A Brief Introduction to Kerberos Authentication

UCS uses the Kerberos 5 authentication service for authentication on most of its systems.
How does one use Kerberos?

At UMBC, it's as simple as logging in. All of the UCS UNIX systems verify a user's password by attempting to retrieve a ticket-granting ticket for your principal (your username is the name of your Kerberos principal), which can later be used to authenticate you to other Kerberos-aware services (such as PH). You can see your current Kerberos credentials (tickets and credentials are used almost interchangeably in the Kerberos system) by typing klist.
irix1[3]# klist
Ticket cache: /tmp/krb5cc_p486390
Default principal: banz@UMBC.EDU
Valid starting Expires Service principal
20 May 99 20:59:54 21 May 99 21:59:53 krbtgt/UMBC.EDU@UMBC.EDU
20 May 99 20:59:54 21 May 99 21:59:53 afs@UMBC.EDU
irix1[4]#
The output of this command shows that I have my Kerberos ticket-granting ticket, krbtgt/UMBC.EDU@UMBC.EDU. Since AFS generates your token from your Kerberos credentials, an afs ticket is also retrieved for you as part of your login process. A service ticket, like that for AFS, includes, as encrypted data, information that identifies the ticket as being owned by you and an expiration time (by default, 25 hours). The package is encrypted with the AFS service key, a secret key known only to the AFS servers, which is required to decrypt the package and verify its authenticity.

Ticket (and token) expiration

Most users will never experience their Kerberos tickets (or AFS tokens) expiring, since the default expiration time of 25 hours is much longer than most people stay logged in. However, faculty or staff who may be constantly logged in from their offices, or users who log in from other places on the Internet (via ssh, of course), may find that their Kerberos and AFS credentials expire. The most obvious symptom is getting "permission denied" when trying to access any file in your home directory! Verifying that you have expired tokens is easy. AFS supplies the tokens command, which is similar to the klist command for Kerberos but deals only with AFS tokens (which are stored in the kernel of the machine you are using).
irix1[5]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 4906) tokens for afs@umbc.edu [Expires May 21 12:02]
--End of list--
irix1[6]#
...is the normal output of the tokens command. When you have expired tokens, the output will be similar to this:
irix1[6]# tokens
Tokens held by the Cache Manager:
--End of list--
irix1[7]#
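To make the expiry check above concrete, here is an added example (not part of the UMBC page) that parses klist output in the format shown earlier and reports whether the ticket-granting ticket and the AFS ticket are still usable at a given time; the klist text and the realm name are constructed from the page's own session, and the check runs offline.

```python
import re
from datetime import datetime

# Constructed sample, in the format klist printed on the UCS IRIX hosts.
KLIST_OUTPUT = """\
Ticket cache: /tmp/krb5cc_p486390
Default principal: banz@UMBC.EDU
Valid starting Expires Service principal
20 May 99 20:59:54 21 May 99 21:59:53 krbtgt/UMBC.EDU@UMBC.EDU
20 May 99 20:59:54 21 May 99 21:59:53 afs@UMBC.EDU
"""

TIME_FMT = "%d %b %y %H:%M:%S"          # klist's two-digit-year timestamps
STAMP = r"\d\d \w{3} \d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")


def parse_klist(text):
    """Map each service principal to its (valid_from, expires) datetimes."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:                              # header lines never match
            tickets[m.group(3)] = (datetime.strptime(m.group(1), TIME_FMT),
                                   datetime.strptime(m.group(2), TIME_FMT))
    return tickets


def lifetime_hours(text, service):
    """Hours between 'Valid starting' and 'Expires' for one ticket."""
    start, end = parse_klist(text)[service]
    return (end - start).total_seconds() / 3600


def credential_status(text, now, realm="UMBC.EDU"):
    """Classify the TGT and the AFS service ticket as 'valid', 'expired'
    or 'missing' at time `now` (a string in klist's own timestamp format)."""
    tickets = parse_klist(text)
    at = datetime.strptime(now, TIME_FMT)

    def status(name):
        if name not in tickets:
            return "missing"
        start, end = tickets[name]
        return "valid" if start <= at < end else "expired"

    return {"tgt": status(f"krbtgt/{realm}@{realm}"),
            "afs": status(f"afs@{realm}")}


def needs_kinit(text, now, realm="UMBC.EDU"):
    """True when either credential is no longer usable; kinit refreshes both."""
    return any(s != "valid" for s in credential_status(text, now, realm).values())
```

Run against live output by feeding the text of `klist` and the current time in the same format; a result of `needs_kinit(...) == True` corresponds to the empty `tokens` listing shown above.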
Getting new tokens is as easy as typing kinit, which will retrieve new Kerberos credentials for you and, as a side effect, also retrieve or update your AFS tokens.
irix1[7]# kinit
Password for banz@UMBC.EDU: enter your password
irix1[8]#
...and you can continue working.

Kerberos, SSH, and Remote Logins

SSH, running on most any machine that is running AFS and Kerberos at UMBC, is configured to use Kerberos to: