preferable, if possible, to run your at/cron jobs on indigo/indigo1/navy/red/red1/crimson because these systems are not affected by the expiry of your Kerberos ticket.

View Your Kerberos Ticket

In order to view your Kerberos Tickets, use the “klist” command from a “Terminal” or SSH session:

% klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: bob@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
12/16/2020 09:52:21  12/16/2020 19:52:20  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
	renew until 12/23/2020 09:52:21

Here, we see that user “bob” has a Kerberos ticket created on December 16, 2020 at 9:52:21 AM when he logged in to an EECS Linux system. That ticket will expire in 10 hours, and is renewable for up to 7 days. Bob can ignore the 10 hour ticket expiry because our system will renew the ticket for him right until the expiry in 7 days. If Bob's typical login session is less than 7 days, Bob's ticket will not expire during his login session, so there's nothing special he needs to do.

Destroy Your Kerberos Ticket

Bob can destroy his Kerberos ticket at any time using the “kdestroy” command:

% kdestroy
% klist
klist: No credentials cache found (filename: /tmp/krb5cc_9999)

Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. However, the next time Bob logs in, he will get a new ticket, and access will resume.

You don't need to destroy your Kerberos ticket because it will be destroyed automatically.

Get A New Kerberos Ticket

You can get a new Kerberos ticket at any time. Simply run the command “kinit”, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours, and automatically renewed for up to 7 days. It's really that simple.

% kinit
Password for bob@AD.EECS.YORKU.CA: 
% klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: bob@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
12/16/2020 10:13:25  12/16/2020 20:13:25  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
	renew until 12/23/2020 10:13:23

You can run “kinit” any time you wish to generate a new Kerberos ticket that is valid for an additional 7 days.

Unattended Scripts or At/Cron Jobs

If you need to run a long-term unattended script or at/cron job for longer than 7 days on a system other than indigo/indigo1/navy/red/red1/crimson, and you won't be logging in to check on it once every 7 days (thereby renewing your Kerberos ticket), you can set up a cron job to automatically renew your Kerberos ticket for you. To do this, you will create a “keytab” file that you will be able to pass to “kinit” via a cron job which will renew your ticket for 7 days. The keytab file does not contain your password, but a key that is derived from your password. Since the key can be passed to kinit in order to authenticate as you, it must be kept secure. Only create a keytab file if absolutely necessary, and delete it once you no longer need to run unattended scripts for longer than 7 days.

Creating a Keytab

In order to create a custom keytab file, run the ktutil command, replacing <user> with your username:

% ktutil
ktutil: addent -password -p <user> -k 1 -e aes256-cts
Password for <user>@AD.EECS.YORKU.CA: [enter your password]
ktutil: wkt /eecs/home/<user>/<user>.keytab
ktutil: quit

The keytab file will be written to a file called <user>.keytab in your home directory. You can name the file whatever you like. The permission on the file will be 600. That is, the file will be readable by you, and only you. Please don't change the permission on this file. If someone gets hold of this file, they will be able to access your files!

Test that the keytab file can be used to authenticate as you. First, run “kdestroy” to destroy your current Kerberos ticket:

% kdestroy

Now run kinit, passing in the keytab file:

% kinit bob -k -t /eecs/home/bob/bob.keytab

If you see the following error:

kinit: Pre-authentication failed: No key table entry found for <user>@AD.EECS.YORKU.CA while getting initial credentials

… then your password is too old. Please use the “passwd” command to change your system password, then re-issue the ktutil command above, and it will work now.

Renewing Your Kerberos Ticket via Cron

Once you can successfully pass your newly created keytab file to kinit without error, you can make it run daily via a cron job. Run “crontab -e” to open your list of cron jobs in an editor, then add a line like this, replacing <user> with your username:

0 23 * * * kinit <user> -k -t /eecs/home/<user>/<user>.keytab

Here, kinit runs at 11:00 PM nightly to renew the user's Kerberos ticket for 7 days using the keytab file that you set up. It doesn't really need to run nightly since the ticket has a 7 day expiry, but it doesn't hurt either. Select any time that you like, and be sure that you specify the correct filename for the keytab file.

NOTE: If the system is rebooted, you will have to log in manually one time, then the cron job will take care of ensuring your ticket is renewed from that point forward.
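As an added example, not from the EECS page, here is a small wrapper that the cron line could run instead of bare kinit. It refuses a keytab that is not mode 600 and owned by you, tries “kinit -R” on the existing ticket first so the keytab is only read when a fresh ticket is actually needed, and records what it did via logger. It assumes MIT Kerberos kinit/klist on PATH; the script name krb-renew.sh and its two arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the EECS page): a renewal wrapper for the cron job above.
# Assumes MIT Kerberos kinit/klist on PATH; the name krb-renew.sh is hypothetical.
set -u

# Return 0 only if the keytab is a regular file that you own with mode 600
# (the mode ktutil wrote it with). A keytab anyone else can read lets them
# authenticate as you, so anything else is refused before kinit runs.
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    # -O (owned by the effective user) is a common test(1) extension (bash, dash).
    [ -O "$f" ] || return 1
    # First 10 chars of ls -ld are the type and mode bits; avoids GNU/BSD stat differences.
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Renew the ticket in the default cache (FILE:/tmp/krb5cc_<uid>), which is the
# cache your long-running script and other cron jobs read.
# Exit status: 0 on success, 2 if the keytab was refused, 1 if kinit failed.
renew_ticket() {
    user=$1
    keytab=$2
    if ! keytab_is_private "$keytab"; then
        logger -t krb-renew "refusing $keytab: must be a regular file owned by you with mode 600"
        return 2
    fi
    # klist -s exits 0 when the cache holds a valid, unexpired ticket. If so, try
    # a plain renewal first: kinit -R extends the ticket up to its "renew until"
    # time without touching the keytab.
    if klist -s && kinit -R; then
        logger -t krb-renew "renewed existing ticket for $user"
        return 0
    fi
    # No ticket, an expired one, or past the 7-day renew limit: get a fresh
    # 10-hour ticket (renewable for 7 days) from the keytab.
    if kinit -k -t "$keytab" "$user"; then
        logger -t krb-renew "obtained new ticket for $user from keytab"
    else
        logger -t krb-renew "kinit from keytab failed for $user"
        return 1
    fi
}

# Crontab line that uses this script instead of bare kinit (replace <user>):
#   0 23 * * * /eecs/home/<user>/bin/krb-renew.sh <user> /eecs/home/<user>/<user>.keytab
if [ "$#" -eq 2 ]; then
    renew_ticket "$1" "$2"
fi
```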

Once again, please only use this procedure if absolutely necessary, and delete the keytab file and cron job when you no longer need to run the script. This helps to improve the security of your account and our system.

If you're interested in learning more about Kerberos, you can read this or watch this video.

As always, be sure to email tech with any questions that you might have.

login/kerberos.1625325429.txt.gz · Last modified: 2021/07/03 11:17 by jas