Kerberos central authentication infrastructure

General

Authentication is the process of proving who you are. Kerberos is a specification of an authentication mechanism. The Kerberos implementation that is in use at GSI is called heimdal. Kerberos replaces the venerable NIS as it offers better security in addition to other advantages concerning usability:

1. During normal operation, passwords are never sent over the network.
2. After logging on to your machine, you get a session key. This session key is valid for 10 hours and can be used to get authenticated access to Kerberos-aware applications without further user interaction. An example of those services is ssh.
3. More recent encryption mechanisms.

Usage

Suppose you are logged in to a machine that is connected to Kerberos. Run kinit to get a session-key:

» kinit
USER@GSI.DE's Password:
» klist
Credentials cache: FILE:/tmp/krb5cc_1234
        Principal: USER@GSI.DE

  Issued                Expires               Principal
Feb  2 15:56:33 2015  Feb  3 01:56:33 2015  krbtgt/GSI.DE@GSI.DE

When connecting to a single host of a group of machines, e.g. lx-pool.gsi.de, add the following lines to ~/.ssh/config:

Host lx-pool.gsi.de
   GSSAPITrustDNS yes

Connecting to other hosts that use Kerberos should not require a password if you have a valid session-key:

» ssh lxg0815.gsi.de
Linux lxg0815 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
+===================================================================+
| Welcome to the Linux farm at GSI                                  |
+-------------------------------------------------------------------+
[…]
</pre>

You should not be prompted for a password.
Then logout and run klist again, to see that your session key has been used to get the credentials for lxg0815.gsi.de:

<verbatim>
lxg0815.gsi.de » exit
Connection to lxg0815 closed.
» klist
Credentials cache: FILE:/tmp/krb5cc_1234
        Principal: $USER@GSI.DE

  Issued                Expires               Principal
Feb  2 15:56:33 2015  Feb  3 01:56:33 2015  krbtgt/GSI.DE@GSI.DE
Feb  2 16:04:19 2015  Feb  3 01:56:33 2015  host/lxg0815.gsi.de@GSI.DE
»
</pre>

---++ Changing your password

Run the following command: =passwd=

Note however, that with Kerberos, password-rules are enforced:
   1 At least 10 characters
   1 English uppercase characters (A through Z)
   1 English lowercase characters (a through z)
   1 Base 10 digits (0 through 9)
   1 Symbols (eg !, $, #, %)

---++ Trouble Shooting

   $ <verbatim>kinit: krb5_get_init_creds: Client ($USER@GSI.DE) unknown</verbatim> : You have not been migrated yet. Run =ssh -o PubKeyAuthentication=no migrate.gsi.de= and try again. If it still did not work, write an e-mail to mailto:linux-service@gsi.de
   $ <verbatim>kinit: Password incorrect</verbatim> : Since the migration takes a lot of time, your Kerberos-password may still be an old NIS-password. The migration started on the July, 1st, 2014. If you changed your NIS-password since then, your Kerberos-password may be an old one. If you cannot remember your old password, write an e-mail to mailto:linux-service@gsi.de.
   $ <verbatim>kpasswd: kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping</verbatim>: You have given =kpasswd= a wrong password. It responds with this weird message. Check if your keyboard accidently switched to another layout. Try old NIS-passwords. If that does not help write an e-mail to mailto:linux-service@gsi.de

---++ Tips

---+++ =~/.k5login=

If you create a file =.k5login= in an accounts home directory and add Kerberos realms to it, the given users wil be able to login to that account autheniticated by Kerberos. 

Example:
<verbatim>
onormalb:~# cat .k5login
admin@GSI.DE
onormalb:~#
</verbatim>

This will allow =admin= to login in as =onormalb= via Kerberos, ie. without being prompted for a password. This is an alternative to [[SshUsage#Use_a_Public_Key_for_Login][key-based SSH logins]].

-- Main.MatthiasPausch, Main.ChristopherHuhn - 2015 - 2016
</verbatim>
<nop>