Back to Strong Auth Index Page | Computing Division| Fermilab at Work | Fermilab Home
Strong Authentication at Fermilab

Table of Contents

Acknowledgments and References

About this Manual

Purpose and Intended Audiences


Notational Conventions

Your Questions and Comments

Part I Getting Started

Chapter 1: Introduction to Strong Authentication at Fermilab

1.1 Computing on the World Wide Web

1.2 Strong Authentication

1.3 Why has Fermilab implemented strong authentication?

1.4 What do you need to know and do?

1.4.1 General User

1.4.2 System Administrator

1.4.3 Developer

1.5 What advantages does Kerberos provide?

1.6 What advantages does Kerberos have over other possible solutions?

1.7 How does Kerberos work?

1.8 How do you obtain a Kerberos Principal?

Chapter 2: Fermilab Computing Policy Issues

2.1 The Strong Authentication Policy in a Nutshell

2.2 Authentication Guidelines for On-site vs. Off-site Machines

2.3 Transient Machines

2.4 Obtaining an Exemption from the Policy

2.5 Compliance with Policy

Chapter 3: Kerberos Principals and Passwords

3.1 Your Kerberos Principal

3.1.1 Choosing a Principal Name

3.1.2 Requesting a Principal

3.2 About Kerberos Passwords

3.2.1 Important! Please Read!

3.2.2 Choosing a Kerberos Password

3.3 Changing your Kerberos Password

3.3.1 UNIX/Linux/Cygwin

3.3.2 Windows (with WRQ® Reflection software installed)

3.3.3 Windows (with Exceed 7.0 and MIT Kerberos)

3.3.4 Macintosh

Part II User's Guide

Chapter 4: Accessing Kerberized Machines (Fermilab-Supported Methods)

4.1 Logging In at the Console of a Kerberized UNIX Machine

4.1.1 Using Standard UNIX Login Program

4.1.2 Using Kerberos Login Program

4.1.3 If you don't have a principal yet...

4.1.4 Machines Running Mixed Mode Kerberos

4.2 Connecting from One Kerberized Machine to Another

4.3 Connecting via Kerberized SSH

4.4 Connecting from a NonKerberized Machine: Portal Mode

4.4.1 About Portal Mode

4.4.2 About CRYPTOCard

4.4.3 Programs for Initiating CRYPTOCard Login

4.4.4 Portal Mode FTP when you can't see the Challenge

4.5 Logging into a UNIX Account that's not your own

4.6 Logging In Through WRQ® Reflection Software from Windows

4.6.1 Authenticate Locally via the Kerberos Manager

4.6.2 Run a telnet Session to Kerberized Host

4.6.3 Run an FTP Session to Kerberized Host

4.7 Windows AFS Client for File Transfers to AFS Space

4.7.1 How does AFS Appear on your Desktop?

4.7.2 Authenticate to AFS

Chapter 5: Using your CRYPTOCard

5.1 How does your CRYPTOCard Work?

5.2 Caring for your CRYPTOCard

5.3 Usage Notes

5.4 The First Thing to do: Reset your PIN

5.4.1 Resetting Initial PIN

5.4.2 Resetting PIN (General)

5.5 Log in Using CRYPTOCard (the First Time)

5.5.1 Original Style Card

5.5.2 New Style Card (March 2002)

5.6 Log in Using CRYPTOCard (Subsequently)

5.6.1 Original Style Card

5.6.2 New Style Card (March 2002)

5.7 Reauthenticate using your CRYPTOCard

5.8 Resync your CRYPTOCard

5.8.1 Original Style Card

5.8.2 New Style Card (March 2002)

Chapter 6: Logging In from Off-Site

6.1 Description of Choices for Off-Site Machines

6.2 In a Pinch: Download Client-Only Version of Kerberos

6.3 Obtaining CRYPTOCards

6.4 Exporting CRYPTOCards

6.5 Network Address Translation

6.5.1 Windows

6.5.2 Linux

6.5.3 Macintosh

Chapter 7: Accessing Kerberized Machines (Community-Supported Methods)

7.1 Logging In Through Kerberized Exceed 7 Software from Windows

7.1.1 Telnet Connections

7.1.2 FTP Connections

7.2 Logging In from a Macintosh

Chapter 8: Troubleshooting your Authentication Problems

Chapter 9: Using Kerberos

9.1 Ticket Properties and Options

9.1.1 Default Ticket Flags and Lifetimes

9.1.2 Credential Caches

9.1.3 Tickets for Root Instance of Kerberos Principal

9.2 Ticket Management

9.2.1 Obtaining Tickets (Authenticating to Kerberos)

9.2.2 Viewing Tickets

9.2.3 Destroying Tickets

9.2.4 Forwarding Tickets

9.2.5 Renewing Tickets

9.2.6 Update Tickets on Remote Terminal Sessions

9.3 Account Access by Multiple Users

9.3.1 The .k5login File

9.3.2 About Group Accounts

9.3.3 The .k5users File

9.4 Using Root Instance of your Principal

9.4.1 What is a Root Instance of a Principal?

9.4.2 How do You Use your /root Principal?

9.4.3 How Should You NOT Use It?

9.4.4 How do you Maintain Credentials for your Normal Principal while Using the /root Principal?

Chapter 10: Miscellaneous Topics for the User

10.1 Running Xwindows

10.1.1 UNIX

10.1.2 Windows NT4/98/95

10.1.3 Macintosh

10.2 Usage Notes for PCs with WRQ® Reflection Installed

10.2.1 Cutting and Pasting

10.2.2 Using Matrix through X Windows Interface

10.3 Automated Processes

10.3.1 Specific-User Processes (cron Jobs)

10.3.2 Processes Running as root

10.3.3 Non-root, Non-Specific-User Processes

10.4 Sending Data from Unstrengthened to Strengthened Machines

10.5 CVS

Part III User's Reference Manual

Chapter 11: Encrypted vs. Unencrypted Connections

11.1 How do you know if your connection is encrypted?

11.1.1 Connecting from Kerberized UNIX/Linux Desktops

11.1.2 Connecting over a CRYPTOCard ssh Session

11.1.3 Connecting over a CRYPTOCard telnet Session

11.1.4 Connecting over a CRYPTOCard ftp Session

11.1.5 Connecting from an X Terminal

11.1.6 Connecting from a PC Running Windows

11.1.7 Macintosh: MIT Kerberos and BetterTelnet

11.2 If it's unencrypted, what do I do when I need to reauthenticate?

Chapter 12: Kerberos Command Descriptions

12.1 kinit

12.1.1 Syntax

12.1.2 Option Descriptions

12.1.3 Examples

12.2 klist

12.2.1 Syntax

12.2.2 Option/Argument Descriptions

12.2.3 Examples

12.3 kpasswd

12.3.1 Syntax

12.3.2 Argument Description

12.4 kdestroy

12.4.1 Syntax

12.4.2 Option Descriptions

12.5 Kerberized su (ksu)

12.5.1 Syntax

12.5.2 Description

12.5.3 Option Descriptions

12.6 kvno

12.6.1 Syntax

12.6.2 Option Descriptions

Chapter 13: Network Programs Available on Kerberized Machines

13.1 Introduction

13.2 Kerberized telnet

13.3 Kerberized rsh

13.4 Kerberized rlogin

13.5 Kerberized FTP

13.6 Kerberized rcp

13.7 Kerberized ssh and slogin

13.8 Kerberized scp

Part IV System Administrator's Guide "A": Recommended and Supported Implementations

Chapter 14: Installing Fermi Kerberos on a UNIX (non-Linux) System

14.1 Before You Install Kerberos

14.1.1 Obtain a Kerberos Principal

14.1.2 Create an Account that Matches your Principal

14.1.3 Understand your Installation Options

14.1.4 Install UPS/UPD (Recommended)

14.1.5 Install Kerberized SSH (Recommended)

14.1.6 Do you Need to Allow Incoming Kerberos Connections?

14.1.7 Synchronize your Machine with Time Server

14.1.8 Determine Kerberos Access Mode(s)

14.1.9 Choose Login Program

14.2 Installing Fermi Kerberos using UPS/UPD

Chapter 15: Installing Fermi Kerberos on a Linux System

15.1 Before You Install Kerberos

15.1.1 Choose your Installation Method

15.1.2 Differences between the UPS/UPD and RPM Kerberos Products

15.1.3 Follow Same Pre-install Steps as for UNIX

15.1.4 Create a Local Account

15.1.5 PAM and Passwords for Desktop Environment Applications

15.1.6 SSH and OpenSSH

15.2 Kerberos and OpenSSH RPM Installation

Chapter 16: The Kerberos Configuration File: krb5.conf

16.1 What does krb5.conf Control?

16.2 Reinstall krb5conf Using UPD

16.3 Obtain krb5conf without Using UPD

16.4 krb5.conf.template

Chapter 17: Kerberized UNIX System Administration Issues

17.1 Alterations Made to your System when Fermi Kerberos is Installed

17.2 Setting Defaults for Tickets/Applications

17.3 The /etc/hosts File

17.4 Portal Mode Configuration

17.5 Register yourself as an Administrator

17.6 User Accounts and Passwords

17.6.1 User Account Names

17.6.2 Determine if a Particular Principal Exists

17.6.3 User Passwords

17.6.4 Providing Access to Sensitive Accounts

17.7 Non-user Accounts

17.8 Searching KDC Log Files and the Principal List

17.9 Changing a Machine's Node Name

17.9.1 Using UPS

17.9.2 Using Kerberos Utilities

17.10 Installing Service Host Keys

17.11 Configuration to allow use of CRYPTOCard with OpenSSH

17.12 Static IP vs. DHCP Addresses

17.13 Multiple IP Addresses or Node Names

17.14 Laptops

Chapter 18: Additional UNIX Sysadmin Information for Off-Site Installations

18.1 root access to /usr

18.2 Obtaining the krb5.conf File

18.3 When your Node is in a Different Domain

18.4 Connecting from One Off-Site Domain to Another

Chapter 19: Installing and Configuring WRQ® Reflection on a Windows System

19.1 Getting Ready

19.2 Automated Installation of WRQ® Reflection v12.0.0

19.3 Configuration for Addressless Tickets

19.4 Time Synchronization

19.4.1 WRQ® Reflection 10.0.0

19.4.2 WRQ® Reflection 8.0.0

19.5 Configuring WRQ® Reflection Kerberos Manager v12.0.

19.6 Configuring WRQ® Reflection

19.7 Configuring WRQ® Reflection OpenSSH Connections

19.7.1 For Kerberized Host

19.7.2 For nonKerberized Host

19.7.3 Create a Template Configuration

19.8 Configuring WRQ® Reflection telnet Connections

19.8.1 For Kerberized Host

19.8.2 For nonKerberized Host

19.8.3 Create a Template Configuration

19.9 Configure X Connection to Host

19.9.1 Connect to Host with X Application Startup

19.10 Configuring WRQ® Reflection FTP Connections

19.10.1 Create a Profile for FTP to Kerberized Host

19.10.2 Connect to nonKerberized Host

19.10.3 Edit an FTP Setup

Part V System Administrator's Guide "B": Community-Supported Implementations

Chapter 20: Installing Kerberos on a non-Fermi-Supported Linux System

20.1 Before You Install Kerberos

20.1.1 Obtain a Kerberos Principal

20.1.2 Do you Need to Allow Incoming Kerberos Connections?

20.1.3 Create an Account that Matches your Principal

20.1.4 Synchronize your Machine with Time Server

20.2 Installing MIT Kerberos

20.3 Installing Fermi Kerberos

20.3.1 Download Modified Source from CVS

20.3.2 Download Tar File from KITS

Chapter 21: Installing MIT Kerberos on Windows, for use with Exceed 7 and FileZilla

21.1 Getting Ready

21.1.1 Obtain a Kerberos Principal

21.1.2 Install Exceed and FileZilla

21.1.3 Caveats

21.2 Installing Kerberos

21.3 Configuring Kerberos using Leash32

21.4 Getting a Ticket

21.5 Configuring the Exceed 7 Telnet Application

21.5.1 Create a new Telnet Profile for Kerberized Host

21.5.2 Create a new Telnet Profile for nonKerberized Host

21.5.3 Connect to Kerberized Host using Telnet Profile

21.5.4 Connect to nonKerberized Host using Telnet Profile

21.6 krb5.ini for FNAL.GOV

Chapter 22: Installing Heimdal Kerberos for use with Cygwin

22.1 Obtain a Kerberos Principal

22.2 Install Cygwin

22.2.1 Partial Installation

22.2.2 Complete Installation

22.3 Install Heimdal Kerberos

22.4 Using CVS under Cygwin

Chapter 23: Installing and Configuring MIT Kerberos on a Macintosh System

23.1 Kerberos on Mac OS X

23.1.1 Install and Configure

23.1.2 Kerberized Ftp Client

23.1.3 X Client

23.1.4 Authenticate to Kerberos

23.1.5 Time Synchronization

23.2 Installing MIT Kerberos for Mac OS 9 and Earlier

23.2.1 Changes in MIT Kerberos for Macintosh 4.0

23.2.2 Download Kerberos from the MIT Web Site

23.2.3 Items that Appear on your Desktop

23.2.4 Installation Instructions

23.3 Configuring the Kerberos Software v4 for Mac

23.3.1 The Preferences File

23.3.2 Select Favorite Realms

23.3.3 Edit Preferences

23.4 Installing Telnet Client

23.5 Configuring Telnet

23.6 Kerberized FTP Client

23.7 Authenticating to Kerberos

23.7.1 Authenticate via Kerberos Control Panel

23.7.2 Authenticate at Login

23.7.3 Time Synchronization (Pre-OS X 10)

Part VI Appendices

Appendix A. Implementation Details of Strong Authentication at Fermilab

A.1 What is "Strong Authentication"?

A.1.1 Definition

A.2 Goals of Strong Authentication at Fermilab

A.3 The Authentication Model Implemented at Fermilab

A.3.1 The Realms

A.3.2 Relationships between the Realms

A.4 Features of Strong Authentication at Fermilab

Appendix B. About the Kerberos Network Authentication Service

B.1 Introduction to Kerberos

B.1.1 Background

B.1.2 About Kerberos Authentication

B.1.3 How Secure is Kerberos?

B.2 Keys, Tickets and the KDC

B.3 Fermi vs. Standard MIT Kerberos

B.4 The Authentication Process

Appendix C. More about Choosing a Principal Name

C.1 Guidelines for Choosing a Kerberos Principal

C.2 If your Principal and Login Name do not Match

This page generated on: 09/01/06 16:25:01