EECS Technical Database

User Tools

Site Tools

You are here: Technical Database » Login and Remote Access » Kerberos for EECS Linux Systems
Trace:
login:kerberos

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
login:kerberos [2021/07/08 15:51] jaslogin:kerberos [2024/01/22 09:25] (current) jas
Line 5: Line 5:
 The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network.
  
-Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, or other systems.+Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, software, or other systems.
  
-===== How Does this Affect Me? =====+===== How does this affect me? =====
  
-Kerberos tickets have a 10 hour lifetime.  When they expire, you will lose access to /eecs, including system software, and your home directory, until you get a new ticket +Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter a password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more
  
-You will not be affected by this change if you fall into the following categories:+You will **not** be affected by this change if your usage falls into one of the following categories:
  
-1) If your login session is less than 10 hours in duration, you won't be affected by this change no matter which system you use.+1) Login sessions to indigo/indigo1 (research) or red/red1/crimson (education) are not affected by this change. 
  
-2) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by Kerberos ticket expiry+2) Local logins to office or lab workstations, or logins via remotelab are not affected by this change.
  
-You **will** be affected by this change if you fall into the following categories:+3) Login sessions less than 10 hours in duration will not be affected by this change.
  
-1) If your login sessions are typically longer than 10 hours, you will be affected by this change.+You **will** be affected by this change if your usage falls into one of the following categories:
  
-2) If you run compute intensive jobs that will run for more than 10 hours that you wish to run unattended, you will be affected by this change.+1) If you SSH to any tech-managed systems other than indigo/indigo1 (research), or red/red1/crimson (education), you will be affected by this change.
  
-===== How Can View My Kerberos Ticket? =====+2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. 
 + 
 +3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. 
 + 
 +If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically.  Please continue to read this document for additional details. 
 + 
 +===== How can view my Kerberos ticket? =====
  
 In order to view your Kerberos Tickets, use the "klist" command from a "Terminal" or SSH session: In order to view your Kerberos Tickets, use the "klist" command from a "Terminal" or SSH session:
Line 43: Line 49:
 Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days.
  
-Kerberos tickets expire every 10 hours.  Before the ticket expiresyou can run the "kinit -R" command which will renew your ticket for another 10 hours.+Before the ticket 10 hour expiry, run the "kinit -R" command which will renew your ticket for another 10 hours.  You will not be required to re-enter your password.
  
-After 7 days, or if you don'renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!+After 7 days, orif you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!
  
 ===== How do I get a new Kerberos ticket? ===== ===== How do I get a new Kerberos ticket? =====
  
-You can get a new Kerberos ticket at any time.  Simply run the command "kinit", enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours, and automatically renewed for up to days.  It's really that simple.+You can get a new Kerberos ticket at any time.  Simply run the "kinit" command, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours with a new day expiry.  Your ticket doesn't even need to expire before it can be renewed For example:
  
 <code> <code>
Line 62: Line 68:
  renew until 12/23/2020 10:13:23  renew until 12/23/2020 10:13:23
 </code> </code>
- 
-You can run "kinit" any time you wish to generate a new Kerberos ticket that is valid for an additional 7 days. 
- 
  
 ===== How do I destroy my Kerberos ticket? ===== ===== How do I destroy my Kerberos ticket? =====
Line 78: Line 81:
 Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume. Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume.
  
-===== Processes That Run for Less Than 7 Days =====+===== Processes That Run for Up To 7 Days =====
  
-For processes that will run for less than 7 days where you are unable to manually renew the Kerberos ticket every 10 hours, follow this procedure:+For processes that will run for up to 7 days where it would be impractical to manually renew the Kerberos ticket every 10 hours, follow this procedure:
  
 Run your job using krenew: Run your job using krenew:
  
-  krenew -- <cmd>+  krenew -- <command>
  
-This will run <cmd> in the foreground.  It will wake up every hour, and check the expiry of your Kerberos ticket.  It will renew your ticket before the 10 hour expiry, up to the 7 days.+This will run <command> in the foreground.  It will renew your ticket before the 10 hour expiry, for up to 7 days.  After 7 days, your Kerberos ticket will expire, and your process will lose access to /eecs.
  
-krenew can also be used to run <cmd> in the background like this:+krenew can also be used to run the command in the background like this:
  
-  krenew -b -- <cmd>+  krenew -b -- <full path to command>
  
-Note that <cmd> must include the full path to the command.+Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to automatically remain valid for up to 7 days, just run "krenew" like this: 
 + 
 +  krenew -K 60 -b 
 + 
 +krenew will run in the background, automatically renewing your Kerberos ticket for your login session.  That session will remain valid for up to 7 days.  As always, use "klist" to view your Kerberos tickets at any time.
  
 ===== Processes That Run for More Than 7 Days ===== ===== Processes That Run for More Than 7 Days =====
  
-For processes that will run for more than 7 days, follow this procedure:+For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure:
  
 First, you will create a custom keytab file using the ktutil command, replacing <user> with your username: First, you will create a custom keytab file using the ktutil command, replacing <user> with your username:
Line 108: Line 115:
 </code> </code>
  
-The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files!+The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files, so please protect this file, and delete it, if possible, after your long running process completes.
  
 Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket: Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket:
Line 116: Line 123:
 </code> </code>
  
-Now run kinit, passing in the keytab file:+You can optionally test your keytab file by passing it to kinit like this:
  
 <code> <code>
-% kinit bob -k -t /eecs/home/bob/bob.keytab+% kinit <user> -k -t /eecs/home/<user>/<user>.keytab
 </code> </code>
 +
 +Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket.  
  
 If you see the following error: If you see the following error:
Line 130: Line 139:
 ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now. ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now.
  
-Now,  you will run your job using k5start:+You should be able to list your new Kerberos ticket using the "klist" command.  You will see that it is valid for 10 hours with a 7 day expiry. 
 + 
 +Now, you can run your job using k5start
 + 
 +  k5start -f <full path to keytab file> <user>  -- <full path to command> 
 + 
 +This will run the command in the foreground.  Your command will continue to run with a ticket that will be renewed indefinately using your keytab file.  Stop the k5start process, and your ticket will no longer be renewed. 
 + 
 +k5start can also be used to run your command in the background like this:
  
-  k5start -f <keytab file> <user>  -- <cmd>+  k5start -f <full path to keytab file> <user> -b -- <full path to command>
  
-This will run <cmd> in the foreground.  It will wake up every hourand check the expiry of your Kerberos ticket.  Your ticket will be renewed indefinitely using your keytab.+Finallyif instead of running a process, you want the Kerberos ticket of your SSH login session to remain valid indefinately, just run "k5start" like this:
  
-k5start can also be used to run <cmdin the background like this:+  k5start -f <full path to keytab file> -K 60 <user-b
  
-  k5start -f <keytab file> <user> -b -- <cmd>+Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately.
  
-You must include the full path to the <keytab file> and full path to <cmd>+Please note that if you change your password at any point in time, you will also need to regenerate your keytab file.
-aNote that <cmd> must include the full path to the command.+
  
 ===== Additional Information ===== ===== Additional Information =====
login/kerberos.1625773866.txt.gz · Last modified: 2021/07/08 15:51 by jas