Accessing the FNAL Kerberos Realm from Nevis
The Computing Division at Fermilab is implementing a strong authentication model for their system security. This impacts how Nevis users connect to Fermilab's computers.
Background
The Fermilab Computing Division is phasing in a strong authentication procedure for system security based on Kerberos. Use of this system will be required to access systems at FNAL as of 15-Dec-2000.
Unfortunately, Kerberos is not one of those security schemes that is
100% transparent to the user. If you wish to connect to systems at
FNAL, you will have to learn about the following:
- Obtaining a Kerberos Principal
- Obtaining a Kerberos Ticket
- Connecting to a computer at FNAL
Kerberos client software described below has been installed on all the
machines on the Nevis Linux cluster.
Obtaining a Kerberos Principal
From the perspective of an individual user, your Kerberos principal is
the identity (a user ID protected by a password) that the Kerberos
realm at Fermilab recognizes; proving you hold it is what grants you
permission to use the realm. Note that this is different from a
computer account: an account allows you to log on to a computer and use
it; a principal is needed to even reach the computer in the first
place.
Fermilab has documented the procedure for obtaining a principal. Basically, you have to go
through the Computing Division liaison for your group.
Hopefully, you will only have to do this once.
Obtaining a Kerberos Ticket on Linux systems
The principal is a general permission to ride on the train. To make a
specific trip, you have to buy a ticket. You get a Kerberos ticket
via the kinit command:

    kinit <kerberos-user-id>@FNAL.GOV

kinit asks for your Kerberos password and, if the realm accepts it,
stores a ticket-granting ticket in a credential cache on the local
machine; the Kerberized commands below use that ticket rather than
your password.
Hopefully, your Kerberos user id will be the same as your FNAL user id;
if it must be different for some reason, the FNAL Computing Division
will let you know. For now, you can leave out @FNAL.GOV (the realm
name must be in upper case) since FNAL.GOV is the only Kerberos realm
we access at Nevis and kinit fills in the default realm from the
client configuration; if we ever begin to access others you will have
to type in the realm explicitly.
Connecting to a computer at FNAL from Linux systems
Once you have your ticket, you can go between railway cars as often
as you like while the ticket is good. To drop the analogy, you can
use "Kerberized" versions of UNIX commands (ssh, telnet, ftp, etc.)
to access the Fermilab systems; they authenticate with your ticket, so
no password is sent to FNAL. The ticket is good for ten hours or until
you log off; after that you must request a new one with kinit. The
klist command shows whether you currently hold a ticket and when it
expires.
Frequently Asked Questions
Are we going to install a Kerberos realm at Nevis?
Not at present; we don't have the same security issues that Fermilab has.
However, Fermilab is still permitting Kerberos connections from
"non-trusted" hosts. At some point, they may decide to only permit
connections from "trusted" hosts. It is not clear what their
definition of a trusted host will be, nor if a Nevis system would be
trusted even if we have a Kerberos server. We will have to deal with
that situation when it happens.