Presentation Outline
Computing in a Kerberized Environment
Logging in at your UNIX Desktop
- If it runs Kerberized login program, use your Kerberos password when logging into desktop machine.
- If it runs standard UNIX login program, use your UNIX password, and run kinit after login.
How do you know which login program it runs? Ask your sysadmin.
Accessing a Kerberized Node (e.g., FNALU nodes)
List of Access Methods
- Kerberos via Kerberized versions of ssh, slogin, scp, telnet, ftp, rsh, rlogin, and rcp.
- CRYPTOCard from a nonKerberized machine via standard ssh, slogin, telnet, ftp.
Method 1: Connecting from local Kerberized Machine
- Authenticate to Kerberos on your desktop machine to get ticket.
- Verify that ticket is forwardable (run klist -f, and look for F flag). If not, run kinit -f.
- Check Kerberized connection program defaults in /etc/krb5.conf.
- Run the Kerberized connection program you want to use; if necessary, include the ticket-forwarding option on the command line.
- To reauthenticate without restarting remote terminal sessions, use k5push.
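The ticket check in the steps above, automated as an added example (this is not a script from the original page): it parses `klist -f` output for the F flag on the krbtgt entry and falls back to `kinit -f` when the flag is missing. The sample `klist` output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original page: automate the "verify that the
# ticket is forwardable" step before running a Kerberized ssh/slogin/etc.

# ticket_is_forwardable reads "klist -f" output on stdin and exits 0 only
# if the Flags: line printed under the krbtgt (ticket-granting ticket)
# entry contains F, the forwardable flag the text tells you to look for.
ticket_is_forwardable() {
    awk '
        /krbtgt\// { tgt = 1; next }   # the next Flags: line belongs to the TGT
        tgt && /Flags:/ { sub(/.*Flags:/, ""); if (index($0, "F")) ok = 1; tgt = 0 }
        END { exit (ok ? 0 : 1) }
    '
}

# ensure_forwardable_ticket runs the real klist and, if the current ticket
# is not forwardable (or there is no ticket at all), runs kinit -f.
# Call it before "ssh <host>" on your Kerberized desktop.
ensure_forwardable_ticket() {
    if klist -f 2>/dev/null | ticket_is_forwardable; then
        echo "ticket is forwardable"
    else
        echo "no forwardable ticket; running kinit -f"
        kinit -f
    fi
}

# Constructed sample "klist -f" output (assumed layout of MIT klist, where a
# Flags: line follows each ticket line); principal name is a placeholder.
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yourname@FNAL.GOV

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: FIA'

KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yourname@FNAL.GOV

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: IA'
```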
Method 2: Connecting from local NonKerberized Machine: Portal Mode
In portal mode, the remote Kerberized machine requires a single-use password for authentication. You need to use a calculator-style, battery-powered device called a CRYPTOCard to generate the password. (If you obtained your CRYPTOCard during or after March 2002, it looks and operates slightly differently than what's described here. Read this first, then go to Chapter 5: Using your CRYPTOCard to see what's different.)
- No special hardware or software is required on the nonKerberized machine for CRYPTOCard use.
- Login name and principal must match.
- Authenticating with CRYPTOCard gets you a Kerberos ticket and AFS token the same as authenticating with Kerberos password.
Obtaining and preparing your CRYPTOCard
Request a CRYPTOCard on the same form used for requesting a Kerberos Principal, Form to Request Kerberos Principal and/or Related Items at http://www.fnal.gov/cd/forms/strongauth.html.
When you get your CRYPTOCard, read about how to prepare it and care for it in sections 5.2 Caring for your CRYPTOCard, 5.3 Usage Notes and 5.4 The First Thing to do: Reset your PIN.
To resynchronize your CRYPTOCard with the KDC, see section 5.8 Resync your CRYPTOCard.
Programs for Initiating CRYPTOCard Login
From your nonKerberized desktop, use one of the following programs:
% ssh <host>
% slogin <host>
% telnet <host>
% ftp <host>
Press Return. The remote host prompts you for your login id. It must be the same as your principal.
Ssh Notes:
- For ssh, don't give a command argument!
- Currently for ssh and slogin, the system prompts you for an ssh password before the CRYPTOCard prompt. At the ssh password prompt, type no characters, just press Return.
Using your CRYPTOCard
After you type a connection command (e.g., ssh <host>) and enter your login id, the CRYPTOCard prompt appears and looks like this:
Press ENTER and compare this challenge to the one on your display: [12345678]
Enter the displayed response:
Generate a response on your CRYPTOCard, and type it at the terminal keyboard. Full instructions can be found in sections 5.5 Log in Using CRYPTOCard (the First Time) and 5.6 Log in Using CRYPTOCard (Subsequently).
To reauthenticate without restarting your session, use the command new-portal-ticket; you will need to use your CRYPTOCard to generate a response.
Summary of the Login Steps with CRYPTOCard
These instructions are for the old-style cards. For new-style cards, see section 5.6.2 New Style Card (March 2002) under section 5.6 Log in Using CRYPTOCard (Subsequently).
1. ON, [PIN], ENT, ENT to get challenge string.
2. Run connection program, and enter your username/principal at prompt. Compare challenges on terminal and CRYPTOCard.
3. If challenges match, press ENT to generate response to challenge.
4. Type CRYPTOCard response.
5. (optional) OFF
The first time you use your CRYPTOCard, and any time it gets unsynchronized with the KDC, you will need to type the challenge into the card. (At step 3, if challenges don't match, press CH/MAC, and enter the challenge displayed at the terminal into the card. Continue from step 3.)
Change your initial Kerberos Password
First, choose a password that's hard to guess but easy for you to remember. For hints, see 3.2.2 Choosing a Kerberos Password. To change your password, run the kpasswd command.
Whenever you're about to run kpasswd, first verify that you're using a machine's directly-connected keyboard! Only on rare, necessary occasions may you run this command over a network connection. When you do, verify that all connections in the chain are encrypted!
% kpasswd [<principal_name>]
kpasswd: Changing password for aheavey@FNAL.GOV.
Old password: <--- type your initial password here.
kpasswd: aheavey@FNAL.GOV's password is controlled by the policy default, which requires a minimum of 10 characters from at least 2 classes (the five classes are lowercase, uppercase, numbers, punctuation, and all other characters).
New password: <--- type your new password here.
New password (again): <--- type your new password here for confirmation.
Kerberos password changed.
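A local pre-check of a candidate password against the policy kpasswd reports above (at least 10 characters from at least 2 of the five classes), as an added example that is not part of the original page or of kpasswd itself. It reads the candidate from stdin rather than an argument so it never appears in the process list or shell history; the five-class split is my reading of the policy message, not the KDC's own implementation.

```shell
#!/bin/sh
# Added example, not from the original page: check a candidate Kerberos
# password against the "policy default" kpasswd describes, before you sit
# down at a directly-connected keyboard to run kpasswd for real.

# password_meets_policy: reads one line from stdin and exits 0 only if it
# has at least 10 characters drawn from at least 2 of the five classes
# (lowercase, uppercase, numbers, punctuation, all other characters).
password_meets_policy() {
    IFS= read -r pw || return 1
    len=0; lower=0; upper=0; digit=0; punct=0; other=0
    rest=$pw
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of the remainder
        rest=${rest#?}             # drop it
        len=$((len + 1))
        case $c in
            [[:lower:]]) lower=1 ;;
            [[:upper:]]) upper=1 ;;
            [[:digit:]]) digit=1 ;;
            [[:punct:]]) punct=1 ;;
            *)           other=1 ;;   # anything else: space, accented letters, etc.
        esac
    done
    classes=$((lower + upper + digit + punct + other))
    [ "$len" -ge 10 ] && [ "$classes" -ge 2 ]
}

# Usage (the password is typed, not stored):
#   printf 'Candidate password: '; password_meets_policy && echo "meets policy"
```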