Strong Authentication at Fermilab
Chapter 7: Accessing Kerberized Machines (Community-Supported Methods)
7.1 Logging In Through Kerberized Exceed 7 Software from Windows
7.1.1 Telnet Connections
7.1.2 FTP Connections
7.2 Logging In from a Macintosh
7.2.1 Authenticate via Kerberos Control Panel
7.2.2 Authenticate at Login
Chapter 7: Accessing Kerberized Machines (Community-Supported Methods)
In this chapter we discuss accessing systems in the FNAL.GOV realm from UNIX, Windows and Macintosh machines using programs or operating systems not supported by the Computing Division.
Very important note: Any time you're about to enter your Kerberos password, first verify that you're using the host's directly-connected keyboard or using an encrypted connection! Otherwise you risk exposing your password. See Chapter 11: Encrypted vs. Unencrypted Connections for information.
7.1 Logging In Through Kerberized Exceed 7 Software from Windows
7.1.1 Telnet Connections
You should create one secure telnet profile for each Kerberized host you wish to access, according to the instructions in section 22.5 Configuring the Exceed 7 Telnet Application. To authenticate:
- Using the Leash32 utility: navigate to Start > Programs > Kerberos Utilities > Leash32, then select Get Ticket on the Action menu.
You will be required to enter your Kerberos password. Ignore the CRYPTOCard prompt that may follow (press Cancel). Your ticket will appear in the Leash32 window. Click on the Windows Explorer-style plus signs (+) to get details.
- Using the command prompt: type kinit -5 to request a ticket.
You will be required to enter your Kerberos password. Ignore the CRYPTOCard prompt that may follow (just press Enter). To verify the ticket and its flags, either bring up the Leash32 window, or type klist -f at the command prompt.
You can request a renewable ticket at the command prompt by using the -r option (see section 9.2.5 Renewing Tickets). Your AFS token will have a lifetime equal to the renewable lifetime of the Kerberos ticket.
- Start the Exceed 7 telnet program. Navigate to Start > Programs > Hummingbird Connectivity v7.0 > HostExplorer > Telnet.
- On the Open Session window, with the desired telnet profile selected, the target host name or IP address should appear in the Host Name window. To connect, click on the Connect button. If you've preauthenticated, you should get right in without having to provide your Kerberos password.
- The Leash32 window should now show your host connection in addition to the Kerberos ticket.
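The klist -f check mentioned above, as an added example that is not part of the original Fermilab page: a Python parser that decodes the flag letters and reports whether the FNAL.GOV ticket-granting ticket is forwardable. The sample output is constructed in the MIT UNIX klist layout (the user jdoe and host node01.fnal.gov are made up), and the Windows klist may lay out its lines differently.

```python
import re

# Flag letters printed by MIT `klist -f`, as listed in the MIT klist manual.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed sample in the MIT UNIX klist layout (user and host are made up).
SAMPLE = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: jdoe@FNAL.GOV\n\n"
    "Valid starting     Expires            Service principal\n"
    "03/01/05 09:00:00  03/02/05 11:00:00  krbtgt/FNAL.GOV@FNAL.GOV\n"
    "\trenew until 03/08/05 09:00:00, Flags: FRIA\n"
    "03/01/05 09:05:12  03/02/05 11:00:00  host/node01.fnal.gov@FNAL.GOV\n"
    "\tFlags: FRA\n"
)

STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+@\S+)\s*$")
DETAIL = re.compile(rf"(?:renew until ({STAMP}))?,?\s*Flags:\s*(\w+)")

def parse_klist(text):
    """Return one dict per ticket in `klist -f` output, with flags decoded."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:  # a ticket line: start time, expiry, service principal
            tickets.append({"start": m[1], "expires": m[2], "service": m[3],
                            "renew_until": None, "flags": []})
        elif tickets and (d := DETAIL.search(line)):  # its continuation line
            tickets[-1]["renew_until"] = d[1]
            tickets[-1]["flags"] = [FLAG_NAMES.get(c, "unknown:" + c) for c in d[2]]
    return tickets

def tgt_problems(tickets, realm="FNAL.GOV"):
    """List reasons the ticket-granting ticket is unsuitable for onward logins."""
    tgt = next((t for t in tickets if t["service"] == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        return [f"no krbtgt for {realm}: run kinit first"]
    problems = []
    if "forwardable" not in tgt["flags"]:
        problems.append("TGT is not forwardable")
    if "invalid" in tgt["flags"]:
        problems.append("TGT is flagged invalid")
    return problems
```

An empty list from tgt_problems means the ticket-granting ticket is present and forwardable; a non-None renew_until value shows the ticket was requested as renewable.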
7.1.2 FTP Connections
Exceed 7 does not provide a Kerberized FTP client. Furthermore, you cannot connect using your CRYPTOCard (as you may for WRQ® FTP, described in section 4.6.3 Run an FTP Session to Kerberized Host), since the Exceed 7 FTP client stores your password, and doesn't let you enter it each time you connect. Choose a different product! Suggestions: WRQ®, FileZilla, AFS Windows Client (for remote hosts using AFS).
7.2 Logging In from a Macintosh
Here we assume you are running the MIT Kerberos v4.0 software for Macintosh as described in Chapter 24: Installing and Configuring MIT Kerberos on a Macintosh System.
7.2.1 Authenticate via Kerberos Control Panel
- Invoke the Kerberos Control Panel (from Control Panels under the Apple menu, from the Kerberos Menu in the menu bar, or from the Kerberos Control Strip module).
- Select the right username and realm. Click Options... to specify the ticket options; you should generally choose forwardable.
You should see a ticket appear. Now you can invoke your telnet product (BetterTelnet or NiftyTelnet) and connect to one or more strengthened hosts without having to provide your password again.
7.2.2 Authenticate at Login
Invoke BetterTelnet or NiftyTelnet and connect to a strengthened host. You will be prompted for your Kerberos password, and then authenticated once you have provided it.