Departments | Computing Division | Fermilab at Work | Fermilab Home _____________________________________________________________________________________________________ Computing Division

Updates to the
Strong Authentication at Fermilab Manual

Document number: GG0019
2nd Draft Release preceding release 2.0
August 1, 2001

Strong Authentication at Fermilab Welcome Page
Acknowledgments and References - Abstract

---

The manual has been updated through 8/1/01. This is a draft release, it has not been thoroughly proofed. The manual is still undergoing revision.

Changes in 8/1/01 draft (and later) with respect to 2/23/01 release (1.0b):

This is an approximate list. Many text changes that are not noted here have been made to pre-existing chapters and sections.

New chapters/Appendices:

• Dear Collaborator (summarized introductory info)
• Ch 8: Transition from Pilot to FNAL.GOV Realm (User Info)
• Ch10: Installing Kerberos on non-Fermi Linux system
• 8/1 - Ch 13: MIT Kerberos on Windows with Exceed 7
• 8/1 - Ch 14: Heimdal Kerberos with Cygwin
• (as of 8/1, now 16) Ch 14: Transition from Pilot to FNAL.GOV Realm (Sysadmin Info)
• Appx A: Encrypted/Unencrypted Connections
• Appx B: Getting Started with CRYPTOCard (moved from old sec 5.3.3)
• 8/1 - Appx D: Network Programs
• (as of 8/1, now E) Appx D: The krb5.conf file (configuration info)

Chapters moved or removed:

• Old Ch 8 Kerberos Command Descriptions moved to new Appx C
• (as of 8/1, reinstated as Appx D) old Ch 9 Kerberized Network Programs removed

Sections added:

• 2.5 Fermilab Computing Policy Issues
• 3.3 Fermi vs. Standard MIT Kerberos
• (added online July 3) 5.1 Trying Out Kerberos on fnkerb.fnal.gov
• 5.4 Connecting from Kerberized SSH
• 5.7 Logging In with Exceed 7 from Windows
• 9.3 Fermi Kerberos from RPM (Linux)
• 11.5.1 and 11.5.2 under new section 11.5 User Accounts and Passwords (new 11.5.3 is old 11.5)
• 11.6.1 and 11.6.2 (under 11.6 Changing a Machine's Node Name)
• 11.7 Installing Service Host Keys
• 11.8 Static IP vs. DHCP Addresses
• 11.9 Multiple IP Addresses or Node Names
• 11.11 Laptops
• D.8 Kerberized ssh and slogin
• D.9 Kerberized scp

Other significant changes

• Ch 12 documents the installation of a new version of WRQ® Reflection on a Windows System
• Ch 15 documents the installation of a new version of MIT Kerberos on a Macintosh System

Further Updates to Information:

This table lists entries in order of appearance in the manual. The following updates didn't make it into the latest draft -- oops!

8/7/01 -- updates since the 8/1/01 version was printed:

• (8/17) Intro Letter: changed Strong auth definition in the box; How does Kerb work, item 5: add note about if tickets forwarded...
• (8/17) 3.4 Rewrote auth process descript
• (added 8/15) 8.3 Automated Installation of WRQ® Reflection Products
• 11.7 (now 11.8) Add -r REALM to kinit if default realm doesn't match host/ftp princ realm
• 5.3 If ticket forwarding has been set “off” for your system..., use the -f or -F option ... and to set it on for ssh use -k.
• (8/17) 5.3 ssh *doesn't* request password -- changed
• 8/17, 5.5.3 Added "need to give empty password for ssh from nonKerb machine before crypto prompt"
• (8/17) 5.6.1 Check Forwardable if ... want AFS token automatically
• 5.10 troubleshooting: added do_ypcall error.
• 8/17, 5.9.4 added NAT Mac note about forwarded tickets not working
• (8/17)5.10 Key version number..." error -- cross ref to 11.7 added
• 6.2.1 Forwarded tickets and tickets obtained via kinit are stored in different credential caches.
• (8/17) -- 6.2.3 -- KRB5CCNAME value often has FILE: -- Marc provided more complicated rsh command.
• 6.2.4 A Note about AFS tokens and Forwarding
• 8/17 -- 6.3.2 k5users file -- if no commands listed, princ can do all or nothing?; also added note for princ added more than once, only 1st entry used
• (added 8/15) Ch 9: retitled to avoid confusion: non Fermi supported Linux OS, not Linux box offsite
• 9.1.2 Added "The ssh installation sets the values of RhostsRSAAuthentication, RSAAuthentication and PasswordAuthentication in /etc/sshd_config to “yes”. They must be set to “no”! If you proceed to install kerberos, these values will get set properly. If kerberos is already installed, you must either set the values to “no” by hand, or you can do it by running: % ups install-sshd kerberos We recommend that you stop and restart sshd (you must be root) (commands then shown)
• 11.1 The default kerberos install preserves pre-existing usage of tcpwrappers on a service-by-service basis.
• Added new 11.6 for non-user accounts (add empty .k5login)
• 12.2.2 (8/17) Added Win2k timesynch info
• (added 8/15) Chapter 12 -- added comment that Exceed 7.0 FTP connections cannot be kerbeized.
• 13.1.3 When connected via a Host Explorer 7.0 Kerberized telnet session, users have reported problems with using Ctrl-g inside X applications and Ctrl-c at the UNIX command prompt when encryption is enabled. A problem report has been made to the vendor (Hummingbird).
• 8/17 15.2.1 Pointer to kerberos_preferences file for mac now in ps directory

Date	Chapter or Section	Description	Updated in HTML?	Updated in source?
2/27/01	5.2 Connecting from One Kerberized Machine to Another	To prevent your on-site Kerberized system from accepting a reusable login password over the network: don't configure sshd to accept a password (root users) be careful when editing inetd.conf and changing the flags on the kerberos telnetd or ftpd	no	no
2/27/01	5.3.3 CRYPTOCard	The palmOS version of the CRYPTOCard software (for Palm Pilot) does not lock on some number of wrong-PIN attempts.	no	no
03/06/01	10.1.6 Access Modes	The reason that Kerberos+ssh is not allowed for on-site systems is that it violates the Fermilab Policy on Computing: all on-site systems must require Kerberos authentication. Kerberized ssh is allowed.	yes	no
2/28/01	12.2 Installing Reflection v7.02	You may log in as Administrator and find that you can't connect to \\pckits\DesktopTools. If that's the case, in the box that pops up, enter fnal\yourNTname and your FNAL NT domain password.	no	no

---

Replacement of X Terminals with NICs

X terminals provide no way of encrypting a network connection. Therefore we are recommending their replacement by New Internet Computers (NIC). At Fermilab we are providing a CD for configuring the NICs, you will soon be able to get the CDs at the PREP window (for now, send a message to csi-group@fnal.gov to request one). For information on the Fermilab configuration, and instructions, go to the CD-CSI department's home page, and click on X Terminal Replacement Pilot.