Managing Kerberos Tickets
Ticket Options
Once you are authenticated to Kerberos, you get issued Kerberos tickets (also called credentials). This allows you to log in remotely to other strengthened hosts without typing your password again. You can request that certain options be set on your tickets:
Forwardable: Ticket can be forwarded to other hosts so that you don't need to reauthenticate on each host.
Renewable: Ticket can be renewed before it expires, in order to extend its lifetime.
Post-dated: Ticket becomes valid at a specified time in the future.
Proxiable: Like forwardable, but you can't use it to obtain a new ticket. (Beyond the scope of this document.)
Our Kerberos implementation is integrated with AFS. This means that if your machine is part of the strengthened realm and it runs AFS, then when you get a Kerberos ticket, you also automatically get an AFS token.
The ticket management operations (e.g., listing, destroying tickets) run on both the Kerberos tickets and the AFS token. The lifetime of the AFS token is set to the renewable lifetime of the Kerberos ticket.
Ticket Lifetime
The Fermilab default maximum lifetime for a Kerberos ticket is 26 hours. From WRQ® and Leash32, the maximum is 23 hours.
The Fermilab default maximum renewable lifetime is seven days.
Obtaining Tickets
"Authenticate to Kerberos" is equivalent to "obtain Kerberos ticket".
With rare exceptions, always authenticate to Kerberos on your local machine, and forward your tickets to remote hosts. On an occasion where you must authenticate remotely, verify that all connections in the chain are encrypted!
WRQ®
Navigate to Start > Programs > Reflection > Utilities > Kerberos Manager to open the Reflection Kerberos Manager application, and authenticate.
Kerberized Exceed 7
- Using the Leash32 utility, navigate to Start > Programs > Kerberos Utilities > Leash32. Select Get Ticket on the Action menu.
- Using the command prompt, type kinit -5 to request a ticket.
Cygwin
Run kinit:
% kinit
Password for username@FNAL.GOV: <--- type your password here.
Listing Tickets
WRQ®
Navigate to Start > Programs > Reflection > Utilities > Kerberos Manager to open the Reflection Kerberos Manager application. Tickets are listed in the window.
Kerberized Exceed 7
- Using the Leash32 utility, navigate to Start > Programs > Kerberos Utilities > Leash32. Tickets are listed in the window. Click each plus sign to get more detail.
- Using the command prompt, type klist -f to list your ticket with flags.
Cygwin
Run klist -f.
With -f, this produces output which includes the ticket flags:
Ticket cache: /tmp/krb5cc_6302
Default principal: aheavey@FNAL.GOV

Valid starting     Expires            Service principal
09/08/01 11:29:47  09/09/01 00:29:47  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: FIA
09/08/01 11:29:48  09/09/01 00:29:47  afs/fnal.gov@FNAL.GOV
        Flags: FA
If you have no tickets you will see output like this:
klist: No credentials cache file found (ticket cache /tmp/krb5cc_6302)
Several options are available for klist, as listed in section 12.2 klist and in the man pages.
Destroying Tickets
Tickets can outlive an interactive session and they can be stolen. It is best to destroy them when you log out. Also, if you are going to be away from your machine and are concerned about an intruder using your permissions, either destroy your tickets or use a screensaver that locks the keyboard.
WRQ®
- Navigate to Start > Programs > Reflection > Utilities > Kerberos Manager to open the Reflection Kerberos Manager application. Tickets are listed in the window.
- Clear your tickets by clicking Clear Tickets.
You can automate this by clicking Clear All Tickets On Shutdown on the Configuration menu.
Kerberized Exceed 7
- Using the Leash32 utility, navigate to Start > Programs > Kerberos Utilities > Leash32. Select Destroy Ticket(s) on the Action menu.
- Using the command prompt, type kdestroy to destroy your ticket.
Cygwin
The command kdestroy destroys all your tickets.
Forwarding Tickets
You can use your current ticket to get a valid ticket on a remote machine by forwarding your ticket. You need a forwardable ticket to have an AFS ticket automatically generated when you connect to a system.
Always forward tickets if possible, to avoid authenticating remotely and transmitting your Kerberos password over the network!
WRQ®
Configure WRQ® for Kerberized hosts according to section 19.8 Configuring WRQ® Reflection telnet Connections at http://www.fnal.gov/docs/strongauth/html/winadmin.html#25613. Check Forward Ticket as shown:
You also have the option to check Forwardable when you authenticate with WRQ®, if it's not preconfigured.
Kerberized Exceed 7
Configure the telnet profile as described in 21.5.1 Create a new Telnet Profile for Kerberized Host at http://www.fnal.gov/docs/strongauth/html/winexceed7.html#58089. See step 4c: In the Kerberos 5 Options, check Forwarding.
Cygwin
The strengthened versions of programs such as ssh, slogin, scp, rsh, rcp, telnet, FTP and rlogin support forwarding copies of your tickets to the remote host. See Chapter 13: Network Programs Available on Kerberized Machines.
Renewing Tickets
Tickets can be given a renewable lifetime less than or equal to the maximum allowable renewable lifetime (seven days). A renewable ticket still has the normal lifespan but before it expires it can be renewed as long as its renewable life has not expired.
The lifetime of the AFS token is set to the renewable lifetime of the Kerberos ticket.
Request a Renewable Ticket
WRQ®
Configure WRQ® for Kerberized hosts according to section 19.8 Configuring WRQ® Reflection telnet Connections at http://www.fnal.gov/docs/strongauth/html/winadmin.html#25613. To request a renewable ticket (maximum lifetime at Fermilab defined as seven days), enter a non-zero lifetime value under Renewable ticket:
You also have the option to include a Renewable duration when you authenticate with WRQ®, if it's not preconfigured. Entering a non-zero value gets you a renewable ticket for the specified time:
Kerberized Exceed 7
- I don't know how to do this with Leash32.
- Using the command prompt, you can run % kinit -r <renewable-life> to request a renewable ticket. This requires password entry.
Cygwin
Run % kinit -r <renewable-life> to request a renewable ticket. This requires password entry.
Renew a Ticket
WRQ®
Click Renew Ticket on the Kerberos Manager screen before the ticket expires. (No password entry.) This keeps the ticket active for another 23 or 26 hours.
Exceed 7 Command Prompt and Cygwin
Run % kinit -R before the ticket expires. (No password entry.) This keeps the ticket active for another 23 or 26 hours.
Example
Example: % kinit -r 4d requests a ticket with a renewable life of four days. (The AFS token lifetime is also set to four days.)
Before 23 hours have passed, run % kinit -R. Repeat every 23 hours or less until the four-day limit is reached.
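The ticket flags listed under Listing Tickets and the renewal procedure above can be checked mechanically. The following script is an added example, not part of the Fermilab documentation: it parses `klist -f` output in the layout shown on this page, reports whether the TGT is forwardable (F) and renewable (R), and says whether it is time for `kinit -R`. The `KLIST_OUTPUT` variable, the helper names, and the "renew until" line in the constructed sample are all assumptions; in real use you would set `KLIST_OUTPUT=$(klist -f)`.

```shell
#!/bin/sh
# Added example (not from the Fermilab docs): inspect `klist -f` output and
# decide whether the TGT can be forwarded and whether `kinit -R` is due.
# Constructed sample in the layout this page shows; the "renew until" line is
# an assumption about how a renewable ticket is displayed.
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_6302
Default principal: aheavey@FNAL.GOV

Valid starting     Expires            Service principal
09/08/01 11:29:47  09/09/01 00:29:47  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 09/12/01 11:29:47, Flags: FRIA
09/08/01 11:29:48  09/09/01 00:29:47  afs/fnal.gov@FNAL.GOV
        Flags: FA'
KLIST_OUTPUT=$SAMPLE_KLIST   # in real use: KLIST_OUTPUT=$(klist -f)

# Flags of the ticket-granting ticket (printed on the line after krbtgt/...).
tgt_flags() {
  printf '%s\n' "$KLIST_OUTPUT" | awk '
    /krbtgt\// { want = 1; next }
    want && /Flags:/ { sub(/.*Flags: */, ""); print; exit }'
}

# Expiry of the TGT as "MM/DD/YY HH:MM:SS" (columns 3 and 4 of the krbtgt line).
tgt_expiry() {
  printf '%s\n' "$KLIST_OUTPUT" | awk '/krbtgt\// { print $3, $4; exit }'
}

# End of the TGT's renewable life, or nothing if no "renew until" is shown.
tgt_renew_until() {
  printf '%s\n' "$KLIST_OUTPUT" | awk '
    /krbtgt\// { want = 1; next }
    want && /renew until/ { sub(/.*renew until */, ""); sub(/,.*/, ""); print; exit }
    want && /^[0-9]/ { exit }'
}

# Returns 0 when flag letter $2 appears in flag string $1.
has_flag() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Convert "MM/DD/YY HH:MM:SS" to seconds since the epoch, treating it as UTC.
# Two-digit years 00-68 are taken as 20xx (assumption). Pure awk arithmetic,
# so it does not depend on GNU or BSD date(1) options.
to_epoch() {
  printf '%s %s\n' "$1" "$2" | awk -F'[/: ]' '{
    m = $1 + 0; d = $2 + 0; y = $3 + 0; y += (y < 69) ? 2000 : 1900
    if (m <= 2) { y--; m += 12 }               # count the year from March
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * (m - 3) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468         # days since 1970-01-01
    print days * 86400 + $4 * 3600 + $5 * 60 + $6 }'
}

# Whole hours until the TGT expires, relative to epoch time $1.
hours_left() {
  now=$1
  set -- $(tgt_expiry)
  echo $(( ($(to_epoch "$1" "$2") - now) / 3600 ))
}

# One-word advice for epoch time $1, following the page's renewal procedure.
renew_advice() {
  now=$1
  flags=$(tgt_flags)
  if ! has_flag "$flags" R; then
    echo "not-renewable"; return 0      # only a fresh kinit -r <life> helps
  fi
  set -- $(tgt_renew_until)
  if [ -n "$1" ] && [ "$(to_epoch "$1" "$2")" -le "$now" ]; then
    echo "renewable-life-exhausted"; return 0
  fi
  if [ "$(hours_left "$now")" -le 2 ]; then
    echo "renew-now"                     # run kinit -R before it expires
  else
    echo "ok"
  fi
}

# Report for a constructed "now" of 09/08/01 12:00:00 UTC (epoch 999950400).
flags=$(tgt_flags)
echo "TGT flags: $flags  forwardable: $(has_flag "$flags" F && echo yes || echo no)"
echo "expires: $(tgt_expiry)  hours left: $(hours_left 999950400)  advice: $(renew_advice 999950400)"
```

With the sample above the report says the TGT is forwardable and renewable with 12 hours left, so no action is needed yet; drop the "renew until" line or the R flag from `KLIST_OUTPUT` and the advice changes to not-renewable, which is the case where `kinit -R` cannot help and a new `kinit -r` (with password) is required.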
The .k5login file and Group Accounts on FNALU
The .k5login File
The .k5login file is a text file that may exist in an account's home directory on a UNIX machine, e.g., a FNALU node. It contains a list of the principals who can log into the account. This file overrides all other rules for granting access.
Do you need a .k5login file?
As long as the only principal to log into your account is your own FNAL.GOV principal, and your principal matches your login id, you don't need a .k5login file.
If other principals need login access to the account, you need one. Make sure that all principals that require access are listed in it, including your FNAL.GOV principal.
Sample .k5login Files
One user who belongs to different realms:
jpedersen@FNAL.GOV
jpedersen@MYUNIV.EDU
Multi-user account:
jpedersen@FNAL.GOV
xsmith@FNAL.GOV
qjones@FNAL.GOV
About Group Accounts
Kerberos passwords cannot be shared! A multiple user account must have a .k5login file in its home directory containing an entry for each user that needs to log into the account. The account may have but does not need a corresponding principal.
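Because a .k5login file overrides every other access rule, a typo in it can lock the owner out or let in a principal that was never meant to have access. The script below is an added example, not from the Fermilab documentation: it checks a .k5login for entries without a realm, stray whitespace, duplicates, a lowercase realm (realm names are case-sensitive), a missing owner principal, and group- or world-writable permissions. The function name `check_k5login` and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fermilab docs): sanity-check a .k5login file.
# Usage: check_k5login <path> <your-own-principal>
# Prints one line per finding; returns 0 only when no PROBLEM was found.
check_k5login() {
  file=$1 owner=$2 problems=0 found_owner=0 lineno=0 seen=""
  if [ ! -f "$file" ]; then
    echo "PROBLEM: $file does not exist"; return 1
  fi
  # Anyone who can write the file can add their own principal to it.
  perms=$(ls -ld "$file" | cut -c1-10)
  case "$perms" in
    ?????w????|????????w?)
      echo "PROBLEM: $file is group- or world-writable ($perms)"
      problems=$((problems + 1)) ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      '') echo "PROBLEM: line $lineno is empty"
          problems=$((problems + 1)); continue ;;
      *[[:space:]]*) echo "PROBLEM: line $lineno contains whitespace: '$line'"
          problems=$((problems + 1)); continue ;;
      *@*) ;;                                   # has a realm part
      *) echo "PROBLEM: line $lineno '$line' has no @REALM"
         problems=$((problems + 1)); continue ;;
    esac
    realm=${line##*@}
    case "$realm" in
      *[[:lower:]]*) echo "WARNING: line $lineno realm '$realm' is not upper-case (realms are case-sensitive)" ;;
    esac
    case " $seen " in
      *" $line "*) echo "WARNING: line $lineno duplicates $line" ;;
    esac
    seen="$seen $line"
    [ "$line" = "$owner" ] && found_owner=1
  done < "$file"
  if [ "$found_owner" -eq 0 ]; then
    echo "PROBLEM: your own principal $owner is not listed; .k5login overrides all other access rules"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Demo on constructed files using the sample principals from this page.
tmp=$(mktemp -d)
printf 'jpedersen@FNAL.GOV\nxsmith@FNAL.GOV\nqjones@FNAL.GOV\n' > "$tmp/good"
chmod 0600 "$tmp/good"
printf 'jpedersen@FNAL.GOV\nxsmith\nqjones@fnal.gov\n' > "$tmp/bad"
chmod 0664 "$tmp/bad"
check_k5login "$tmp/good" jpedersen@FNAL.GOV && echo "good: no problems"
check_k5login "$tmp/bad" jpedersen@FNAL.GOV || echo "bad: problems found"
rm -rf "$tmp"
```

Run it against `~/.k5login` with your own principal as the second argument before logging out of a session where you edited the file; the owner check is the one that prevents the lock-out described above.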
AFS ACLs should be set up so that everyone in the group can read (and write, if necessary) the files with his/her own AFS login and token. (This avoids the problem of running klog with a group AFS password.)
Users log in to the multiple-user account as follows:
- Authenticate to Kerberos under your own account.
- Log in to the multiple-user account, by identifying it on the connection program command line, and forward the ticket, e.g., telnet -f -l <group-account-name> <host>.
- Assuming tickets are automatically forwarded, you're now logged on under the account name, but your Kerberos ticket and AFS token are associated with your principal name.
- Run klog to get an AFS token for the group account.