login:kerberos
Differences
login:kerberos [2021/07/08 16:02] – jas | login:kerberos [2024/01/22 09:25] (current) – jas | ||
Line 5: | Line 5: | ||
The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. | ||
- | Kerberos is an authentication protocol that works using tickets. | + | Kerberos is an authentication protocol that works using tickets. |
===== How does this affect me? ===== | ===== How does this affect me? ===== | ||
- | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter | + | Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter |
- | You will **not** be affected by this change if you fall into the following categories: | + | You will **not** be affected by this change if your usage falls into one of the following categories: |
- | 1) If your login session is less than 10 hours in duration, you won't be affected by this change | + | 1) Login sessions to indigo/ |
- | 2) Login sessions | + | 2) Local logins |
- | You **will** be affected by this change | + | 3) Login sessions less than 10 hours in duration |
- | 1) If your login sessions are typically longer than 10 hours, you will be affected by this change. | + | You **will** be affected by this change |
- | 2) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. | + | 1) If you SSH to any tech-managed systems other than indigo/ |
+ | |||
+ | 2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. | ||
+ | |||
+ | 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. | ||
+ | |||
+ | If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically. | ||
===== How can I view my Kerberos ticket? ===== | ===== How can I view my Kerberos ticket? ===== | ||
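Review bot: the two numbered lists contradict each other for one common case: "not affected" item 3 (login sessions less than 10 hours) and "will be affected" item 1 (any SSH login to a tech-managed system other than indigo/) can both describe the same short SSH session, and only item 2 of the second list carries the "where usage does not fall within the cases unaffected by the change above" exception. Suggest moving that exception so it qualifies the whole "will be affected" list, or rewording item 1 to cover only SSH sessions to other tech-managed systems that last longer than 10 hours. Minor style: each item already sits under a heading that says whether it is affected, so the trailing "you will be affected by this change" on items 1 to 3 can be dropped.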
Line 43: | Line 49: | ||
Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. | ||
- | Kerberos tickets expire every 10 hours. | + | Before the ticket |
After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! | After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! | ||
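Review bot: "can be renewed up to 7 days" and "After 7 days" leave out what the 7 days are counted from. In Kerberos the renewable lifetime is fixed when the ticket is first obtained (at login or with kinit); each renewal gives the ticket another 10 hours but never pushes past the "renew until" time that klist shows. Suggest writing "renewable until 7 days after it was issued (the 'renew until' time in klist)" and stating plainly that the renewal itself has to happen while the current 10-hour ticket is still valid, which is what the last sentence means by "before the 10 hour expiry".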
Line 49: | Line 55: | ||
===== How do I get a new Kerberos ticket? ===== | ===== How do I get a new Kerberos ticket? ===== | ||
- | You can get a new Kerberos ticket at any time. Simply run the " | + | You can get a new Kerberos ticket at any time. Simply run the " |
< | < | ||
Line 62: | Line 68: | ||
renew until 12/23/2020 10:13:23 | renew until 12/23/2020 10:13:23 | ||
</ | </ | ||
- | |||
- | You will get a new Kerberos ticket any time you login to a system. | ||
===== How do I destroy my Kerberos ticket? ===== | ===== How do I destroy my Kerberos ticket? ===== | ||
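Review bot: the kinit paragraph should say why kinit is the remedy when the previous section says a ticket is "no longer renewable": kinit authenticates with the password again and issues a fresh ticket with a new "renew until" time 7 days out (as in the klist output shown), whereas krenew can only extend a ticket that is still valid and still inside its renewable window. Dropping the duplicated "You will get a new Kerberos ticket any time you login to a system" is fine, since the previous section already states it.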
Line 77: | Line 81: | ||
Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory. | ||
- | ===== Unattended | + | ===== Processes That Run for Up To 7 Days ===== |
- | For unattended | + | For processes that will run for up to 7 days where it would be impractical |
Run your job using krenew: | Run your job using krenew: | ||
- | krenew -- <cmd> | + | krenew -- <command> |
- | This will run <cmd> in the foreground. It will wake up every hour, and check the expiry of your Kerberos ticket. It will renew your ticket before the 10 hour expiry, up to the 7 days. After 7 days, your process will lose access to /eecs. | + | This will run <command> in the foreground. |
- | krenew can also be used to run < | + | krenew can also be used to run the command |
- | krenew -b -- <cmd> | + | krenew -b -- <full path to command> |
- | Note that <cmd> must include | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session |
- | ===== Unattended Processes That Run for More Than 7 Days ===== | + | krenew -K 60 -b |
- | For processes that will run for more than 7 days, follow this procedure: | + | krenew will run in the background, automatically renewing your Kerberos ticket for your login session. |
+ | |||
+ | ===== Processes That Run for More Than 7 Days ===== | ||
+ | |||
+ | For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure: | ||
First, you will create a custom keytab file using the ktutil command, replacing < | First, you will create a custom keytab file using the ktutil command, replacing < | ||
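Review bot: "krenew -K 60 -b" with no command detaches from the login session and keeps renewing the session's ticket cache until the 7-day renewable lifetime runs out, including after the user has logged out, and the text never says how to stop it. Suggest adding that krenew's "-p <pidfile>" option records the background process ID so it can be killed when the session is over, and that kdestroy removes the cache so the next renewal attempt fails and krenew exits (unless "-i" was given); otherwise a renewed TGT is left in a cache on a shared host for days. Also state that the argument to "-K" is the wake-up interval in minutes, so "-K 60" matches the "wake up every hour" behaviour described for the command form, and restore a sentence saying why "<full path to command>" is required with "-b" (the old text's note about this was dropped and only the placeholder now hints at it).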
Line 107: | Line 115: | ||
</ | </ | ||
- | The keytab file will be written to a file called < | + | The keytab file will be written to a file called < |
Test that the keytab file can be used to authenticate as you. First, run " | Test that the keytab file can be used to authenticate as you. First, run " | ||
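Review bot: the keytab written by ktutil is equivalent to the user's password (the page itself notes that kinit needs no password prompt with it), so this step should create it with restrictive permissions and keep it where only the user can read it: run the ktutil steps under "umask 077" or "chmod 600" the file immediately after writing it, and do not leave copies in shared or world-readable directories. It is also worth saying here, not only at the end of the page, that the file has to be regenerated after a password change and the old one deleted.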
Line 115: | Line 123: | ||
</ | </ | ||
- | Now run kinit passing in your newly created | + | You can optionally test your keytab file by passing it to kinit like this: |
< | < | ||
- | % kinit bob -k -t /eecs/home/bob/bob.keytab | + | % kinit < |
</ | </ | ||
+ | |||
+ | Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket. | ||
If you see the following error: | If you see the following error: | ||
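Review bot: "You can optionally test your keytab file" downgrades the check from the previous wording ("Now run kinit..."); it should stay a required step, because a keytab built with the wrong key version or encryption type only fails later, silently, when k5start tries to authenticate for an unattended job. Keep the kinit test mandatory and pair it with klist (as the next section does) to confirm the new ticket and its "renew until" time. Since "kinit -k -t" replaces the current session's ticket cache, mention that this is harmless but does discard the ticket obtained with the password at login.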
Line 129: | Line 139: | ||
... then your password is too old. Please use the " | ... then your password is too old. Please use the " | ||
- | Now, you will run your job using k5start: | + | You should be able to list your new Kerberos ticket using the " |
+ | |||
+ | Now, you can run your job using k5start: | ||
+ | |||
+ | k5start -f <full path to keytab file> < | ||
+ | |||
+ | This will run the command in the foreground. | ||
- | | + | k5start |
- | This will run <cmd> in the foreground. | + | k5start -f <full path to keytab |
- | k5start can also be used to run <cmd> in the background | + | Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session |
- | k5start -f <keytab file> < | + | k5start -f <full path to keytab file> |
- | You must include the full path to the <keytab file> and full path to <cmd>. | + | Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately. |
Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. | Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. |
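Review bot: "k5start -f <full path to keytab file> -b" with no command runs as a detached daemon that re-authenticates from the keytab for as long as the keytab stays valid, and nothing here tells the reader how to stop it. Suggest recommending the command form shown above whenever possible (k5start exits, and cleans up the ticket cache it created, when the command finishes) and, for the daemon form, starting it with "-p <pidfile>" so it can be killed when the session is over. Spelling in the last k5start paragraph: "indefinately" should be "indefinitely". The closing note about password changes should also say to remove the old keytab once the new one is written.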
login/kerberos.1625774550.txt.gz · Last modified: 2021/07/08 16:02 by jas