login:kerberos
Differences
login:kerberos [2021/07/08 13:52] – jas | login:kerberos [2024/01/22 09:25] (current) – jas | ||
---|---|---|---|
Line 5: | Line 5: | ||
The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | ||
- | Kerberos is an authentication protocol that works using tickets. | + | Kerberos is an authentication protocol that works using tickets. |
- | ===== How Does this Affect Me? ===== | + | ===== How does this affect me? ===== |
- | Kerberos tickets have a 10 hour lifetime. | + | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password. When your Kerberos ticket expires, you will temporarily |
- | You will not be affected by this change if you fall into the following categories: | + | You will **not** be affected by this change if your usage falls into one of the following categories: |
- | 1) If your login session is less than 10 hours in duration, you won't be affected by this change | + | 1) Login sessions to indigo/ |
- | 2) Login sessions | + | 2) Local logins |
- | You **will** be affected by this change | + | 3) Login sessions less than 10 hours in duration |
- | 1) If your login sessions are typically longer than 10 hours, you will be affected by this change. | + | You **will** be affected by this change |
- | 2) If you run compute intensive jobs that will run for more than 10 hours, you will be affected by this change. | + | 1) If you SSH to any tech-managed systems other than indigo/ |
- | ===== View Your Kerberos | + | 2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. |
+ | |||
+ | 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. | ||
+ | |||
+ | If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically. | ||
+ | |||
+ | ===== How can I view my Kerberos | ||
In order to view your Kerberos Tickets, use the " | In order to view your Kerberos Tickets, use the " | ||
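Review bot: the rewritten "How does this affect me?" text says tickets "can be renewed for up to 7 days without needing to re-enter a password" and that affected users "will need to renew your Kerberos ticket either manually, or automatically", but neither sentence states the two conditions that make renewal work: the renewal has to happen before the 10 hour expiry, and the 7 days are counted from the login that issued the ticket, not from the most recent renewal. Add both here; a reader who only renews after the ticket has lapsed, or who expects renewals to carry a week-old ticket forward, is locked out regardless. The word "automatically" should also name the tools this page introduces further down (krenew for a login session or a process, k5start with a keytab for longer jobs) so that each of the three affected categories maps to a procedure.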
Line 43: | Line 49: | ||
Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | ||
- | Kerberos tickets expire every 10 hours. | + | Before the ticket |
- | After 7 days, your ticket is no longer renewable and you need a new one! | + | After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! |
- | ===== How do I get a new Kerberos ticket ===== | + | ===== How do I get a new Kerberos ticket? ===== |
- | You can get a new Kerberos ticket at any time. Simply run the command | + | You can get a new Kerberos ticket at any time. Simply run the " |
< | < | ||
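Review bot: "can be renewed up to 7 days" needs to say what the 7 days is measured from. The renewable lifetime is fixed when the ticket is first issued at login; each renewal only restarts the 10 hour lifetime up to that fixed deadline, so a ticket renewed on day 6 still dies on day 7. The added clause "or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable" is correct and should stay; paired with the first point it gives the reader exactly the two ways renewal fails and explains why the "renew until" value in the klist output below is the one to check.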
Line 62: | Line 68: | ||
renew until 12/23/2020 10:13:23 | renew until 12/23/2020 10:13:23 | ||
</ | </ | ||
- | |||
- | You can run " | ||
- | |||
===== How do I destroy my Kerberos ticket? ===== | ===== How do I destroy my Kerberos ticket? ===== | ||
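Review bot: deleting the sentence that began "You can run ..." after the klist output leaves the example, which ends in renew until 12/23/2020 10:13:23, with no explanation of that field. Keep one sentence saying that "renew until" is the absolute deadline past which neither manual renewal nor krenew can extend the ticket and a fresh kinit with the password is required; that is the value a user with a multi-day job has to read before starting it.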
Line 78: | Line 81: | ||
Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | ||
- | ===== Login Sessions | + | ===== Processes |
- | If your login session | + | For processes that will run for up to 7 days where it would be impractical |
- | ===== Unattended Scripts or At/Cron Jobs ===== | + | Run your job using krenew: |
- | If you will be running unattended scripts such as compute jobs, there are several categories of jobs: | + | krenew -- < |
- | ==== Compute Jobs that will run for less than 7 days ==== | + | This will run < |
- | + | ||
- | For compute jobs that will run for less than 7 days (on compute servers other than , follow this procedure: | + | |
- | + | ||
- | Run your job using krenew: | + | |
- | | + | krenew |
- | This will run <cmd> in the foreground. | + | krenew -b -- <full path to command> |
- | krenew can also be used to run <cmd> in the background | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session |
- | krenew -b -- <cmd> | + | krenew |
- | Note that <cmd> must include | + | krenew will run in the background, automatically renewing your Kerberos ticket for your login session. |
- | ==== Compute Jobs that will run for more than 7 days ==== | + | ===== Processes That Run for More Than 7 Days ===== |
- | For compute jobs that will run for more than 7 days follow this procedure: | + | For processes |
First, you will create a custom keytab file using the ktutil command, replacing < | First, you will create a custom keytab file using the ktutil command, replacing < | ||
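Review bot: the new "krenew -- <full path to command>" and "krenew -b -- <full path to command>" instructions should warn that krenew can only extend the ticket already in the session's cache, whose renewable lifetime started at login; a job started on day 3 of a login session therefore gets four more days, not seven. Tell the reader to run kinit immediately before starting krenew so that the 7 day window starts with the job. For the last case, krenew left running in the background for an SSH login session, add that the renewer process may outlive the login and keeps the cached credentials alive until it is stopped; the user should kill it and run kdestroy (the section directly above this one) when finished with the session, otherwise the up-to-7-days framing understates how long the ticket actually remains usable.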
Line 116: | Line 115: | ||
</ | </ | ||
- | The keytab file will be written to a file called < | + | The keytab file will be written to a file called < |
Test that the keytab file can be used to authenticate as you. First, run " | Test that the keytab file can be used to authenticate as you. First, run " | ||
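Review bot: "The keytab file will be written to a file called <...>" should be followed by a permission check before the authentication test. The file holds the long-term key derived from your password, so anyone able to read it can obtain tickets as you until the password is changed. Add an ls -l step and a chmod 600 if the mode is anything wider than owner read/write, and say that the file belongs in a directory only the user can enter.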
Line 124: | Line 123: | ||
</ | </ | ||
- | Now run kinit, passing in the keytab file: | + | You can optionally test your keytab file by passing it to kinit like this: |
< | < | ||
- | % kinit bob -k -t /eecs/home/bob/bob.keytab | + | % kinit < |
</ | </ | ||
+ | |||
+ | Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket. | ||
If you see the following error: | If you see the following error: | ||
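Review bot: the added explanation "the keytab file includes what is required for kinit to initialize your Kerberos ticket" is too soft for what the file is; say directly that it stores your password-derived key and is therefore equivalent to your password. The removed example path /eecs/home/bob/bob.keytab also sat inside the home directory, and the kdestroy section above states that the home directory becomes inaccessible once the ticket is gone; a keytab kept there cannot be read to recover from a fully expired ticket, so the text should recommend a local directory that does not itself depend on a Kerberos ticket, with owner-only permissions.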
Line 138: | Line 139: | ||
... then your password is too old. Please use the " | ... then your password is too old. Please use the " | ||
- | Now, you will run your job using k5start: | + | You should be able to list your new Kerberos ticket |
- | | + | Now, you can run your job using k5start: |
- | k5start -- <cmd> | + | |
- | This will run <cmd> in the foreground. | + | k5start -f <full path to keytab file> <user> |
- | krenew can also be used to run < | + | This will run the command |
- | krenew -b -- <cmd> | + | k5start can also be used to run your command in the background like this: |
+ | k5start -f <full path to keytab file> < | ||
- | If you need to run a long-term unattended script for 7 days on a system other than indigo/ | + | Finally, if instead of running |
- | ==== Creating a Keytab ==== | + | k5start -f <full path to keytab file> -K 60 < |
+ | Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately. | ||
- | ==== Renewing Your Kerberos Ticket via Cron ==== | + | Please note that if you change |
- | + | ||
- | Once you can successfully pass your newly created keytab file to kinit without error, now you can make it run daily via a cron job. Run " | + | |
- | + | ||
- | < | + | |
- | 0 23 * * * kinit < | + | |
- | </ | + | |
- | + | ||
- | Here, kinit runs at 11:00 PM nightly to renew the users Kerberos ticket for 7 days using the keytab file that you setup. | + | |
- | NOTE: If the system is rebooted, you will have to login manually one time, then the cron job will take care of ensuring your ticket is renewed from that point forward. | + | ===== Additional Information ===== |
- | Once again, please only use this procedure if absolutely necessary, and delete the keytab file and cron job when you no longer need to run the script anymore. | ||
- | |||
If you're interested in learning more about Kerberos, you can read [[https:// | If you're interested in learning more about Kerberos, you can read [[https:// | ||
As always, be sure to email tech with any questions that you might have. | As always, be sure to email tech with any questions that you might have. | ||
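Review bot: the new k5start section drops the two pieces of guidance the removed cron section carried: use the keytab procedure only when necessary, and delete the keytab file (and now, stop k5start) when the job is finished. Restore both here; the keytab is a standing password-equivalent credential, and the k5start -K 60 loop will keep issuing fresh tickets from it until someone kills it. The sentence "Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately" has a typo (indefinitely) and slightly misstates the mechanism: with -f, k5start does not renew the existing ticket, it obtains a new one from the keytab at each interval, which is exactly why it is not bound by the 7 day renewable limit that caps krenew and why, unlike the removed nightly cron kinit that needed an existing cache (hence the old "login manually one time" after a reboot), it needs no prior ticket to work from. Finish the trailing "Please note that if you change ..." sentence with the consequence: after a password change the key stored in the keytab no longer matches the one the KDC holds, k5start starts failing at its next interval, and the keytab must be regenerated with ktutil.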
login/kerberos.1625766743.txt.gz · Last modified: 2021/07/08 13:52 (external edit)