Kerberos

From UMIACS
Revision as of 19:32, 2 March 2007 by Derek (talk | contribs)
Jump to navigation Jump to search

Introduction to Kerberos

Kerberos provides a toolkit for reducing the risks associated with insecure networks. It provides a unified password space in which we can manage strong passwords easily and it can prevent your password from being sent across the network as cleartext.

Working with Kerberos

When you successfully log into any of our kerberos authenticated systems, you will be granted a set of credentials which will identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowlege about the system.

The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, the lack of credentials can cause the user environment to behave erratically as network resources become unavailable.

Whenever possible, we strongly suggest that users log out of their environments nightly.

Managing your Kerberos Account

You can change your password and the administrative information associated with your account by logging into any Openlab Solaris system and using the `chpass` command.

Use `chpass` without arguments to change your administrative information about your Full Name, Office, Shell, and Extension.

To change your password, Use `chpass -p` or `passwd`.

Listing your credentials

It is often useful to examine your current credentials. Using `klist`, you can verify that your login is correct ,

 DCE Identity Information:
       Warning: Identity information is not certified
       Global Principal: /.../umiacs.umd.edu/fmccall
       Cell:      a53a40a8-fedd-11d1-9da0-08005a75a4c7 /.../umiacs.umd.edu
       Principal: 00001130-9ff4-21d4-9200-800878e9aa77 fmccall
       Group:     0000000a-9ff8-21d4-9201-800878e9aa77 staff
       Local Groups:
               0000000a-9ff8-21d4-9201-800878e9aa77 staff
               00005f50-ba7d-21d6-a501-800878e9aa77 fmccall
               000007d7-3aa2-21d6-a501-800878e9aa77 glcfadm
 
 Identity Info Expires: 2002/09/28:20:47:45
 Account Expires:       never
 Passwd Expires:        never
 
 Kerberos Ticket Information:
 Ticket cache: /opt/dcelocal/var/security/creds/dcecred_41ffffc1
 Default principal: fmccall@umiacs.umd.edu
 Server: krbtgt/umiacs.umd.edu@umiacs.umd.edu
       valid 2002/09/21:20:47:45 to 2002/09/28:20:47:45
 Server: dce-rgy@umiacs.umd.edu
       valid 2002/09/21:20:47:45 to 2002/09/28:20:47:45
 Client: dce-ptgt@umiacs.umd.edu Server: krbtgt/umiacs.umd.edu@umiacs.umd.edu
       valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Client: dce-ptgt@umiacs.umd.edu Server: dce-rgy@umiacs.umd.edu
       valid 2002/09/28:14:12:56 to 2002/09/28:16:13:01
 Client: dce-ptgt@umiacs.umd.edu Server: hosts/phobos.umiacs.umd.edu/dfs-server@umiacs.umd.edu
       valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Server: imap/reptoid.umiacs.umd.edu@umiacs.umd.edu
       valid 2002/09/21:20:47:53 to 2002/09/28:20:47:45
 Server: dce-ptgt@umiacs.umd.edu
       valid 2002/09/28:14:13:01 to 2002/09/28:16:13:01
 Server: lpr/durer.umiacs.umd.edu@umiacs.umd.edu
       valid 2002/09/22:20:21:54 to 2002/09/28:20:47:45

'Default principal' indicates the kerberos identity of the current process. In this case, the kerberos pricipal, 'fmccall@umiacs.umd.edu' indicates that I am authenticated as the user 'fmccall' to the realm 'umiacs.umd.edu'.

'Identity Info Expires' indicates the date and time when the current credentials will expire. In this case, my credentials will expire September 28, 2002.

If my credentials have not been set up correctly, klist will report:

 No DCE identity available: No currently established network identity for this context exists (dce / sec)
 
 Kerberos Ticket Information:
 klist: No credentials cache file found (dce / krb) (ticket cache /opt/dcelocal/var/security/creds/dcecred_41ffffc1)

Reinitialize your Credentials

When available, use `dce_login -r` to refresh your current credentials. On other platforms, use `kinit` to reinitialize your credentials when they expire. Both programs will prompt for your password and reinitialize your credentials.

Single Sign On Services

Kerberos authenticated Pop and IMAP provide secure and convenient methods reading mail. Unlike traditional POP3 and IMAP services, your password is never sent over the network as cleartext and your password is not cached on a client.

The Distributed File System (DFS) is a kerberos authenticated network file system and only processes with your kerberos credentials can access your files. In many cases, even a super-user account cannot compromise the security of your files without first compromising your password.

We are actively working to use kerberos authentication with the OpenSSH package to provide single sign-on services for SSH, SCP, SFTP, and FTP so that users can login to remote systems, execute remote commands, and transfer files without typing your password or managing authentication tokens like .shosts files or key pairs.

Password Security

Kerberos security depends on the security of your password. Although Kerberos can make secure access to services convenient, it is still your responsibility to secure your password. Please try to choose a strong password and use secure protocols.

Long Running Processes in a Kerberos Environment

Please see Managing Long Running Processes in a Kerberos Environment