KTH PDC [PDC - Center for Parallel Computers, KTH]
[Entrance to PDC]
[Information about PDC]
[News & Events]
[Computer resources]
*[User support]
[Training & Courses]
[Search the webmap]
[Links to far away]

Guided Tours: Kerberos5 (Heimdal)

What is Kerberos?

Kerberos is a protocol and a set of tools that provides rigorously safe user authentication and access control. In this respect it has several similarities to the wider spread SSH protocol and tools.

Differences between SSH and Kerberos are:

No local identity files
There are no local identity files needed in Kerberos authorization
Expiring tickets
Unlike the behaviour of SSH any authorization acquired using kerberos has a limited time associated with it. The risk of loss of authorization information to a third party is thus limited to that time span.
Authorization revocation
SSH has an authorization mode based on registering authorization keys at a host. A user who is able to match the registered public key with a private counterpart is granted access. If the private key is lost, all systems where the public key is registered as having access must be reached and that particular key disabled. Using kerberos the revocation only needs to be made to a kerberos server.

Differences between Kerberos4 and Kerberos

For users accustomed to Kerberos4 some important differences are listed here.
  • The command kinit is preferred over the previous kauth. For backwards compatibility a kauth command is included with similar behaviour as the Kerberos4 command.
  • The expiration time is by default in seconds in Kerberos5 while it is minutes in Kerberos4. Thus kauth/kinit -l 15 will get the user a ticket valid for 15 seconds and not 15 minutes.
  • You may use varying units when stating life-time of your ticket. Some valid examples are
    • kinit -l 10h
    • kinit -l 10d
    • kinit -l 1month
    • kinit -l 1y
  • The syntax of the principal is slightly different. In Kerberos5 there is a "/" between the service name and the service host, some services have had their names changed as well:
    • Kerberos5: 
    • Kerberos4: 
  • There are optional capabilities to an authentication ticket. They can be forwardable and renewable to mention two important properties.
  • The "remote" ticket acquisition of Kerberos4 kauth -h remotehost is not available in Kerberos5. An alternative, similar, effect can be accomplished using forwardable tickets and a Kerberos5 compatible telnet client.

Example Kerberos5 session

If you are using a Kerberos5 version of a travel kit. This could be an example of a session where you login to a PDC resource.

The following would get you a forwardable ticket valid for 8 hours allowing you to log in to the Strindberg computer at PDC :

> kinit -f -l 8h your-username-at-pdc@NADA.KTH.SE
You can see which tickets you currently have and when they will expire using the 'klist' command.
For instance :
> klist -f
Credentials cache: FILE:/tmp/krb5cc_22557
        Principal: smeds@NADA.KTH.SE

  Issued           Expires        Flags    Principal                   
Aug 15 11:55:28  Aug 15 19:55:28  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs/pdc.kth.se@NADA.KTH.SE    
Aug 15 11:55:28  Aug 15 19:55:28         afs@NADA.KTH.SE               

The first ticket is a 'ticket granting ticket' (krbtgt), ie a ticket used to get other tickets. Then comes two tickets allowing this user to access files in the AFS file system at PDC. When you first get kerberos tickets on your local computer klist will normally only show a ticket granting ticket. The flags I and F are short for initial (master) and forwardable (can be moved to another computer).

The rxtelnet command starts a xterm window with a kerberized telnet to the given host. From this window other X-programs can be started securely. The following command opens a secure telnet connection to the Strindberg computer :

> rxtelnet -l your-username-at-pdc -t -F loginnodename.pdc.kth.se
Observe that this is the proper way to start X-applications remotely. You should NOT use the xhost command to enable running X-applications on the computers at PDC since this is a big security hole.

The option -t passes its argument to the telnet command. Thus rxtelnet will invoke a telnet session with the option -F. This instructs the telnet client to forward any forwardable tickets to the remote host and make these tickets forwardable again.

When you log out it is good practice to destroy your tickets with the 'kdestroy' command.

Kerberos5 ftp

Kerberized ftp works as normal ftp with the exception that it forwards your AFS tickets to be able to access your files. You have to use a kerberos-aware ftp program to do this. If in doubt use ftp -help and if the output contains GSS-API it is modern enough.
Example :
> ftp ftp.pdc.kth.se
Connected to realname.pdc.kth.se.
220 realname.pdc.kth.se FTP server (Version 6.00+Heimdal 0.7.1) ready.
Trying GSSAPI...
Authenticated to 
Authentication successful.

Name (ftp.pdc.kth.se:default): your-username
S:232-Kickstart-installed Bambi RedHat Linux at PDC Thu Nov  3 14:02:33 CET 2005
S:232 User your-username logged in.
S:230 Password not necessary
Remote system type is UNIX.
Using binary mode to transfer files.
GSSAPI (see message above) should forward your kerberos tickets to the ftp machine in a way so that you can read your personal files without extra kinit. If you don't have read/write permissions from the ftp prompt, did your tickets really have the forwardable property? (you can check than with klist -f or klist -v)

More detailed information about Kerberos can be found at http://www.pdc.kth.se/heimdal/.

<-- back to guided tours