Strong Auth Index Page | Presentation Outline

Computing in a Kerberized Environment


Authenticate at your Windows Desktop

WRQ®

Navigate to Start > Programs > Reflection > Utilities > Kerberos Manager to open the Reflection Kerberos Manager application. With your principal tab selected, click Authenticate.


On the Authenticate window, make sure "Forwardable" is checked, click OK, and provide your Kerberos password at the prompt.

Back on the Kerberos Manager window, you should see the new ticket krbtgt/FNAL.GOV@FNAL.GOV.


Right-click on the ticket to see its properties.

Once you run Reflection Kerberos Manager and authenticate, you do not need to keep the application active; you can exit and continue to log in to Kerberized machines. The authentication is valid for the lifetime of the ticket.

Kerberized Exceed 7

Using the Leash32 utility, navigate to Start > Programs > Kerberos Utilities > Leash32 . Select Get Ticket on the Action menu.


You will be prompted for your Kerberos password. Ignore the CRYPTOCard prompt that may follow (press Cancel). Your ticket will appear in the Leash32 window. Click the Windows Explorer-style plus signs (+) to see ticket details.


Using the command prompt:

Cygwin

Type kinit to request a ticket.
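Whichever client you use, the property that matters for logging in to further Kerberized hosts is that the TGT is forwardable. With MIT Kerberos, kinit -f requests a forwardable ticket (or set forwardable = true under [libdefaults] in krb5.conf), and klist -f prints the ticket flags, with an uppercase F marking a forwardable ticket. The following added example (not part of this page or of any Fermilab tool) parses klist -f output and reports whether the krbtgt/FNAL.GOV@FNAL.GOV ticket is present, currently valid, and forwardable; the klist text embedded in it is constructed, not captured from a real host.

```python
import re
from datetime import datetime

# Constructed sample of `klist -f` output (MIT format); not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: aheavey@FNAL.GOV

Valid starting       Expires              Service principal
03/15/2002 08:00:00  03/16/2002 10:00:00  krbtgt/FNAL.GOV@FNAL.GOV
\trenew until 03/22/2002 08:00:00, Flags: FRIA
03/15/2002 08:05:00  03/16/2002 10:00:00  host/fnalu.fnal.gov@FNAL.GOV
\tFlags: RI
"""

TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags:\s*([A-Za-z]*)")


def parse_ts(s):
    """klist prints 2- or 4-digit years depending on version and locale."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {s!r}")


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, flags."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "start": parse_ts(m.group(1)),
                            "expires": parse_ts(m.group(2)), "flags": ""})
        elif line.startswith((" ", "\t")) and tickets:
            # Indented continuation line ("renew until ..., Flags: ...") belongs
            # to the ticket printed just above it.
            f = FLAGS_RE.search(line)
            if f:
                tickets[-1]["flags"] = f.group(1)
    return tickets


def tgt_status(text, realm, now):
    """Check the TGT for `realm` at time `now` (a klist-style timestamp string).
    Returns (present, valid_now, forwardable). Uppercase F is the forwardable
    flag; lowercase f would only mean the ticket was itself forwarded."""
    name = f"krbtgt/{realm}@{realm}"
    when = parse_ts(now)
    for t in parse_klist(text):
        if t["service"] == name:
            return True, t["start"] <= when < t["expires"], "F" in t["flags"]
    return False, False, False


if __name__ == "__main__":
    print(tgt_status(SAMPLE_KLIST, "FNAL.GOV", "03/15/2002 12:00:00"))
```

On a real machine, feed it the output of `klist -f` and the current time; a TGT that is present but not forwardable means you authenticated without -f (or without "Forwardable" checked) and will have to re-run kinit before your ticket can follow you to the next host.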


Accessing FNALU or other Remote Kerberized Nodes

List of Access Methods

Method 1: Log in using a Kerberized connection program

Run a WRQ® telnet Session to Kerberized Host

Best to make a shortcut to the file in the Reflection folder!

Run a WRQ® ftp Session to Kerberized Host

WRQ® Reflection FTP does not forward your Kerberos ticket or AFS token to the remote host. To transfer files to AFS space, either configure the FTP client with standard security and use a CRYPTOCard, or bypass FTP entirely and install the Windows AFS client on your machine for file transfers. See below.

Using WRQ® Reflection FTP:

Run an Exceed 7 telnet Session to Kerberized Host

Best to make a shortcut!

Run Windows AFS Client for transferring files to AFS space

See Chapter 20: Installing and Configuring the Windows AFS Client of the manual for installation instructions and section 4.8 Windows AFS Client for File Transfers to AFS Space for user instructions. You will use your AFS password to authenticate to AFS.


Method 2: Connecting from a Non-Kerberized Machine: Portal Mode

In portal mode, the remote Kerberized machine requires a single-use password for authentication. You need to use a calculator-style, battery-powered device called a CRYPTOCard to generate the password.


Obtaining and preparing your CRYPTOCard

Request a CRYPTOCard on the same form used for requesting a Kerberos Principal, Form to Request Kerberos Principal and/or Related Items at http://www.fnal.gov/cd/forms/strongauth.html.

When you get your CRYPTOCard, read about how to use it and care for it in sections 5.2 Caring for your CRYPTOCard, 5.3 Usage Notes and 5.4 The First Thing to do: Reset your PIN. You must reset the PIN before you use it.

To resynchronize your CRYPTOCard with the KDC, see section 5.8 Resync your CRYPTOCard.

Programs for Initiating CRYPTOCard Login

From a Windows desktop, use one of the following non-Kerberized programs:

ssh  
telnet  
ftp  


The remote host prompts you for your login ID. It must be the same as your UNIX realm principal.

Ssh Notes:

Using your CRYPTOCard

The CRYPTOCard prompt looks like this:

Press ENTER and compare this challenge to the one on your display: [12345678] 
Enter the displayed response: 

Generate a response on your CRYPTOCard, and type it at the terminal keyboard. Full instructions can be found in sections 5.5 Log in Using CRYPTOCard (the First Time) and 5.6 Log in Using CRYPTOCard (Subsequently).

To reauthenticate without restarting your session, use the command new-portal-ticket; you will need your CRYPTOCard to generate a response.

Summary of the Login Steps with CRYPTOCard

These instructions are for the old-style cards. For new-style cards, see section 5.6.2 New Style Card (March 2002) under section 5.6 Log in Using CRYPTOCard (Subsequently).

  1. ON, [PIN], ENT, ENT to get the challenge string.
  2. Run the connection program, and enter your username/principal at the prompt. Compare the challenges on the terminal and on the CRYPTOCard.
  3. If the challenges match, press ENT to generate the response to the challenge.
  4. Type the CRYPTOCard response at the terminal.
  5. (optional) OFF

The first time you use your CRYPTOCard, and any time it gets out of sync with the KDC, you will need to type the challenge into the card: at step 3, if the challenges don't match, press CH/MAC, enter the challenge displayed at the terminal into the card, and continue from step 3.
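The login steps above and the resync rule are easier to reason about as a protocol with two sides that share a secret and a counter: the KDC derives the challenge it prints from its counter, the card derives the one it displays from its own, and the comparison in step 2 is what tells you whether the two counters still agree. The model below is an added example, not the page's own material and not the CRYPTOCard's actual algorithm; the HMAC-SHA256 construction, the counter, the 8-digit truncation, the resync window and the class names PortalKDC and Card are all assumptions made for illustration. It shows a normal login, a login after the card has run ahead (the CH/MAC path), and why a response cannot be replayed.

```python
import hmac
import hashlib

# Illustrative model only: NOT the CRYPTOCard's real algorithm. The HMAC-SHA256
# construction, the counter, and the resync window are assumptions chosen to
# model the behaviour described above (challenge, response, resync, single use).


def _eight_digits(secret, label):
    mac = hmac.new(secret, label, hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:8], "big") % 10**8)


def make_challenge(secret, counter):
    return _eight_digits(secret, b"challenge:%d" % counter)


def make_response(secret, challenge):
    return _eight_digits(secret, b"response:" + challenge.encode())


class PortalKDC:
    """Server side: the secret shared with the card and the expected counter."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def prompt(self):
        return make_challenge(self.secret, self.counter)

    def verify(self, response):
        ok = hmac.compare_digest(make_response(self.secret, self.prompt()), response)
        if ok:
            self.counter += 1   # spent: the same response is never accepted again
        return ok


class Card:
    """Token side. ON, PIN, ENT, ENT shows a challenge; ENT answers it;
    CH/MAC lets the user type in the challenge shown by the terminal."""
    RESYNC_WINDOW = 10

    def __init__(self, secret):
        self.secret, self.counter, self.shown = secret, 0, None

    def show_challenge(self):
        self.shown = make_challenge(self.secret, self.counter)
        self.counter += 1
        return self.shown

    def respond(self, typed_challenge=None):
        if typed_challenge is None:
            return make_response(self.secret, self.shown)
        # CH/MAC path: answer the typed challenge; if it matches a nearby
        # counter value, realign so the next login needs no manual entry.
        lo = max(0, self.counter - self.RESYNC_WINDOW)
        for k in range(lo, self.counter + self.RESYNC_WINDOW):
            if make_challenge(self.secret, k) == typed_challenge:
                self.counter = k + 1
                break
        return make_response(self.secret, typed_challenge)


def portal_login(kdc, card):
    """One login attempt; returns what happened on each side."""
    on_terminal = kdc.prompt()        # "compare this challenge to the one on your display"
    on_card = card.show_challenge()
    resynced = on_card != on_terminal
    response = card.respond(on_terminal) if resynced else card.respond()
    return {"terminal": on_terminal, "card": on_card,
            "resynced": resynced, "accepted": kdc.verify(response)}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed for the demo
    kdc, card = PortalKDC(secret), Card(secret)
    print(portal_login(kdc, card))
    card.show_challenge()                   # ON, PIN, ENT, ENT with no login: card runs ahead
    print(portal_login(kdc, card))          # challenges differ, CH/MAC path, still accepted
```

The point the model makes explicit is that a response is only good for the one challenge the KDC is currently expecting, so typing it over an unencrypted telnet session does not hand an eavesdropper a reusable password; what the eavesdropper does see is everything else in the session, which is why the page steers you toward Kerberized connections where they are available.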


Change your initial Kerberos Password on UNIX Strengthened Realm FNAL.GOV

A Kerberos password must contain a minimum of ten characters from at least two of the following five classes: lowercase letters, uppercase letters, numbers, punctuation, and all other characters. Root passwords must contain a minimum of 11 characters including at least three of the five classes.
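kpasswd enforces this policy on the KDC (the transcript below shows the message it prints), but it is convenient to pre-screen a candidate locally before sending it anywhere, especially under the Exceed configuration where the change has to go over a network connection. The following added example, not part of this page or of any Fermilab tool, implements the five-class rule with the user thresholds as defaults and the root thresholds as a second parameter set; the class boundaries (str.islower, str.isupper, str.isdigit, string.punctuation, everything else) are my reading of "lowercase, uppercase, numbers, punctuation, and all other characters".

```python
import string

# The five character classes named by the FNAL.GOV password policy.
# Boundary choice (an assumption): ASCII punctuation per string.punctuation;
# whitespace and any other symbol or non-ASCII character fall into "other".
CLASSES = ("lowercase", "uppercase", "numbers", "punctuation", "other")


def char_class(c):
    if c.islower():
        return "lowercase"
    if c.isupper():
        return "uppercase"
    if c.isdigit():
        return "numbers"
    if c in string.punctuation:
        return "punctuation"
    return "other"


def check_password(pw, min_length=10, min_classes=2):
    """Return (ok, problems). Defaults are the user policy (10 chars, 2 classes);
    pass **ROOT_POLICY for root principals (11 chars, 3 classes)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"length {len(pw)} is below the minimum of {min_length}")
    present = {char_class(c) for c in pw}
    if len(present) < min_classes:
        problems.append(
            f"only {len(present)} of {len(CLASSES)} character classes present "
            f"({', '.join(sorted(present)) or 'none'}); at least {min_classes} required")
    return (not problems, problems)


ROOT_POLICY = {"min_length": 11, "min_classes": 3}


if __name__ == "__main__":
    for candidate in ("abcdefghij", "abcdefghi1", "Ab1!ab1!cd"):
        print(candidate, check_password(candidate), check_password(candidate, **ROOT_POLICY))
```

Run it on a throwaway machine or in a local Python session; do not paste a password you intend to keep into a shared shell history.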

WRQ® Reflection

Cygwin (like UNIX/Linux)

To change your password, run the kpasswd command.

% kpasswd [<principal_name>]
kpasswd: Changing password for aheavey@FNAL.GOV.
Old password:                 <--- type your initial password here.
kpasswd: aheavey@FNAL.GOV's password is controlled by the policy default, which
requires a minimum of 10 characters from at least 2 classes (the five classes
are lowercase, uppercase, numbers, punctuation, and all other characters).
New password:                 <--- type your new password here.
New password (again):         <--- type your new password here for confirmation.
Kerberos password changed.

MIT Kerberos with Exceed 7.0

The Change Password utility in Leash32 does not work, and kpasswd at the Command Prompt changes your AFS password, not your Kerberos password.

Consequently, changing your password under this configuration means typing your password over a network connection. Try to find a machine on which you can do it locally instead, and use this method only as a last resort.

  1. To change your Kerberos password, make your connection to your UNIX host using a telnet profile with Kerberos enabled.
  2. Verify that encryption is set.
  3. Run the kpasswd command on the remote host to change your Kerberos password, as described for Cygwin, above.

Change your initial Kerberos Password on W2K Strengthened Realm FERMI.WIN.FNAL.GOV

We recommend that you keep your W2K domain password synchronized with your FNAL.GOV realm password. However, please choose ALL OTHER passwords to be different from this. NO OTHER PASSWORD ON ANY SYSTEM OR FOR ANY APPLICATION SHOULD BE THE SAME AS YOUR KERBEROS PASSWORD!

On your Windows 2000 machine, press Ctrl-Alt-Delete and select Change Password.
