login:kerberos

Differences

This shows you the differences between two versions of the page.

login:kerberos [2021/07/13 09:09] jaslogin:kerberos [2024/01/22 09:25] (current) jas
Line 9: Line 9:
 ===== How does this affect me? ===== ===== How does this affect me? =====
  
-Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter your password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more. +Kerberos tickets have a 10 hour lifetime, and can be renewed for up to 7 days without needing to re-enter password.  When your Kerberos ticket expires, you will temporarily lose access to the filesystem path /eecs, which includes your home directory, software, and more. 
  
 You will **not** be affected by this change if your usage falls into one of the following categories: You will **not** be affected by this change if your usage falls into one of the following categories:
  
-1) Login sessions to indigo/indigo1/navy (research) or red/red1/crimson (education) are not affected by this change. +1) Login sessions to indigo/indigo1 (research) or red/red1/crimson (education) are not affected by this change. 
  
 2) Local logins to office or lab workstations, or logins via remotelab are not affected by this change. 2) Local logins to office or lab workstations, or logins via remotelab are not affected by this change.
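
Review bot: The reworded ticket-lifetime sentence now reads "without needing to re-enter password", which drops the "your" that the previous revision had; restore it as "re-enter your password". The removal of navy from item 1 matches the same removal in the "will be affected" list further down, so the two lists stay consistent.
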
Line 21: Line 21:
 You **will** be affected by this change if your usage falls into one of the following categories: You **will** be affected by this change if your usage falls into one of the following categories:
  
-1) If you typically ssh to indigo/indigo1/navy (research) or red/red1/crimson (education) from your system, then ssh to another tech-managed EECS Linux system, you will be affected by this change on the remote system.+1) If you SSH to any tech-managed systems other than indigo/indigo1 (research)or red/red1/crimson (education), you will be affected by this change.
  
-2) If your login sessions are typically longer than 10 hours (excluding those cases referred to above in the section on systems that are not affected), you will be affected by this change.+2) If your login sessions are typically longer than 10 hours in duration where usage does not fall within the cases unaffected by the change above, you will be affected by this change.
  
 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change. 3) If you run unattended jobs that will run for more than 10 hours, you will be affected by this change.
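
Review bot: The new item 1 is missing a space in "(research)or red/red1/crimson", and the rewritten item 2 ("in duration where usage does not fall within the cases unaffected by the change above") is harder to parse than the parenthetical it replaced. Suggest "(research) or" in item 1, and for item 2 something like "If your login sessions on an affected system typically last longer than 10 hours, you will be affected by this change."
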
Line 99: Line 99:
   krenew -K 60 -b   krenew -K 60 -b
  
-krenew will automatically renew the Kerberos ticket for your login session.  That session will remain valid for up to 7 days.+krenew will run in the background, automatically renewing your Kerberos ticket for your login session.  That session will remain valid for up to 7 days.  As always, use "klist" to view your Kerberos tickets at any time.
  
 ===== Processes That Run for More Than 7 Days ===== ===== Processes That Run for More Than 7 Days =====
  
-For processes that will run for more than 7 days, where it would obviously be impractical to constantly renew your ticket, follow this procedure:+For processes that will run for more than 7 days, where it is obviously impractical to constantly renew your Kerberos ticket every 10 hours, follow this procedure:
  
 First, you will create a custom keytab file using the ktutil command, replacing <user> with your username: First, you will create a custom keytab file using the ktutil command, replacing <user> with your username:
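
Review bot: The rewritten introduction to the 7-day section adds "every 10 hours", which points at the wrong limit. The krenew paragraph just above says renewal is automatic and that the session stays valid for up to 7 days, so the reason for the keytab procedure is the 7-day renewal ceiling, not the 10-hour ticket lifetime. Suggest wording along the lines of "For processes that will run for more than 7 days, which is longer than a ticket can be renewed, follow this procedure:".
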
Line 115: Line 115:
 </code> </code>
  
-The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files!+The keytab file will be written to a file called <user>.keytab in your home directory.  You can name the file whatever you like.  The permission on the file will be 600.  That is, the file will be readable by you, and only you.  Please don't change the permission on this file.  If someone gets a hold of this file, they will be able to access your files, so please protect this file, and delete it, if possible, after your long running process completes.
  
 Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket: Test that the keytab file can be used to authenticate as you.  First, run "kdestroy" to destroy your current Kerberos ticket:
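
Review bot: The clause added to the keytab warning softens the deletion step with "if possible" and still describes the risk only as someone being able to "access your files". The next section states that kinit with the keytab does not ask for a password, so anyone holding a copy of the file can authenticate as the user; say that directly, and make deleting the keytab after the long-running process completes an unconditional instruction.
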
Line 129: Line 129:
 </code> </code>
  
-Note that you will not be asked for your password because the keytab file includes what is required for kinit to initialize your ticket.  +Note that you will not be asked to enter your password because the keytab file includes what is required for kinit to initialize your Kerberos ticket.  
  
 If you see the following error: If you see the following error:
Line 141: Line 141:
 You should be able to list your new Kerberos ticket using the "klist" command.  You will see that it is valid for 10 hours with a 7 day expiry. You should be able to list your new Kerberos ticket using the "klist" command.  You will see that it is valid for 10 hours with a 7 day expiry.
  
-Now, in the future, whenever you want to run a process that will have its Kerberos ticket renewed indefinately, you will run your job using k5start:+Now, you can run your job using k5start:
  
   k5start -f <full path to keytab file> <user>  -- <full path to command>   k5start -f <full path to keytab file> <user>  -- <full path to command>
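
Review bot: The shortened lead-in to the k5start command no longer says what k5start is for. The previous revision explained that the process will have its Kerberos ticket renewed indefinitely (misspelled "indefinately"); keep that explanation with the spelling fixed, for example "Now you can run your job using k5start so that its Kerberos ticket is renewed indefinitely:".
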
login/kerberos.1626181755.txt.gz · Last modified: 2021/07/13 09:09 by jas