Kerberos: Difference between revisions

From UMIACS
No edit summary
 
(21 intermediate revisions by 3 users not shown)
===Working with Kerberos===

Previous revision:
When you successfully log into any of our kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowlege about the system.

Latest revision:
When you successfully log into any of our Kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowledge about the system.

Both revisions:
The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.

Whenever possible, we strongly suggest that users log out of their environments nightly.

Removed in the latest revision:
===Managing your Kerberos Account===
You can change your password and the administrative information associated with your account by logging into any Openlab Solaris system and using the `chpass` command.
Use `chpass` without arguments to change your administrative information about your Full Name, Office, Shell, and Extension.
To change your password, Use `chpass -p` or `passwd`.

===Listing your credentials===

Previous revision:
It is often useful to examine your current credentials. Using `klist`, you can verify that your login is correct ,

 DCE Identity Information:
      Warning: Identity information is not certified
      Global Principal: /.../umiacs.umd.edu/fmccall
      Cell:     a53a40a8-fedd-11d1-9da0-08005a75a4c7 /.../umiacs.umd.edu
      Principal: 00001130-9ff4-21d4-9200-800878e9aa77 fmccall
      Group:    0000000a-9ff8-21d4-9201-800878e9aa77 staff
      Local Groups:
              0000000a-9ff8-21d4-9201-800878e9aa77 staff
              00005f50-ba7d-21d6-a501-800878e9aa77 fmccall
              000007d7-3aa2-21d6-a501-800878e9aa77 glcfadm
 
 Identity Info Expires: 2002/09/28:20:47:45
 Account Expires:      never
 Passwd Expires:        never
 
 Kerberos Ticket Information:
 Ticket cache: /opt/dcelocal/var/security/creds/dcecred_41ffffc1
 Default principal: fmccall@umiacs.umd.edu
 Server: krbtgt/umiacs.umd.edu@umiacs.umd.edu
      valid 2002/09/21:20:47:45 to 2002/09/28:20:47:45
 Server: dce-rgy@umiacs.umd.edu
      valid 2002/09/21:20:47:45 to 2002/09/28:20:47:45
 Client: dce-ptgt@umiacs.umd.edu Server: krbtgt/umiacs.umd.edu@umiacs.umd.edu
      valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Client: dce-ptgt@umiacs.umd.edu Server: dce-rgy@umiacs.umd.edu
      valid 2002/09/28:14:12:56 to 2002/09/28:16:13:01
 Client: dce-ptgt@umiacs.umd.edu Server: hosts/phobos.umiacs.umd.edu/dfs-server@umiacs.umd.edu
      valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Server: imap/reptoid.umiacs.umd.edu@umiacs.umd.edu
      valid 2002/09/21:20:47:53 to 2002/09/28:20:47:45
 Server: dce-ptgt@umiacs.umd.edu
      valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Server: lpr/durer.umiacs.umd.edu@umiacs.umd.edu
      valid 2002/09/22:20:21:54 to 2002/09/28:20:47:45

'Default principal' indicates the kerberos identity of the current process. In this case, the kerberos pricipal, 'fmccall@umiacs.umd.edu' indicates that I am authenticated as the user 'fmccall' to the realm 'umiacs.umd.edu'.

'Identity Info Expires' indicates the date and time when the current credentials will expire. In this case, my credentials will expire September 28, 2002.

If my credentials have not been set up correctly, klist will report:
 No DCE identity available: No currently established network identity for this context exists (dce / sec)
 
 Kerberos Ticket Information:
 klist: No credentials cache file found (dce / krb) (ticket cache /opt/dcelocal/var/security/creds/dcecred_41ffffc1)

===Reinitialize your Credentials===

When available, use `dce_login -r` to refresh your current credentials. On other platforms, use `kinit` to reinitialize your credentials when they expire. Both programs will prompt for your password and reinitialize your credentials.

Latest revision:
It is often useful to examine your current credentials. Using <tt>klist</tt>, you can verify that your login is correct,

 -bash-4.2$  klist
 Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
 Default principal: username@AD.UMIACS.UMD.EDU
 
 Valid starting    Expires           Service principal
 05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU

'Default principal' indicates the Kerberos identity of the current process. In this case, the Kerberos principal, 'username@AD.UMIACS.UMD.EDU' indicates that we are authenticated as the user 'username' to the realm 'AD.UMIACS.UMD.EDU'.

If your credentials have not been set up correctly, klist will report:
 -bash-4.2$  klist
 klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)

===Single Sign On Services===

Previous revision:
Kerberos authenticated Pop and IMAP provide secure and convenient methods reading mail. Unlike traditional POP3 and IMAP services, your password is never sent over the network as cleartext and your password is not cached on a client.

The Distributed File System (DFS) is a kerberos authenticated network file system and only processes with your kerberos credentials can access your files. In many cases, even a super-user account cannot compromise the security of your files without first compromising your password.

We are actively working to use kerberos authentication with the OpenSSH package to provide single sign-on services for SSH, SCP, SFTP, and FTP so that users can login to remote systems, execute remote commands, and transfer files without typing your password or managing authentication tokens like .shosts files or key pairs.

Latest revision:
Kerberos authenticated IMAP and SMTP provide secure and convenient methods for sending and reading mail. Unlike traditional IMAP and SMTP services, your password is never sent over the network as cleartext and your password is not cached on a client.

===Password Security===

Both revisions:
Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.

Removed in the latest revision:
===Long Running Processes in a Kerberos Environment===
Please see [[KerberosLongRun|Managing Long Running Processes in a Kerberos Environment]]

Latest revision as of 22:42, 22 April 2022

Introduction to Kerberos

Kerberos provides a toolkit for reducing the risks associated with insecure networks. It provides a unified password space in which we can manage strong passwords easily and it can prevent your password from being sent across the network as cleartext.

Working with Kerberos

When you successfully log into any of our Kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowledge about the system.

The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.

Whenever possible, we strongly suggest that users log out of their environments nightly.

Listing your credentials

It is often useful to examine your current credentials. Using klist, you can verify that your login is correct,

 -bash-4.2$  klist
 Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
 Default principal: username@AD.UMIACS.UMD.EDU
 
 Valid starting     Expires            Service principal
 05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU

'Default principal' indicates the Kerberos identity of the current process. In this case, the Kerberos principal, 'username@AD.UMIACS.UMD.EDU' indicates that we are authenticated as the user 'username' to the realm 'AD.UMIACS.UMD.EDU'.

If your credentials have not been set up correctly, klist will report:

 -bash-4.2$  klist
 klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)
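
The one-week expiry described above is easiest to catch before network resources start failing by checking the TGT line of klist output. The following is an added example, not part of the UMIACS page: it parses klist output in the format shown above and classifies the ticket-granting ticket as missing, expired, about to expire, or fine. The sample output, the no-cache message and the one-hour warning threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout klist prints on this page (MM/DD/YY HH:MM:SS).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
Default principal: username@AD.UMIACS.UMD.EDU

Valid starting     Expires            Service principal
05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU
"""
# Constructed copy of the message the page shows when no credential cache exists.
NO_CACHE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)"

TIME_FMT = "%m/%d/%y %H:%M:%S"
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")   # start, expiry, service


def parse_klist(text):
    """Return (principal, [(start, expires, service)]); principal is None without a cache."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("klist: No credentials cache"):
            return None, []
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_RE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), TIME_FMT),
                            datetime.strptime(m.group(2), TIME_FMT), m.group(3)))
    return principal, tickets


def tgt_status(text, now=None, warn_within=timedelta(hours=1)):
    """Classify the TGT as 'none', 'expired', 'expiring' or 'ok'.
    now is a timestamp string in klist's own format; default is the current time."""
    now = datetime.now() if now is None else datetime.strptime(now, TIME_FMT)
    principal, tickets = parse_klist(text)
    if principal is None:
        return "none"
    realm = principal.split("@", 1)[1]
    for _start, expires, service in tickets:
        if service == f"krbtgt/{realm}@{realm}":   # the TGT for the user's own realm
            if now >= expires:
                return "expired"
            return "expiring" if expires - now <= warn_within else "ok"
    return "none"   # a cache exists but holds no TGT, so services will start failing
```

Feed it the combined output of `klist 2>&1`, since the no-cache message is printed on stderr; anything other than "ok" means it is time to run kinit.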

Single Sign On Services

Kerberos authenticated IMAP and SMTP provide secure and convenient methods for sending and reading mail. Unlike traditional IMAP and SMTP services, your password is never sent over the network as cleartext and your password is not cached on a client.

Password Security

Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.