<

Kerberos

Why use Kerberos telnet, rsh, and rlogin commands?

Once you have been authenticated to the Kerberos server, you can automatically pass your Kerberos credentials to other hosts and services. You would then be able to log into other hosts in the cmf.nrl.navy.mil domain without supplying your password again. It is important to avoid sending a cleartext password across any network. If your local machine is not part of the cmf.nrl.navy.mil domain, you are encouraged to use one of our Kerberos kits on your local host (the installation procedure does not require system privileges).

What happens during login

Upon running login on a host, the user sets off a chain of Kerberos and AFS events. The user receives a Kerberos ticket-granting ticket. The ticket-granting ticket, which expires at a specific time, can be used to obtain additional tickets. The ticket-granting ticket is then used to automatically get an AFS ticket and token. This sounds complicated, but it happens automatically during login.

How to list Kerberos tickets

The command KLIST will list your Kerberos tickets. Each ticket has a default expiration time of 25 hours. For long-running jobs see the renewable tickets below.

>klist Ticket cache: /tmp/krb5cc_console Default principal: yourusername@CMF.NRL.NAVY.MIL Valid starting Expires Service principal 03/04/97 09:56:19 03/05/97 10:56:16 krbtgt/CMF.NRL.NAVY.MIL@CMF.NRL.NAVY.MIL 03/04/97 09:56:24 03/05/97 10:56:16 afs@CMF.NRL.NAVY.MIL

How to obtain a Kerberos ticket-granting ticket

The command kinit will obtain a Kerberos ticket-granting ticket. The command aklog will use the ticket-granting ticket to obtain an AFS ticket and token.

>kinit Password for youusername@CMF.NRL.NAVY.MIL: >aklog

Note... If possible, run kinit on your local machine to avoid sending your password in cleartext across the network. This is important computer security for both you and our site.

Running long jobs with renewable tickets

As mentioned previously, Kerberos tickets expire after 25 hours. There are many cases where you wish to run a program that will take longer than 25 hours, but still have credentials to write into AFS space. You can accomplish this by using the krenew program.

To use this program, first get a renewable ticket using the -r option to kinit. The -r option takes as an argument the maximum amount of time you wish to renew the ticket.

> kinit -r 7d Password for yourusername@CMF.NRL.NAVY.MIL >

You can check the maximum renewable time of your ticket using klist.

Ticket cache: /tmp/krb5cc_p42 Default principal: yourusername@CMF.NRL.NAVY.MIL Valid starting Expires Service principal 03/19/97 18:25:18 03/20/97 19:25:12 krbtgt/CMF.NRL.NAVY.MIL@CMF.NRL.NAVY.MIL renew until 03/26/97 18:25:12

Once you have a renewable ticket, run your job using krenew. (Just run the command krewew with your job as the command-line argument.)

>krenew my_long_job

krenew will automatically renew your tokens at the appropriate times, making sure that you always have valid Kerberos and AFS credentials.

The maximum amount of time you may renew tickets is seven days. If you wish to run jobs that last longer than seven days, please send your request to the sysadmin mailing list.

More information

You can read the Kerberos User's Guide for more detailed information on how to use Kerberos.


You can see compatible systems for Kerberos here.

You can obtain a Kerberos Kit from the Naval Research Labs here.