login:kerberos
Differences
login:kerberos [2021/07/08 15:19] – jas | login:kerberos [2024/01/22 09:25] (current) – jas | ||
---|---|---|---|
Line 5: | Line 5: | ||
The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | ||
- | Kerberos is an authentication protocol that works using tickets. | + | Kerberos is an authentication protocol that works using tickets. |
- | ===== How Does this Affect Me? ===== | + | ===== How does this affect me? ===== |
- | Kerberos tickets have a 10 hour lifetime. | + | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password. When your Kerberos ticket expires, you will temporarily |
- | You will not be affected by this change if you fall into the following categories: | + | You will **not** be affected by this change if your usage falls into one of the following categories: |
- | 1) If your login session is less than 10 hours in duration, you won't be affected by this change | + | 1) Login sessions to indigo/ |
- | 2) Login sessions | + | 2) Local logins |
- | You **will** be affected by this change | + | 3) Login sessions less than 10 hours in duration |
- | 1) If your login sessions are typically longer than 10 hours, you will be affected by this change. | + | You **will** be affected by this change |
- | 2) If you run compute intensive jobs that will run for more than 10 hours that you wish to run unattended, you will be affected by this change. | + | 1) If you SSH to any tech-managed systems other than indigo/ |
- | ===== View Your Kerberos | + | 2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. |
+ | |||
+ | 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. | ||
+ | |||
+ | If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically. | ||
+ | |||
+ | ===== How can I view my Kerberos | ||
In order to view your Kerberos Tickets, use the " | In order to view your Kerberos Tickets, use the " | ||
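Review bot: the new sentence "When your Kerberos ticket expires, you will temporarily" stops short of saying what is temporarily lost; the later text in this revision says access to the home directory, so state that here ("you will temporarily lose access to your home directory until you renew or obtain a new ticket") rather than leaving the consequence implied. The "not affected" list would also be easier to apply if it said why local logins are exempt (whether such logins receive a Kerberos ticket at all), so readers can classify their own usage.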
Line 43: | Line 49: | ||
Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | ||
- | Kerberos tickets expire every 10 hours. | + | Before the ticket |
- | After 7 days, or if you don' | + | After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! |
===== How do I get a new Kerberos ticket? ===== | ===== How do I get a new Kerberos ticket? ===== | ||
- | You can get a new Kerberos ticket at any time. Simply run the command | + | You can get a new Kerberos ticket at any time. Simply run the " |
< | < | ||
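Review bot: stray comma in "or, if you do not renew your ticket"; it should read "or if you do not renew your ticket before the 10 hour expiry". It would also help to tie the 7-day limit to the "renew until" line in the klist output shown further down: that timestamp is fixed when the ticket is first obtained, so renewing only pushes the 10-hour expiry forward up to that point and never past it.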
Line 62: | Line 68: | ||
renew until 12/23/2020 10:13:23 | renew until 12/23/2020 10:13:23 | ||
</ | </ | ||
- | |||
- | You can run " | ||
- | |||
===== How do I destroy my Kerberos ticket? ===== | ===== How do I destroy my Kerberos ticket? ===== | ||
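Review bot: the deleted sentence beginning "You can run" was the only text in this region that told the reader which command to run, and the earlier statement that the ticket can be renewed "either manually, or automatically" still stands; make sure the manual renewal command is documented somewhere in the new revision (for instance under "How do I get a new Kerberos ticket?") rather than dropped outright.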
Line 78: | Line 81: | ||
Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | ||
- | ===== Processes That Run for Less Than 7 Days ===== | + | ===== Processes That Run for Up To 7 Days ===== |
- | For processes that will run for less than 7 days where you are unable | + | For processes that will run for up to 7 days where it would be impractical |
Run your job using krenew: | Run your job using krenew: | ||
- | krenew -- <cmd> | + | krenew -- <command> |
- | This will run <cmd> in the foreground. It will wake up every hour, and check the expiry of your Kerberos ticket. It will renew your ticket before the 10 hour expiry, up to the 7 days. | + | This will run <command> in the foreground. |
- | krenew can also be used to run < | + | krenew can also be used to run the command |
- | krenew -b -- <cmd> | + | krenew -b -- <full path to command> |
- | Note that <cmd> must include | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session |
+ | |||
+ | krenew -K 60 -b | ||
+ | |||
+ | krenew will run in the background, automatically renewing your Kerberos ticket for your login session. | ||
===== Processes That Run for More Than 7 Days ===== | ===== Processes That Run for More Than 7 Days ===== | ||
- | For processes that will run for more than 7 days, follow this procedure: | + | For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure: |
First, you will create a custom keytab file using the ktutil command, replacing < | First, you will create a custom keytab file using the ktutil command, replacing < | ||
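Review bot: the foreground krenew example no longer says how often the ticket is checked (the old text said every hour), while the SSH-session example adds "-K 60" explicitly; state the interval in both places, or use -K in both, so readers do not assume the two invocations behave differently. Worth one more sentence for "krenew -K 60 -b": a background krenew keeps the session's credentials renewable for the full 7 days even after the user stops working, so point readers to the "How do I destroy my Kerberos ticket?" section for ending it once the job is done.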
Line 108: | Line 115: | ||
</ | </ | ||
- | The keytab file will be written to a file called < | + | The keytab file will be written to a file called < |
Test that the keytab file can be used to authenticate as you. First, run " | Test that the keytab file can be used to authenticate as you. First, run " | ||
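Review bot: the step that writes the keytab should tell the reader to restrict the file's permissions (for example "chmod 600 <full path to keytab file>") and keep it in a directory only they can read, because a keytab holds key material equivalent to the password: anyone who can read it can obtain tickets as that user without being prompted, which the later "you will not be asked to enter your password" note implies but does not state as a risk.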
Line 116: | Line 123: | ||
</ | </ | ||
- | Now run kinit, passing in the keytab file: | + | You can optionally test your keytab file by passing it to kinit like this: |
< | < | ||
- | % kinit bob -k -t /eecs/home/bob/bob.keytab | + | % kinit < |
</ | </ | ||
+ | |||
+ | Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket. | ||
If you see the following error: | If you see the following error: | ||
Line 130: | Line 139: | ||
... then your password is too old. Please use the " | ... then your password is too old. Please use the " | ||
- | Now, you will run your job using k5start: | + | You should be able to list your new Kerberos ticket using the " |
+ | |||
+ | Now, you can run your job using k5start: | ||
+ | |||
+ | k5start -f <full path to keytab file> < | ||
+ | |||
+ | This will run the command in the foreground. | ||
+ | |||
+ | k5start can also be used to run your command in the background like this: | ||
- | k5start -f <keytab file> < | + | k5start -f <full path to keytab file> < |
- | This will run <cmd> in the foreground. | + | Finally, if instead |
- | k5start | + | |
- | | + | Now, k5start |
- | You must include the full path to the <keytab file> and full path to < | + | Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. |
- | aNote that <cmd> must include the full path to the command. | + | |
- | ====== Additional Information | + | ===== Additional Information ===== |
If you're interested in learning more about Kerberos, you can read [[https:// | If you're interested in learning more about Kerberos, you can read [[https:// |
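Review bot: the keytab test is described as optional ("You can optionally test your keytab file"), but the "password is too old" error explained right after it only appears when that test is run; either make the test a required step or move the error explanation to where kinit is otherwise invoked. The new password-change note is correct (the keytab entry is derived from the password, so a changed password invalidates it); add that the keytab should be deleted once the long-running job finishes, for the same reason its permissions need restricting.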
login/kerberos.1625771969.txt.gz · Last modified: 2021/07/08 15:19 by jas