Kerberos central authentication infrastructure

General

Authentication is the process of proving who you are. Kerberos is a specification of an authentication mechanism; the Kerberos implementation in use at GSI is Heimdal. Kerberos replaces the venerable NIS, as it offers better security in addition to other advantages concerning usability:
  1. During normal operation, passwords are never sent over the network.
  2. After logging on to your machine, you get a session key. This session key is valid for 10 hours and can be used to get authenticated access to Kerberos-aware applications without further user interaction. ssh is one example of such a service.
  3. More recent encryption mechanisms.

Migration from NIS to Kerberos

Passwords cannot be migrated automatically from NIS to Kerberos, since they are stored in different formats and never in plain text. As the migration period is over, please contact the user help desk to have a Kerberos principal created for you. This should only be necessary if you have not used Linux at GSI for a couple of years.

Usage

Suppose you are logged in to a machine that is connected to Kerberos. Run kinit to get a session key:

$USER@lxpool.gsi.de> kinit
$USER@GSI.DE's Password:
$USER@lxpool.gsi.de> klist
Credentials cache: FILE:/tmp/krb5cc_1234
        Principal: $USER@GSI.DE

  Issued                Expires               Principal
Feb  2 15:56:33 2015  Feb  3 01:56:33 2015  krbtgt/GSI.DE@GSI.DE

When connecting to a single host of a group of machines, e.g. kronos.hpc.gsi.de, add the following lines to ~/.ssh/config:

Host kronos.hpc*
   GSSAPITrustDNS yes

Connecting to other hosts that use Kerberos should not require a password if you have a valid session key:

$USER@lxpool.gsi.de> ssh kronos.hpc.gsi.de

Welcome to the Linux farm at GSI                                # Notice that no password-prompt appeared.
================================

 Prometheus GridEngine Submit Node
 -- http://wiki.gsi.de/Linux/GridEngine

If you have problems or other issues with the system
please report them to linux-service@gsi.de.

Further info is available at http://wiki.gsi.de/Linux

Have a good time

Last login: Mon Feb  2 13:16:23 2015 from lxpool.gsi.de
$USER@lxsub21.gsi.de$

Then log out and run klist again to see that your session key has been used to obtain the credentials for lxsub21.gsi.de:

$USER@lxsub21.gsi.de> exit
Connection to lxsub21 closed.
$USER@lxpool.gsi.de> klist
Credentials cache: FILE:/tmp/krb5cc_1234
        Principal: $USER@GSI.DE

  Issued                Expires               Principal
Feb  2 15:56:33 2015  Feb  3 01:56:33 2015  krbtgt/GSI.DE@GSI.DE
Feb  2 16:04:19 2015  Feb  3 01:56:33 2015  host/lxsub21.gsi.de@GSI.DE
$USER@lxpool.gsi.de> 
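The klist listings above are what a script should inspect before it relies on a password-less GSSAPI login: is the krbtgt entry still within its 10-hour lifetime, and which hosts already hold a host/... service ticket? The following shell helpers are an added example for this page, not GSI's own tooling. They assume the Heimdal klist layout shown above (Issued / Expires / Principal columns with "Mon Day HH:MM:SS Year" timestamps); the REALM and NOW parameters and the sample cache contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the GSI wiki): inspect a Kerberos credentials cache
# before relying on GSSAPI logins. Assumes the Heimdal klist layout shown on
# the page; REALM and NOW are hypothetical parameters of these helpers.

# Constructed sample klist output, following the layout shown on the page.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1234
        Principal: user@GSI.DE

  Issued                Expires               Principal
Feb  2 15:56:33 2015  Feb  3 01:56:33 2015  krbtgt/GSI.DE@GSI.DE
Feb  2 16:04:19 2015  Feb  3 01:56:33 2015  host/lxsub21.gsi.de@GSI.DE'

# tgt_status REALM NOW   (klist output on stdin)
# NOW is a local-time "YYYY-MM-DD HH:MM:SS" string; klist prints local time
# too, so the expiry is rebuilt in the same sortable form and compared as text.
# Prints one of: valid | expired | none
tgt_status() {
  awk -v realm="$1" -v now="$2" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) idx[m[i]] = i
      status = "none"
    }
    # The ticket-granting ticket is the krbtgt/REALM@REALM line.
    $NF == ("krbtgt/" realm "@" realm) {
      # Fields 5-8 are the Expires column: Mon Day HH:MM:SS Year
      expires = sprintf("%04d-%02d-%02d %s", $8, idx[$5], $6, $7)
      status = (expires > now) ? "valid" : "expired"
    }
    END { print status }'
}

# service_hosts REALM   (klist output on stdin)
# Lists the hosts for which a host/... service ticket has already been
# obtained, i.e. machines reached via GSSAPI since the last kinit.
service_hosts() {
  awk -v realm="$1" '
    $NF ~ ("^host/.*@" realm "$") {
      p = $NF
      sub("^host/", "", p); sub("@" realm "$", "", p)
      print p
    }'
}

# ensure_tgt: the pre-flight check to use in real scripts. "klist -s"
# (Heimdal also spells it -t/--test) exits non-zero when the cache holds no
# valid credentials, in which case kinit prompts for the password.
ensure_tgt() {
  klist -s 2>/dev/null || kinit
}

# Demo on the constructed sample. Against a live cache, use:
#   klist | tgt_status GSI.DE "$(date '+%Y-%m-%d %H:%M:%S')"
printf '%s\n' "$SAMPLE_KLIST" | tgt_status GSI.DE '2015-02-02 20:00:00'
printf '%s\n' "$SAMPLE_KLIST" | service_hosts GSI.DE
```

The timestamps are compared as zero-padded strings rather than converted to epoch seconds, which keeps the helper free of the non-portable `date -d`; it only works because both sides are in the same local time zone, which is the case for klist output and `date` on the same machine.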

Changing your password

Run the following command:

passwd

Note, however, that with Kerberos the following password rules are enforced:
  1. At least 10 characters
  2. English uppercase characters (A through Z)
  3. English lowercase characters (a through z)
  4. Base 10 digits (0 through 9)
  5. Non-alphanumeric characters (e.g., !, $, #, %)
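The rules above are enforced by the Kerberos server when passwd submits the new password, and the error it returns on rejection is not very descriptive. The helper below is an added example for this page (not a GSI tool) that applies the same five rules locally first. It reads the candidate from stdin, so the password never appears on a command line or in shell history, and it never echoes it; the KDC's policy remains authoritative.

```shell
#!/bin/sh
# Added example (not from the GSI wiki): pre-check a candidate password
# against the five rules listed on the page before running passwd.
# The candidate is read from stdin and is never printed.

# password_policy_violations: reads one line from stdin, prints one line per
# violated rule, and returns 0 only if all five rules are satisfied.
password_policy_violations() {
  # IFS= and -r keep leading/trailing blanks and backslashes intact.
  IFS= read -r pw
  rc=0
  # Rule 1: at least 10 characters.
  if [ "${#pw}" -lt 10 ]; then echo "fewer than 10 characters"; rc=1; fi
  # Rules 2-5: one character from each class. LC_ALL=C pins the ranges to
  # ASCII so locale collation cannot widen them.
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' \
    || { echo "no uppercase letter (A-Z)"; rc=1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' \
    || { echo "no lowercase letter (a-z)"; rc=1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' \
    || { echo "no digit (0-9)"; rc=1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' \
    || { echo "no non-alphanumeric character"; rc=1; }
  return $rc
}

# Usage (interactive, with echo disabled for the duration of the read):
#   stty -echo; password_policy_violations; stty echo
```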

Troubleshooting

kinit: krb5_get_init_creds: Client ($USER@GSI.DE) unknown
    You have not been migrated yet. Run ssh -o PubKeyAuthentication=no migrate.gsi.de and try again. If it still does not work, write an e-mail to linux-service@gsi.de.

kinit: Password incorrect
    Since the migration takes a lot of time, your Kerberos password may still be an old NIS password. The migration started on July 1st, 2014. If you changed your NIS password since then, your Kerberos password may be an old one. If you cannot remember your old password, write an e-mail to linux-service@gsi.de.

kpasswd: kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping
    You have given kpasswd a wrong password; it responds with this odd message. Check whether your keyboard accidentally switched to another layout. Try old NIS passwords. If that does not help, write an e-mail to linux-service@gsi.de.

Tips

~/.k5login

If you create a file .k5login in an account's home directory and add Kerberos principals (name@REALM) to it, the listed users will be able to log in to that account authenticated by Kerberos.

Example:
onormalb:~# cat .k5login
admin@GSI.DE
onormalb:~#

This will allow admin to log in as onormalb via Kerberos, i.e. without being prompted for a password. This is an alternative to key-based SSH logins.
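Because every line of .k5login grants another principal full access to the account, the file deserves the same care as authorized_keys: only the account owner (or root) should be able to write it, and every line should be a principal in the expected realm (realm names are case-sensitive, so admin@gsi.de would not match admin@GSI.DE). The helpers below are an added example for this page, not GSI's own tooling; the ownership and permission checks are a defensive convention here, so consult your Kerberos implementation's kuserok rules for what it enforces itself.

```shell
#!/bin/sh
# Added example (not from the GSI wiki): create and audit a .k5login file.
# Each line is one principal (name@REALM) allowed to log in to the account.
# FILE and REALM are hypothetical parameters of these helpers.

# k5login_add FILE PRINCIPAL: append a principal once, creating the file
# with mode 0600 if it does not exist yet.
k5login_add() {
  file=$1; principal=$2
  if [ -f "$file" ] && grep -qxF "$principal" "$file"; then return 0; fi
  ( umask 077; printf '%s\n' "$principal" >> "$file" )
}

# k5login_lint FILE REALM: print one problem per line; return 1 if any found.
k5login_lint() {
  file=$1; realm=$2; rc=0
  [ -f "$file" ] || { echo "$file: missing"; return 1; }
  # Ownership and mode from ls -ld (portable across GNU and BSD userlands).
  # A file writable by group/others lets someone else grant themselves
  # access to the account, so anything looser than 0644 is flagged.
  perm=$(ls -ld "$file" | cut -c1-10)
  owner=$(ls -ld "$file" | awk '{ print $3 }')
  case $perm in
    ?????w*|????????w*) echo "$file: mode $perm is group- or world-writable"; rc=1 ;;
  esac
  if [ "$owner" != "$(id -un)" ] && [ "$owner" != root ]; then
    echo "$file: owned by $owner, not by the account or root"; rc=1
  fi
  n=0
  # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      '') echo "$file:$n: empty line"; rc=1 ;;
      *[!A-Za-z0-9._/@-]*) echo "$file:$n: unexpected characters in '$line'"; rc=1 ;;
      *@"$realm") ;;   # principal in the expected realm: fine
      *@*) echo "$file:$n: principal from foreign realm: $line"; rc=1 ;;
      *) echo "$file:$n: not a principal (no @REALM): $line"; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Usage:
#   k5login_add ~/.k5login admin@GSI.DE
#   k5login_lint ~/.k5login GSI.DE
```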

-- MatthiasPausch, ChristopherHuhn - 2015 - 2016
Topic revision: r19 - 2018-10-16, MatthiasPausch