login:kerberos
login:kerberos [2021/07/12 09:20] jaslogin:kerberos [2024/01/22 09:25] (current) jas
Line 5: Line 5:
 The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network. The Kerberos protocol uses strong cryptography to allow a client and server to prove their identity to each other over the network.
  
-Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, or other systems.+Kerberos is an authentication protocol that works using tickets.  When you login to an EECS Linux system, you will be automatically issued a Kerberos ticket.  This ticket is used to gain access to resources such as your home directory, software, or other systems.
  
 ===== How does this affect me? ===== ===== How does this affect me? =====
  
-Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter your password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more. +Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more. 
  
-You will **not** be affected by this change if you fall into the following categories:+You will **not** be affected by this change if your usage falls into one of the following categories:
  
-1) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by this change. +1) Login sessions to indigo/indigo1 (research) or red/red1/crimson (education) are not affected by this change. 
  
-2) Local logins to office or lab workstations, or via remotelab are not affected by this change.+2) Local logins to office or lab workstations, or logins via remotelab are not affected by this change.
  
-3) If your login session is less than 10 hours in duration, you won'be affected by this change no matter which system you use.+3) Login sessions less than 10 hours in duration will not be affected by this change.
  
-You **will** be affected by this change if you fall into the following categories:+You **will** be affected by this change if your usage falls into one of the following categories:
  
-1) If your login sessions are typically longer than 10 hours, you will be affected by this change.+1) If you SSH to any tech-managed systems other than indigo/indigo1 (research), or red/red1/crimson (education), you will be affected by this change.
  
-2) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change.+2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change. 
 + 
 +3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change
 + 
 +If your system use falls into these categories, you will need to renew your Kerberos ticket either manually, or automatically.  Please continue to read this document for additional details.
  
 ===== How can I view my Kerberos ticket? ===== ===== How can I view my Kerberos ticket? =====
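Review bot: the new affected case 1 ("If you SSH to any tech-managed systems other than indigo/indigo1 ... you will be affected") contradicts the new unaffected case 3 ("Login sessions less than 10 hours in duration will not be affected") as written, because a short SSH session to such a system is unaffected by the page's own rule; suggest qualifying it, e.g. "If you SSH to any tech-managed systems other than indigo/indigo1 (research) or red/red1/crimson (education) and your session or job runs longer than 10 hours". Smaller points in the same hunk: "without needing to re-enter password" dropped "your" from the previous revision; affected case 3 lost its terminating period; and "navy" was removed from the research host list while the rest of the list is unchanged, which is worth confirming as intentional.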
Line 45: Line 49:
 Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days. Every time you login to a system, you get a new Kerberos ticket that will expire in 10 hours, and can be renewed up to 7 days.
  
-Kerberos tickets expire every 10 hours.  Before the ticket expiresyou can run the "kinit -R" command which will renew your ticket for another 10 hours.  You will not be required to re-enter your password.+Before the ticket 10 hour expiry, run the "kinit -R" command which will renew your ticket for another 10 hours.  You will not be required to re-enter your password.
  
 After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one! After 7 days, or, if you do not renew your ticket before the 10 hour expiry, your ticket is no longer renewable and you need a new one!
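Review bot: "Before the ticket 10 hour expiry" reads awkwardly; suggest "Before the ticket's 10 hour expiry" or keeping the previous "Before the ticket expires". Since "kinit -R" only pushes the expiry forward and never the "renew until" time, it would help to state that renewal does not extend the 7 day limit; the following sentence implies it but does not say it.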
Line 51: Line 55:
 ===== How do I get a new Kerberos ticket? ===== ===== How do I get a new Kerberos ticket? =====
  
-You can get a new Kerberos ticket at any time.  Simply run the "kinit" command, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours, and automatically renewed for up to days.  It's really that simple.+You can get a new Kerberos ticket at any time.  Simply run the "kinit" command, enter your password interactively when prompted, and you'll get a new Kerberos ticket that will be valid for 10 hours with a new day expiry.  Your ticket doesn't even need to expire before it can be renewed For example:
  
 <code> <code>
Line 64: Line 68:
  renew until 12/23/2020 10:13:23  renew until 12/23/2020 10:13:23
 </code> </code>
- 
-You will get a new Kerberos ticket any time you login to a system.   
  
 ===== How do I destroy my Kerberos ticket? ===== ===== How do I destroy my Kerberos ticket? =====
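Review bot: "valid for 10 hours with a new day expiry" is missing the number (the previous revision's "up to days" had the same gap); "7 day" would match the rest of the page. "Your ticket doesn't even need to expire before it can be renewed For example:" needs a period before "For example", and "renewed" here blurs getting a fresh ticket with kinit (new renew-until) and renewing with "kinit -R" (same renew-until); suggest "replaced", or "you can run kinit at any time to get a fresh ticket". Dropping the old "automatically renewed for up to days" is a correct fix, since kinit on its own renews nothing.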
Line 79: Line 81:
 Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume. Although the ticket remains cached in memory for some time, Bob will eventually lose access to his home directory.  However, the next time Bob logs in, he will get a new ticket, and access will resume.
  
-===== Unattended Processes That Run for Less Than 7 Days =====+===== Processes That Run for Up To 7 Days =====
  
-For unattended processes that will run for less than 7 days where you are unable to manually renew the Kerberos ticket every 10 hours, follow this procedure:+For processes that will run for up to 7 days where it would be impractical to manually renew the Kerberos ticket every 10 hours, follow this procedure:
  
 Run your job using krenew: Run your job using krenew:
  
-  krenew -- <cmd>+  krenew -- <command>
  
-This will run <cmd> in the foreground.  It will wake up every hour, and check the expiry of your Kerberos ticket.  It will renew your ticket before the 10 hour expiry, up to the 7 days.  After 7 days, your process will lose access to /eecs.+This will run <command> in the foreground.  It will renew your ticket before the 10 hour expiry, for up to 7 days.  After 7 days, your Kerberos ticket will expire, and your process will lose access to /eecs.
  
-krenew can also be used to run <cmd> in the background like this:+krenew can also be used to run the command in the background like this:
  
-  krenew -b -- <cmd>+  krenew -b -- <full path to command>
  
-Note that <cmd> must include the full path to the command.+Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to automatically remain valid for up to 7 days, just run "krenew" like this:
  
-===== Unattended Processes That Run for More Than 7 Days =====+  krenew -K 60 -b
  
-For processes that will run for more than 7 days, follow this procedure:+krenew will run in the background, automatically renewing your Kerberos ticket for your login session.  That session will remain valid for up to 7 days.  As always, use "klist" to view your Kerberos tickets at any time. 
 + 
 +===== Processes That Run for More Than 7 Days ===== 
 + 
 +For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure:
  
 First, you will create a custom keytab file using the ktutil command, replacing <user> with your username: First, you will create a custom keytab file using the ktutil command, replacing <user> with your username:
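Review bot: the previous note "Note that <cmd> must include the full path to the command" was dropped and the requirement now lives only inside the background placeholder "<full path to command>"; if the foreground form also needs a full path, say so in prose rather than only in a placeholder, and either way say why the full path is required so readers do not have to guess. The new "krenew -K 60 -b" paragraph should add that the background krenew keeps the cached ticket alive after the SSH session ends, up to the 7 day renew limit, so users who no longer need it should stop krenew and run kdestroy; a forgotten background renewer holding a valid ticket is what the expiry is meant to limit. The removed sentence "It will wake up every hour, and check the expiry of your Kerberos ticket" was useful context for what "-K 60" means; consider keeping it.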
Line 109: Line 115:
 </code> </code>
  
-The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files!+The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files, so please protect this file, and delete it, if possible, after your long running process completes.
  
 Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket: Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket:
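Review bot: the added advice to protect and delete the keytab is good, but the paragraph should also say what the file is: it holds your long-term Kerberos key, so it is equivalent to your password for as long as that password is in use. That gives readers the mitigation if the file is ever exposed: change your password, which also forces the regeneration mentioned at the end of the page, because the old keytab stops working once the password changes. "Please don't change the permission on this file" could be paired with a one-line check, e.g. "ls -l <user>.keytab should show -rw-------", so users can verify the 600 claim on their own copy, which matters since the file lives under /eecs rather than on local disk.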
Line 117: Line 123:
 </code> </code>
  
-Now run kinit passing in your newly created keytab file:+You can optionally test your keytab file by passing it to kinit like this:
  
 <code> <code>
-% kinit bob -k -t /eecs/home/bob/bob.keytab+% kinit <user> -k -t /eecs/home/<user>/<user>.keytab
 </code> </code>
 +
 +Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket.  
  
 If you see the following error: If you see the following error:
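Review bot: "You can optionally test your keytab file" contradicts the preceding step, which is still imperative ("Test that the keytab file can be used to authenticate as you. First, run "kdestroy" ..."), and the error handling that follows ("If you see the following error ... your password is too old") only triggers if the test is run. Either keep the test as a required step or soften the earlier sentence too, and in both cases keep "kdestroy" first so the test proves the keytab works on its own rather than reusing the existing cached ticket. In the new note "the keytab file includes what is required for kinit to initialize your Kerberos ticket", "the keytab file contains your key" would be more precise.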
Line 131: Line 139:
 ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now. ... then your password is too old.  Please use the "passwd" command to change your system password, then re-issue the ktutil command above, and it will work now.
  
-Now,  you will run your job using k5start:+You should be able to list your new Kerberos ticket using the "klist" command.  You will see that it is valid for 10 hours with a 7 day expiry. 
 + 
 +Now, you can run your job using k5start: 
 + 
 +  k5start -f <full path to keytab file> <user>  -- <full path to command> 
 + 
 +This will run the command in the foreground.  Your command will continue to run with a ticket that will be renewed indefinately using your keytab file.  Stop the k5start process, and your ticket will no longer be renewed.
  
-  k5start -f <keytab file> <user>  -- <cmd>+k5start can also be used to run your command in the background like this:
  
-This will run <cmd> in the foreground.  It will wake up every hour, and check the expiry of your Kerberos ticket.  Your ticket will be renewed indefinitely using your keytab+  k5start -f <full path to keytab file> <user> -b -- <full path to command>
  
-k5start can also be used to run <cmd> in the background like this:+Finally, if instead of running a process, you want the Kerberos ticket of your SSH login session to remain valid indefinately, just run "k5start" like this:
  
-  k5start -f <keytab file> <user> -b -- <cmd>+  k5start -f <full path to keytab file> -K 60 <user> -b
  
-You must include the full path to the <keytab file> and full path to <cmd> +Now, k5start will use your keytab file to renew your Kerberos ticket for this session indefinately.
  
 Please note that if you change your password at any point in time, you will also need to regenerate your keytab file. Please note that if you change your password at any point in time, you will also need to regenerate your keytab file.
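Review bot: "indefinately" appears three times in the new text (the previous revision had "indefinitely"); fix the spelling. The new "k5start -f <full path to keytab file> -K 60 <user> -b" section starts a background process that renews a login session's ticket indefinitely from the keytab, so it should carry the same caveat the process section implies: stop k5start and run kdestroy when the session is no longer needed, since the text already states the ticket stops being renewed only when k5start is stopped. Also, the background process form places "-b" after "<user>" while the session form places "-K 60" before it; putting the flags before the principal in both lines avoids relying on the option parser accepting options after operands and reads more consistently.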
login/kerberos.1626096005.txt.gz · Last modified: 2021/07/12 09:20 by jas