Accessing the FNAL Kerberos Realm from Nevis

The Computing Division at Fermilab is implementing a strong authentication model for their system security. This impacts how Nevis users connect to Fermilab's computers.

Background

The Fermilab Computing Division is phasing in a strong authentication procedure for system security based on Kerberos. Use of this system will be required to access systems at FNAL as of 15-Dec-2000.

Unfortunately, Kerberos is not one of those security schemes that is 100% transparent to the user. If you wish to connect to systems at FNAL, you will have to learn about the following:

• Obtaining a Kerberos Principal
• Obtaining a Kerberos Ticket
• Connecting to a computer at FNAL

Kerberos client software described below has been installed on all the machines on the Nevis Linux cluster.

Obtaining a Kerberos Principal

From the perspective of an individual user, your Kerberos Principal is an ID/password combination that grants you permission to access the Kerberos realm at Fermilab. Note that this is different from a computer account: an account allows you log on to a computer and use it; a principal is needed to even access the computer in the first place.

Fermilab has documented the procedure for obtaining a principal. Basically, you have to go through the Computing Division liaison for your group.

Hopefully, you will only have to do this once.

Obtaining a Kerberos Ticket on Linux systems

The principal is a general permission to ride on the train. To make a specific trip, you have to buy a ticket. You get a Kerberos ticket via the kinit command:

kinit <kerberos-user-id>@FNAL.GOV

Hopefully, your Kerberos user id will the same as your FNAL user id; if it must be different for some reason, the FNAL Computing Division will let you know. For now, you can leave out @FNAL.GOV (which must be in upper case) since that is the only Kerberos realm we access at Nevis; if we ever begin to access others you'll have to type in the realm explicitly.

Connecting to a computer at FNAL from Linux systems

Once you have your ticket, you can go between railway cars as often as you like while the ticket is good. To drop the analogy, you can use "Kerberized" versions of UNIX commands (ssh, telnet, ftp, etc.) to access the Fermilab systems for ten hours or until you log off; then you must request a new ticket.

Frequently Asked Questions

Are we going to install a Kerberos realm at Nevis?

Not at present; we don't have the same security issues that Fermilab has.

However, Fermilab is still permitting Kerberos connections from "non-trusted" hosts. At some point, they may decide to only permit connections from "trusted" hosts. It is not clear what their definition of a trusted host will be, nor if a Nevis system would be trusted even if we have a Kerberos server. We will have to deal with that situation when it happens.