Kerberos: Difference between revisions

From UMIACS
Jump to navigation Jump to search
No edit summary
(12 intermediate revisions by 3 users not shown)
Line 5: Line 5:
===Working with Kerberos===
===Working with Kerberos===


When you successfully log into any of our kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowlege about the system.
When you successfully log into any of our Kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowledge about the system.


The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.
The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.


Whenever possible, we strongly suggest that users log out of their environments nightly.
Whenever possible, we strongly suggest that users log out of their environments nightly.
===Password Policies===
We have the following policies in regards to our passwords,
* Maximum Ticket Lifetime : 14days
* Minimum Password Length : 8 Characters
* Minimum Character Classes : 2 Character Classes (numbers, letters, symbols are all character classes)
* Number of Previous Passwords Kept: 5 ( you can re-use your last 5 set passwords)
===Managing your Kerberos Account===
You can change your password via visting this link,
https://intranet.umiacs.umd.edu/cgi-bin/changepass
Administrative information associated with your account by this link,
https://intranet.umiacs.umd.edu/chinfo


===Listing your credentials===
===Listing your credentials===


It is often useful to examine your current credentials. Using `klist`, you can verify that your login is correct ,
It is often useful to examine your current credentials. Using <tt>klist</tt>, you can verify that your login is correct,


   [derek@kiwi ~]$ klist
   [derek@opensub00 ~]$ klist
   Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
   Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
   Default principal: derek@UMIACS.UMD.EDU
   Default principal: derek@AD.UMIACS.UMD.EDU
    
    
   Valid starting    Expires            Service principal
   Valid starting    Expires            Service principal
   05/28/08 11:39:36  05/29/08 11:39:36  krbtgt/UMIACS.UMD.EDU@UMIACS.UMD.EDU
   05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU
 
 
  Kerberos 4 ticket cache: /tmp/tkt2174
  klist: You have no tickets cached


'Default principal' indicates the kerberos identity of the current process. In this case, the kerberos pricipal, 'derek@UMIACS.UMD.EDU' indicates that I am authenticated as the user 'derek' to the realm 'UMIACS.UMD.EDU'.
'Default principal' indicates the Kerberos identity of the current process. In this case, the Kerberos principal, 'derek@AD.UMIACS.UMD.EDU' indicates that I am authenticated as the user 'derek' to the realm 'AD.UMIACS.UMD.EDU'.


If my credentials have not been set up correctly, klist will report:
If your credentials have not been set up correctly, klist will report:


   [derek@kiwi ~]$ klist
   [derek@opensub00 ~]$ klist
   klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)
   klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)
 
 
  Kerberos 4 ticket cache: /tmp/tkt2174
  klist: You have no tickets cached
===Reinitialize your Credentials===
When available, use `kinit -R` to refresh your current credentials.


===Single Sign On Services===
===Single Sign On Services===


Kerberos authenticated Pop and IMAP provide secure and convenient methods reading mail. Unlike traditional POP3 and IMAP services, your password is never sent over the network as cleartext and your password is not cached on a client.
Kerberos authenticated IMAP and SMTP provide secure and convenient methods for sending and reading mail. Unlike traditional IMAP and SMTP services, your password is never sent over the network as cleartext and your password is not cached on a client.
 
We are actively working to use kerberos authentication with the OpenSSH package to provide single sign-on services for SSH, SCP, SFTP, and FTP so that users can login to remote systems, execute remote commands, and transfer files without typing your password or managing authentication tokens like .shosts files or key pairs.


===Password Security===
===Password Security===


Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.
Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.

Revision as of 16:55, 5 September 2018

Introduction to Kerberos

Kerberos provides a toolkit for reducing the risks associated with insecure networks. It provides a unified password space in which we can manage strong passwords easily and it can prevent your password from being sent across the network as cleartext.

Working with Kerberos

When you successfully log into any of our Kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowledge about the system.

The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.

Whenever possible, we strongly suggest that users log out of their environments nightly.

Listing your credentials

It is often useful to examine your current credentials. Using klist, you can verify that your login is correct,

 [derek@opensub00 ~]$ klist
 Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
 Default principal: derek@AD.UMIACS.UMD.EDU
 
 Valid starting     Expires            Service principal
 05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU

'Default principal' indicates the Kerberos identity of the current process. In this case, the Kerberos principal, 'derek@AD.UMIACS.UMD.EDU' indicates that I am authenticated as the user 'derek' to the realm 'AD.UMIACS.UMD.EDU'.

If your credentials have not been set up correctly, klist will report:

 [derek@opensub00 ~]$ klist
 klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)

Single Sign On Services

Kerberos authenticated IMAP and SMTP provide secure and convenient methods for sending and reading mail. Unlike traditional IMAP and SMTP services, your password is never sent over the network as cleartext and your password is not cached on a client.

Password Security

Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.