login:kerberos
login:kerberos [2021/07/03 11:17] – jas | login:kerberos [2024/01/22 09:25] (current) – jas | ||
---|---|---|---|
Line 5: | Line 5: | ||
The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | ||
- | Kerberos is an authentication protocol that works using tickets. | + | Kerberos is an authentication protocol that works using tickets. |
- | ===== How Does this Affect Me? ===== | + | ===== How does this affect me? ===== |
- | Kerberos tickets have a 10 hour lifetime. | + | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password. |
- | 1) If your login session is less than 10 hours in duration, you won' | + | You will **not** |
- | 2) Login sessions to indigo/ | + | 1) Login sessions to indigo/ |
- | 3) In general, Kerberos tickets can be manually renewed for up to 7 days. However, on our system, all active Kerberos tickets will be **automatically** renewed for 7 days without any user intervention. | + | 2) Local logins |
- | 4) Every time you login to our system using your password, you get a new Kerberos ticket which is also valid for an additional 7 days. | + | 3) Login sessions less than 10 hours in duration will not be affected by this change. |
- | Now let's review the cases where users **will** be affected by this change, and possible solutions: | + | You **will** be affected by this change |
- | (a) You have login sessions that will last longer than 7 days to systems other than indigo/ | + | 1) If you SSH to any tech-managed |
- | If your login session will last longer than 7 days, you will be affected by this change. Simply run the " | + | 2) If your login sessions are typically |
- | (b) You are running an unattended | + | 3) If you run unattended |
- | If you will be running an unattended script which will run for longer than 7 days, you may be affected by this change. | + | If your system use falls into these categories, |
- | Otherwise, run the " | + | ===== How can I view my Kerberos |
- | + | ||
- | Alternatively, | + | |
- | + | ||
- | (c) You are running cron/at jobs on a system other than indigo/ | + | |
- | + | ||
- | All cron/at jobs run as you. Without a Kerberos ticket, the cron job will not be able to access /eecs or your home directory unless you keep your Kerberos ticket active. | + | |
- | + | ||
- | Alternatively, | + | |
- | + | ||
- | It is preferable, if possible, to run your at/cron jobs on indigo/ | + | |
- | + | ||
- | ===== View Your Kerberos | + | |
In order to view your Kerberos Tickets, use the " | In order to view your Kerberos Tickets, use the " | ||
Line 55: | Line 43: | ||
</ | </ | ||
- | Here, we see that user " | + | Here, we see that user " |
- | ===== Destroy Your Kerberos | + | ===== How do I renew my Kerberos |
- | Bob can destroy his Kerberos ticket | + | Every time you login to a system, you get a new Kerberos ticket |
- | < | + | Before the ticket 10 hour expiry, run the "kinit -R" command which will renew your ticket for another 10 hours. |
- | % kdestroy | + | |
- | % klist | + | |
- | klist: No credentials cache found (filename: / | + | |
- | </ | + | |
- | Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | + | After 7 days, or, if you do not renew your ticket before |
- | You don't need to destroy your Kerberos ticket | + | ===== How do I get a new Kerberos ticket? ===== |
- | ===== Get A New Kerberos Ticket ===== | + | You can get a new Kerberos ticket at any time. Simply run the " |
- | + | ||
- | You can get a new Kerberos ticket at any time. Simply run the command | + | |
< | < | ||
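Review bot: "Before the ticket 10 hour expiry, run the "kinit -R" command" in the new renewal section should read "Before the ticket's 10-hour expiry, run the "kinit -R" command"; the same hyphenation ("10-hour", "7-day") applies to the other lifetime mentions in this hunk so the sections read consistently.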
Line 87: | Line 69: | ||
</ | </ | ||
- | You can run " | + | ===== How do I destroy my Kerberos ticket? ===== |
- | ===== Unattended Scripts or At/Cron Jobs ===== | + | You can manually destroy your ticket at any time using the " |
- | If you need to run a long-term unattended script or at/cron job for longer than 7 days on a system other than indigo/indigo1/navy/ | + | < |
+ | % kdestroy | ||
+ | % klist | ||
+ | klist: No credentials cache found (filename: | ||
+ | </code> | ||
+ | |||
+ | Although the ticket | ||
+ | |||
+ | ===== Processes That Run for Up To 7 Days ===== | ||
+ | |||
+ | For processes | ||
+ | |||
+ | Run your job using krenew: | ||
+ | |||
+ | krenew -- < | ||
+ | |||
+ | This will run < | ||
+ | |||
+ | krenew | ||
+ | |||
+ | krenew -b -- <full path to command> | ||
+ | |||
+ | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session | ||
+ | |||
+ | krenew -K 60 -b | ||
+ | |||
+ | krenew will run in the background, automatically renewing your Kerberos ticket | ||
+ | |||
+ | ===== Processes That Run for More Than 7 Days ===== | ||
- | ==== Creating a Keytab ==== | + | For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure: |
- | In order to create a custom keytab file, run the ktutil command, replacing < | + | First, you will create a custom keytab file using the ktutil command, replacing < |
< | < | ||
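Review bot: the keytab step ("First, you will create a custom keytab file using the ktutil command") says nothing about who may read the resulting file, yet the later text notes that the keytab is enough for kinit to obtain a ticket without a password. Suggest adding a line such as "chmod 600 <full path to keytab file>" directly after the ktutil step and stating that the file should live only in the user's own home directory.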
Line 105: | Line 115: | ||
</ | </ | ||
- | The keytab file will be written to a file called < | + | The keytab file will be written to a file called < |
Test that the keytab file can be used to authenticate as you. First, run " | Test that the keytab file can be used to authenticate as you. First, run " | ||
Line 113: | Line 123: | ||
</ | </ | ||
- | Now run kinit, passing in the keytab file: | + | You can optionally test your keytab file by passing it to kinit like this: |
< | < | ||
- | % kinit bob -k -t /eecs/home/bob/bob.keytab | + | % kinit < |
</ | </ | ||
+ | |||
+ | Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket. | ||
If you see the following error: | If you see the following error: | ||
Line 127: | Line 139: | ||
... then your password is too old. Please use the " | ... then your password is too old. Please use the " | ||
- | ==== Renewing Your Kerberos | + | You should be able to list your new Kerberos |
- | Once you can successfully pass your newly created keytab file to kinit without error, now you can make it run daily via a cron job. Run " | + | Now, you can run your job using k5start: |
- | <code> | + | k5start -f <full path to keytab file> < |
- | 0 23 * * * kinit < | + | |
- | </code> | + | This will run the command in the foreground. |
+ | |||
+ | k5start can also be used to run your command in the background like this: | ||
+ | |||
+ | k5start -f <full path to keytab file> < | ||
+ | |||
+ | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to remain valid indefinately, | ||
+ | |||
+ | k5start -f <full path to keytab file> -K 60 < | ||
+ | |||
+ | Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately. | ||
- | Here, kinit runs at 11:00 PM nightly to renew the users Kerberos ticket for 7 days using the keytab file that you setup. | + | Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. |
- | NOTE: If the system is rebooted, you will have to login manually one time, then the cron job will take care of ensuring your ticket is renewed from that point forward. | + | ===== Additional Information ===== |
- | Once again, please only use this procedure if absolutely necessary, and delete the keytab file and cron job when you no longer need to run the script anymore. | ||
- | |||
If you're interested in learning more about Kerberos, you can read [[https:// | If you're interested in learning more about Kerberos, you can read [[https:// | ||
As always, be sure to email tech with any questions that you might have. | As always, be sure to email tech with any questions that you might have. | ||
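Review bot: "indefinately" appears twice in the k5start -K 60 paragraph and the sentence after it; it should be "indefinitely". Separately, the old sentence asking users to delete the keytab file and cron job once the script is no longer needed was removed without a replacement; since the new text keeps the keytab-based procedure, suggest restoring that advice next to the note about regenerating the keytab after a password change.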
login/kerberos.1625325429.txt.gz · Last modified: 2021/07/03 11:17 by jas