

Kerberos for EECS Linux Systems

In order to enhance system security, the tech team has implemented Kerberos across tech-supported Linux systems. Our Windows systems already use Kerberos.

The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network.

Kerberos is an authentication protocol that works using tickets. When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket. This ticket is used to gain access to resources such as your home directory, or other systems.

How Does this Affect Me?

Kerberos tickets have a 10 hour lifetime. When they expire, you will lose access to /eecs, including system software, and your home directory, until you get a new ticket.

You will not be affected by this change if you fall into the following categories:

1) If your login session is less than 10 hours in duration, you won't be affected by this change no matter which system you use.

2) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by Kerberos ticket expiry.

You will be affected by this change if you fall into the following categories:

1) If your login sessions are typically longer than 10 hours, you will be affected by this change.

2) If you run compute intensive jobs that will run for more than 10 hours, you will be affected by this change.

View Your Kerberos Ticket

In order to view your Kerberos Tickets, use the “klist” command from a “Terminal” or SSH session:

% klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: bob@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
12/16/2020 09:52:21  12/16/2020 19:52:20  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
	renew until 12/23/2020 09:52:21

Here, we see that user “bob” has a Kerberos ticket created on December 16, 2020 at 9:52:21 AM when he logged in to an EECS Linux system. That ticket will expire in 10 hours, and is renewable for up to 7 days.

How do I renew my Kerberos ticket?

Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days.

Kerberos tickets expire every 10 hours. Before the ticket expires, you can run the “kinit -R” command which will renew your ticket for another 10 hours.

After 7 days, or if you don't renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!
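The two expiry deadlines above (the 10 hour ticket lifetime and the 7 day "renew until" limit) are both visible in the klist output shown earlier. The following shell script is an added example, not part of this page or of the EECS tools: it parses that klist layout from a constructed sample and reports whether "kinit -R" will still work, whether a fresh "kinit" is needed, or whether nothing needs doing. It assumes GNU date (Linux) for timestamp arithmetic; the function names and the one hour "renew soon" threshold are our own choices.

```shell
#!/bin/sh
# Added example (not from the EECS page): inspect the Kerberos TGT shown by
# `klist` and decide whether `kinit -R` is still possible or a new `kinit`
# (password prompt) is required. Assumes GNU date for `date -d` (Linux).

# Constructed sample in the exact layout klist prints on the EECS systems.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: bob@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
12/16/2020 09:52:21  12/16/2020 19:52:20  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
        renew until 12/23/2020 09:52:21'

# tgt_expiry "<klist output>": prints the Expires timestamp of the krbtgt line
tgt_expiry() {
    printf '%s\n' "$1" | awk 'index($0, "krbtgt/") { print $3 " " $4; exit }'
}

# tgt_renew_until "<klist output>": prints the "renew until" timestamp
tgt_renew_until() {
    printf '%s\n' "$1" | awk '/renew until/ { print $3 " " $4; exit }'
}

# to_epoch "MM/DD/YYYY HH:MM:SS": seconds since the epoch (GNU date syntax)
to_epoch() {
    date -d "$1" +%s
}

# ticket_action "<klist output>" "<now as MM/DD/YYYY HH:MM:SS>"
# Prints one of:
#   kinit    ticket expired, or past its renew-until limit: need a new ticket
#   kinit-R  less than an hour of lifetime left: renew now
#   ok       nothing to do yet
ticket_action() {
    now=$(to_epoch "$2")
    exp=$(to_epoch "$(tgt_expiry "$1")")
    ru=$(to_epoch "$(tgt_renew_until "$1")")
    if [ "$now" -ge "$exp" ] || [ "$now" -ge "$ru" ]; then
        echo kinit
    elif [ $((exp - now)) -le 3600 ]; then
        echo kinit-R
    else
        echo ok
    fi
}

# Demo on the constructed sample: 5 hours into a 10 hour ticket prints "ok".
ticket_action "$SAMPLE_KLIST" "12/16/2020 14:52:21"
```

To check a live session instead of the sample, feed the real output in with `ticket_action "$(klist)" "$(date '+%m/%d/%Y %H:%M:%S')"`; the "kinit-R" result is the cue to run "kinit -R" before the 10 hour expiry passes and the ticket stops being renewable.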

How do I get a new Kerberos ticket?

You can get a new Kerberos ticket at any time. Simply run the command “kinit”, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours, and renewable for up to 7 days. It's really that simple.

% kinit
Password for bob@AD.EECS.YORKU.CA: 
% klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: bob@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
12/16/2020 10:13:25  12/16/2020 20:13:25  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
	renew until 12/23/2020 10:13:23

You can run “kinit” any time you wish to generate a new Kerberos ticket that is valid for an additional 7 days.

How do I destroy my Kerberos ticket?

You can manually destroy your ticket at any time using the “kdestroy” command. For example:

% kdestroy
% klist
klist: No credentials cache found (filename: /tmp/krb5cc_9999)

Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. However, the next time Bob logs in, he will get a new ticket, and access will resume.

Login Sessions That Will Last More Than 7 Days

If your login session will last more than 7 days, you will have to renew your ticket every 10 hours with “kinit -R”. After 7 days, simply use the “kinit” command, re-enter your password, and you'll get a new 7 day ticket.

Unattended Scripts or At/Cron Jobs

If you will be running unattended scripts such as compute jobs, there are several categories of jobs:

Compute Jobs that will run for less than 7 days

For compute jobs that will run for less than 7 days (on compute servers other than , follow this procedure:

Run your job using krenew:

krenew -- <cmd>

This will run <cmd> in the foreground. It will wake up every hour, and check the expiry of your Kerberos ticket. It will renew your ticket before the 10 hour expiry, up to the 7 days.

krenew can also be used to run <cmd> in the background like this:

krenew -b -- <cmd>

Note that <cmd> must include the full path to the command.

Compute Jobs that will run for more than 7 days

For compute jobs that will run for more than 7 days follow this procedure:

First, you will create a custom keytab file using the ktutil command, replacing <user> with your username:

% ktutil
ktutil: addent -password -p <user> -k 1 -e aes256-cts
Password for <user>@AD.EECS.YORKU.CA: [enter your password]
ktutil: wkt /eecs/home/<user>/<user>.keytab
ktutil: quit

The keytab file will be written to a file called <user>.keytab in your home directory. You can name the file whatever you like. The permission on the file will be 600. That is, the file will be readable by you, and only you. Please don't change the permission on this file. If someone gets a hold of this file, they will be able to access your files!

Test that the keytab file can be used to authenticate as you. First, run “kdestroy” to destroy your current Kerberos ticket:

% kdestroy

Now run kinit, passing in the keytab file:

% kinit bob -k -t /eecs/home/bob/bob.keytab

If you see the following error:

kinit: Pre-authentication failed: No key table entry found for <user>@AD.EECS.YORKU.CA while getting initial credentials

… then your password is too old. Please use the “passwd” command to change your system password, then re-issue the ktutil command above, and it will work now.

Now, you will run your job using k5start:

k5start -f <keytab file> <user> -- <cmd>

This will run <cmd> in the foreground. It will wake up every hour, and check the expiry of your Kerberos ticket. Your ticket will be renewed indefinitely using your keytab.

k5start can also be used to run <cmd> in the background like this:

k5start -f <keytab file> <user> -b -- <cmd>
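The two procedures above (krenew for jobs under 7 days, k5start with a keytab for longer jobs) share the same pitfalls: the command must be given as a full path, and the keytab must stay mode 600 and owned by you, since anyone holding it can authenticate as you. The following shell script is an added example, not part of this page or of the krenew/k5start tools: it checks a keytab's ownership and mode before anything uses it, and composes the right wrapper invocation for a given job length. It assumes GNU stat (Linux); the function names, the placeholder user "bob", and the job path "/usr/bin/myjob" are ours.

```shell
#!/bin/sh
# Added example (not from the EECS page): pick krenew or k5start for an
# unattended job, and refuse to hand a keytab to k5start if its permissions
# have drifted from the 600 that ktutil wrote. Assumes GNU stat (Linux).

# keytab_ok <path>: returns 0 if the file exists, is owned by the caller and
# is mode 600; otherwise prints the reason to stderr and returns 1.
keytab_ok() {
    kt=$1
    [ -f "$kt" ] || { echo "keytab_ok: $kt: no such file" >&2; return 1; }
    owner=$(stat -c %U "$kt")
    mode=$(stat -c %a "$kt")
    [ "$owner" = "$(id -un)" ] || {
        echo "keytab_ok: $kt: owned by $owner, not you" >&2; return 1; }
    [ "$mode" = 600 ] || {
        echo "keytab_ok: $kt: mode $mode, expected 600 (fix: chmod 600 $kt)" >&2
        return 1; }
    return 0
}

# job_wrapper_cmd <days> <keytab-or-empty> <user> <cmd> [args...]
# Prints the wrapper invocation (background form, -b) without running it:
# krenew for jobs shorter than 7 days, k5start with the keytab otherwise.
# Fails when <cmd> is not an absolute path (both wrappers need the full
# path) or when the keytab check fails.
job_wrapper_cmd() {
    days=$1; kt=$2; user=$3; shift 3
    case $1 in
        /*) ;;
        *) echo "job_wrapper_cmd: '$1' must be the full path to the command" >&2
           return 1 ;;
    esac
    if [ "$days" -lt 7 ]; then
        echo "krenew -b -- $*"
    else
        keytab_ok "$kt" || return 1
        echo "k5start -f $kt $user -b -- $*"
    fi
}

# Demo with constructed values (no real credentials involved):
#   job_wrapper_cmd 3 "" bob /usr/bin/myjob   prints   krenew -b -- /usr/bin/myjob
job_wrapper_cmd 3 "" bob /usr/bin/myjob
```

Wrapping the composed line in `eval` (or `sh -c`) turns it into an actual launch; keeping the two functions separate means the keytab check also runs cleanly from a cron job's preamble, so a keytab that has been chmod'ed open is reported rather than silently used.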

Additional Information

If you're interested in learning more about Kerberos, you can read this or watch this video.

As always, be sure to email tech with any questions that you might have.

login/kerberos.1625767064.txt.gz · Last modified: 2021/07/08 13:57 by jas