login:kerberos

Differences

This shows you the differences between two versions of the page.

login:kerberos [2021/07/08 13:58] jas | login:kerberos [2024/01/22 09:25] (current) jas
Line 5: Line 5:
 The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network.
  
-Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, or other systems.+Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, software, or other systems.
  
-===== How Does this Affect Me? =====+===== How does this affect me? =====
  
-Kerberos tickets have a 10 hour lifetime.  When they expire, you will lose access to /eecs, including system software, and your home directory, until you get a new ticket +Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more
  
-You will not be affected by this change if you fall into the following categories:+You will **not** be affected by this change if your usage falls into one of the following categories:
  
-1) If your login session is less than 10 hours in duration, you won't be affected by this change no matter which system you use.+1) Login sessions to indigo/indigo1 (research) or red/red1/crimson (education) are not affected by this change. 
  
-2) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by Kerberos ticket expiry+2) Local logins to office or lab workstations, or logins via remotelab are not affected by this change.
  
-You **will** be affected by this change if you fall into the following categories:+3) Login sessions less than 10 hours in duration will not be affected by this change.
  
-1) If your login sessions are typically longer than 10 hours, you will be affected by this change.+You **will** be affected by this change if your usage falls into one of the following categories:
  
-2) If you run compute intensive jobs that will run for more than 10 hours, you will be affected by this change.+1) If you SSH to any tech-managed systems other than indigo/indigo1 (research), or red/red1/crimson (education), you will be affected by this change.
  
-===== View Your Kerberos Ticket =====+2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. 
 + 
 +3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. 
 + 
 +If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically.  Please continue to read this document for additional details. 
 + 
 +===== How can I view my Kerberos ticket? =====
  
 In order to view your Kerberos Tickets, use the "klist" command from a "Terminal" or SSH session: In order to view your Kerberos Tickets, use the "klist" command from a "Terminal" or SSH session:
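Review bot: the new unaffected-category 1 silently drops navy from the research host list (the old line read indigo/indigo1/navy, the new one indigo/indigo1), and the new affected-category 1 mirrors the shorter list; if navy is still a tech-managed system, say explicitly whether SSH sessions to it are affected, otherwise a reader who relied on the old text will assume its tickets never expire. Two smaller points in the same hunk: the rewritten lifetime sentence ends without a full stop ("software, and more") and no longer says when access comes back, so add "until the ticket is renewed or a new one is obtained"; and the new affected-category 2 sentence ("typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above") is hard to parse and could read "longer than 10 hours on any system not listed as unaffected above".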
Line 43: Line 49:
 Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days.
  
-Kerberos tickets expire every 10 hours.  Before the ticket expiresyou can run the "kinit -R" command which will renew your ticket for another 10 hours.+Before the ticket 10 hour expiry, run the "kinit -R" command which will renew your ticket for another 10 hours.  You will not be required to re-enter your password.
  
-After 7 days, or if you don'renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!+After 7 days, orif you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!
  
 ===== How do I get a new Kerberos ticket? ===== ===== How do I get a new Kerberos ticket? =====
  
-You can get a new Kerberos ticket at any time.  Simply run the command "kinit", enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours, and automatically renewed for up to days.  It's really that simple.+You can get a new Kerberos ticket at any time.  Simply run the "kinit" command, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours with a new day expiry.  Your ticket doesn't even need to expire before it can be renewed For example:
  
 <code> <code>
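Review bot: the new kinit sentence has lost the number in "with a new day expiry" (the old line had the same gap in "up to days"); it should read "with a new 7 day renewable lifetime", matching the "renewed up to 7 days" wording in the unchanged line above. Also "orif" should be "or if", "Before the ticket 10 hour expiry" should be "Before the ticket's 10 hour expiry", and a full stop is missing before "For example:". On substance the change is an improvement: the old "automatically renewed for up to days" suggested kinit renews on its own, whereas the new text correctly leaves renewal to "kinit -R" or to krenew as described further down.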
Line 62: Line 68:
  renew until 12/23/2020 10:13:23  renew until 12/23/2020 10:13:23
 </code> </code>
- 
-You can run "kinit" any time you wish to generate a new Kerberos ticket that is valid for an additional 7 days. 
- 
  
 ===== How do I destroy my Kerberos ticket? ===== ===== How do I destroy my Kerberos ticket? =====
Line 78: Line 81:
 Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume. Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume.
  
 +===== Processes That Run for Up To 7 Days =====
  
 +For processes that will run for up to 7 days where it would be impractical to manually renew the Kerberos ticket every 10 hours, follow this procedure:
  
-===== Unattended Scripts or At/Cron Jobs =====+Run your job using krenew:
  
-If you will be running unattended scripts such as compute jobs, there are several categories of jobs:+  krenew -- <command>
  
-==== Compute Jobs that will run for less than 7 days ====+This will run <command> in the foreground.  It will renew your ticket before the 10 hour expiry, for up to 7 days.  After 7 days, your Kerberos ticket will expire, and your process will lose access to /eecs.
  
-For compute jobs that will run for less than 7 days (on compute servers other than , follow this procedure:+krenew can also be used to run the command in the background like this:
  
-Run your job using krenew:+  krenew -b -- <full path to command>
  
-  krenew -- <cmd>+Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to automatically remain valid for up to 7 days, just run "krenew" like this:
  
-This will run <cmd> in the foreground.  It will wake up every hour, and check the expiry of your Kerberos ticket.  It will renew your ticket before the 10 hour expiry, up to the 7 days.+  krenew -K 60 -b
  
-krenew can also be used to run <cmd> in the background like this:+krenew will run in the background, automatically renewing your Kerberos ticket for your login session.  That session will remain valid for up to 7 days.  As always, use "klist" to view your Kerberos tickets at any time.
  
-  krenew -b -- <cmd>+===== Processes That Run for More Than 7 Days =====
  
-Note that <cmd> must include the full path to the command. +For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure:
- +
-==== Compute Jobs that will run for more than 7 days ==== +
- +
-For compute jobs that will run for more than 7 days follow this procedure:+
  
 First, you will create a custom keytab file using the ktutil command, replacing <user> with your username: First, you will create a custom keytab file using the ktutil command, replacing <user> with your username:
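Review bot: the -K 60 in "krenew -K 60 -b" is the only place that flag appears and nothing explains it, because the old "It will wake up every hour, and check the expiry" sentence was deleted rather than moved; add one sentence saying krenew checks the ticket every 60 minutes (the -K value) and renews it before the 10 hour expiry. The old note that the background form needs the full path to the command was also dropped and now survives only inside the "<full path to command>" placeholder; keep it as a sentence, since a reader copying the foreground form "krenew -- <command>" will otherwise not know why the background one fails. Finally, the paragraph for the session form should say how to stop the background krenew once the work is done, as the k5start section later does with "Stop the k5start process, and your ticket will no longer be renewed", so that renewal does not outlive the session it was started for.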
Line 114: Line 115:
 </code> </code>
  
-The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files!+The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files, so please protect this file, and delete it, if possible, after your long running process completes.
  
 Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket: Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket:
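Review bot: "they will be able to access your files" understates what the keytab is; ktutil writes a key derived from your password into it, so whoever holds the file can obtain tickets as you and reach anything Kerberos protects on your behalf, not just files (the next paragraph already says the keytab lets you "authenticate as you"). Say that plainly, and turn "delete it, if possible" into a definite instruction: remove the keytab as soon as the long running process has finished, and regenerate it after any password change (the later hunk states this, but it belongs next to the warning). The mode 600 description is good; it could also note that the file sits on /eecs, the same filesystem the tickets protect, which is one more reason not to leave it around.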
Line 122: Line 123:
 </code> </code>
  
-Now run kinit, passing in the keytab file:+You can optionally test your keytab file by passing it to kinit like this:
  
 <code> <code>
-% kinit bob -k -t /eecs/home/bob/bob.keytab+% kinit <user> -k -t /eecs/home/<user>/<user>.keytab
 </code> </code>
 +
 +Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket.  
  
 If you see the following error: If you see the following error:
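Review bot: "You can optionally test your keytab file" contradicts the unchanged instruction just before it ("Test that the keytab file can be used to authenticate as you. First, run kdestroy"): once kdestroy has run, the following text ("You should be able to list your new Kerberos ticket using the klist command") assumes the "kinit <user> -k -t" step was executed, so it is not optional in that flow. Either drop "optionally" or move the kdestroy step inside the optional test. The new note about not being asked for a password is right but vague ("includes what is required"); say that the keytab holds your Kerberos key, which is also why it must stay at mode 600. Replacing the bob example with <user> placeholders is a good change and matches the ktutil step above.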
Line 136: Line 139:
 ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now. ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now.
  
-Now,  you will run your job using k5start:+You should be able to list your new Kerberos ticket using the "klist" command.  You will see that it is valid for 10 hours with a 7 day expiry. 
 + 
 +Now, you can run your job using k5start: 
 + 
 +  k5start -f <full path to keytab file> <user>  -- <full path to command> 
 + 
 +This will run the command in the foreground.  Your command will continue to run with a ticket that will be renewed indefinately using your keytab file.  Stop the k5start process, and your ticket will no longer be renewed. 
 + 
 +k5start can also be used to run your command in the background like this: 
 + 
 +  k5start -f <full path to keytab file> <user> -b -- <full path to command>
  
-  k5start -f <keytab file> <user>  -- <cmd>+Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to remain valid indefinately, just run "k5start" like this:
  
-This will run <cmd> in the foreground.  It will wake up every hour, and check the expiry of your Kerberos ticket.  Your ticket will be renewed indefinately using your keytab.+  k5start -f <full path to keytab file> -K 60 <user> -b
  
-k5start can also be used to run <cmd> in the background like this:+Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately.
  
-  k5start -f <keytab file> <user> -b -- <cmd>+Please note that if you change your password at any point in time, you will also need to regenerate your keytab file.
  
-====== Additional Information ======+===== Additional Information =====
  
 If you're interested in learning more about Kerberos, you can read [[https://phoenixnap.com/blog/kerberos-authentication|this]] or watch [[https://www.youtube.com/watch?v=kp5d8Yv3-0c|this]] video. If you're interested in learning more about Kerberos, you can read [[https://phoenixnap.com/blog/kerberos-authentication|this]] or watch [[https://www.youtube.com/watch?v=kp5d8Yv3-0c|this]] video.
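Review bot: "indefinately" is misspelled in three places in this hunk (the foreground paragraph, the session form and its follow-up sentence); it should be "indefinitely". On substance, the session form "k5start -f <full path to keytab file> -K 60 <user> -b" starts a background process that keeps renewing from the keytab until it is stopped, and unlike the foreground paragraph ("Stop the k5start process, and your ticket will no longer be renewed") nothing here tells the reader how to find and stop it; add that, since a forgotten background k5start plus a keytab left in the home directory keeps working credentials alive long after the job has ended. The closing password note should also say that a running k5start must be restarted with the regenerated keytab, because the old keytab can no longer renew once the password changes. Lowering "====== Additional Information ======" to ===== correctly matches the other headings on the page.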
login/kerberos.1625767096.txt.gz · Last modified: 2021/07/08 13:58 by jas