PDC - Center for Parallel Computers, KTH

Guided Tours: Kerberos

What is Kerberos?

In order to access the computers at PDC in a secure way, all users must use an authentication system called Kerberos. Kerberos uses encryption to enable secure communication. To be able to connect to the computers at PDC you have to use programs that can use Kerberos. The Kerberos travelkit contains the programs you need to connect to and use the computing resources at PDC.

Using Kerberos

Note: the commands on this page are Kerberos version 4 (athena) commands. If you are using Kerberos version 5 (heimdal), see the Kerberos5 tour.

This text describes the use of Kerberos in general. Additional issues that may have to be addressed when using the Kerberos travelkit are covered on the Kerberos travelkit tour. The commands described here normally reside in the directory /usr/athena/bin. In order to authenticate yourself to Kerberos you need to get 'tickets'. A ticket grants you the right to use a service, such as accessing your files. Tickets are normally obtained using the 'kauth' command. The following would get you a ticket allowing you to log in to the Strindberg computer at PDC:

> kauth -h strindberg.pdc.kth.se -n your-username-at-pdc@NADA.KTH.SE

The -h switch gives you tickets both on your local computer and on the computers listed after the switch. You can see which tickets you currently have and when they will expire using the 'klist' command. For instance:

> klist
Ticket file:    /tmp/tkt17445
Principal:      <username>@NADA.KTH.SE

  Issued           Expires          Principal
Mar  5 10:21:46  Mar  5 20:21:46  krbtgt.NADA.KTH.SE@NADA.KTH.SE
Mar  5 10:21:46  Mar  5 20:21:46  afs.pdc.kth.se@NADA.KTH.SE
Mar  5 10:21:46  Mar  5 20:21:46  afs@NADA.KTH.SE

The first ticket is a 'ticket granting ticket', i.e. a ticket used to get other tickets. Then come two tickets allowing this user to access files in the AFS filesystem at PDC. When you first get Kerberos tickets on your local computer, klist will normally show only a ticket granting ticket.

Kerberos tickets normally expire after 10 hours. If you submit a job that will take longer than this to start and run to its conclusion, you need to get tickets with a longer lifetime, since your program won't be able to write its results to disk if the tickets have expired. You can specify the lifetime of your tickets like this:

> kauth -h strindberg.pdc.kth.se -n your-username-at-pdc@NADA.KTH.SE -l lifetime-in-minutes

If you specify the lifetime as -1, the ticket will get the maximum allowed lifetime (around 1 month).
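As an added example (not part of this tour or of the Kerberos travelkit), the following Python script parses klist output in the Kerberos 4 format shown above, finds the ticket that expires first, and works out whether the tickets will outlive a batch job; if not, it reports the -l value in minutes to pass to kauth. The klist text, the year and the "current time" are constructed for the example (klist v4 prints no year), and the 30-day cut-off above which it recommends -1 is an assumption standing in for the page's "around 1 month".

```python
"""Check Kerberos v4 ticket lifetimes against a batch job's run time.

Added example, not part of the PDC tour or the Kerberos travelkit: it parses
the table that the Kerberos 4 'klist' command prints (the format shown on
this page), finds the ticket that expires first, and reports the '-l' value
in minutes to pass to 'kauth' when the tickets would not outlive the job.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the klist output shown on this page.
SAMPLE_KLIST = """\
Ticket file:    /tmp/tkt17445
Principal:      someuser@NADA.KTH.SE

  Issued           Expires          Principal
Mar  5 10:21:46  Mar  5 20:21:46  krbtgt.NADA.KTH.SE@NADA.KTH.SE
Mar  5 10:21:46  Mar  5 20:21:46  afs.pdc.kth.se@NADA.KTH.SE
Mar  5 10:21:46  Mar  5 20:21:46  afs@NADA.KTH.SE
"""

# Constructed "current time" for the sample; klist v4 prints no year, so the
# caller supplies one when parsing.
REFERENCE_YEAR = 1998
REFERENCE_NOW = datetime(1998, 3, 5, 12, 0, 0)

# Assumption: the page says -1 gives "around 1 month"; 30 days is used as the
# cut-off above which requesting -1 is the sensible choice.
MAX_LIFETIME_MINUTES = 30 * 24 * 60

# One ticket row: issued, expires, principal, optional "(kvno)" suffix as in
# the klist output printed by the ftp server on this page.
TICKET_LINE = re.compile(
    r"^(?P<issued>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)(?:\s+\(\d+\))?$"
)


def _parse_stamp(stamp, year):
    """'Mar  5 10:21:46' -> datetime; klist pads single-digit days with two spaces."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def parse_klist(text, year):
    """Return [(principal, issued, expires), ...] for every ticket row in klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line.strip())
        if not m:
            continue                      # header lines, blank lines, ticket file path
        issued = _parse_stamp(m["issued"], year)
        expires = _parse_stamp(m["expires"], year)
        if expires < issued:              # issued in December, expires in January
            expires = expires.replace(year=year + 1)
        tickets.append((m["principal"], issued, expires))
    return tickets


def has_afs_tickets(tickets):
    """True if any ticket is for AFS; freshly obtained local tickets often hold only the TGT."""
    return any(principal.startswith("afs") for principal, _, _ in tickets)


def kauth_lifetime(tickets, now, job_minutes, margin_minutes=60):
    """Return 0 if every ticket outlives the job plus a safety margin.

    Otherwise return the lifetime in minutes to request with 'kauth -l',
    counted from 'now', or -1 when that exceeds the realm maximum.
    """
    if not tickets:
        raise ValueError("no tickets found: run kauth first")
    earliest = min(expires for _, _, expires in tickets)
    remaining = (earliest - now).total_seconds() // 60
    needed = job_minutes + margin_minutes
    if remaining >= needed:
        return 0
    return -1 if needed > MAX_LIFETIME_MINUTES else needed


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST, REFERENCE_YEAR)
    for principal, _, expires in tickets:
        print(f"{principal:40s} expires {expires:%b %d %H:%M:%S}")
    if not has_afs_tickets(tickets):
        print("no AFS tickets: re-run kauth with -h <host> before using AFS files")
    job = 600
    need = kauth_lifetime(tickets, REFERENCE_NOW, job)
    if need == 0:
        print(f"tickets outlive a {job}-minute job")
    else:
        print(f"re-run kauth with -l {need} before submitting the {job}-minute job")
```

The margin exists because the job must finish writing results before the tickets lapse, not merely start before then; with the sample tickets (expiring 20:21:46) and a reference time of 12:00, a 300-minute job fits, while a 600-minute job requires re-running kauth with -l 660 before submission.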

The rxtelnet command starts an xterm window with a kerberized telnet to the given host. From this window other X programs can be started securely. The following command opens a secure telnet connection to the Strindberg computer:

> rxtelnet -l your-username-at-pdc strindberg.pdc.kth.se

Observe that this is the proper way to start X applications remotely. You should NOT use the xhost command to enable running X applications on the computers at PDC, since this is a big security hole.

Kerberized ftp works like normal ftp, with the exception that you have to get AFS tickets to be able to access your files. This is accomplished by issuing the kauth command at the ftp prompt. You have to use a Kerberos-aware ftp program to do this. Example:

> ftp ftp.pdc.kth.se
Connected to anca.pdc.kth.se.
220 anca.pdc.kth.se FTP server (Version 6.00+krb4-0.9.7alpha) ready.
Trying KERBEROS_V4...
Kerberos authentication successful.

Name (ftp.pdc.kth.se:<user>): <user>
P:232-Digital UNIX V4.0B  (Rev. 564); Thu Oct 30 23:02:39 MET 1997 
P:232-
P:232 User <user> logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> klist
P:500 No ticket file (tf_util)
ftp> kauth
Password for <user>@NADA.KTH.SE:
P:200 Tickets will be destroyed on exit.
ftp> klist
P:200-Principal: <user>@NADA.KTH.SE
P:200-%-15s  %-15s    Issued
P:200-Mar  5 17:36:34  Mar  6 03:36:34  krbtgt.NADA.KTH.SE@NADA.KTH.SE (4)
P:200-Mar  5 17:36:36  Mar  6 03:36:36  afs.pdc.kth.se@NADA.KTH.SE (2)
P:200 
ftp>

If you are behind a firewall, it may help to switch to passive ftp mode.

When you log out it is good practice to destroy your tickets with the 'kdestroy' command.

More detailed information about Kerberos can be found here.
