If you are an HPC user and need Kerberos support, call the service number for your home realm MSRC.
Our site runs MIT Kerberos V to support many services. To use the Kerberized versions of telnet, ftp, rlogin, and rsh, place /usr/krb5/bin in your PATH environment variable ahead of the directories that hold the system Berkeley "r" commands (/usr/ucb and /usr/bsd).
We require the use of Kerberos on all incoming connections.
Once you have been authenticated to the Kerberos server, you can automatically pass your Kerberos credentials to other hosts and services. You would then be able to log into other hosts in the cmf.nrl.navy.mil domain without supplying your password again. It is important to avoid sending a cleartext password across any network.
The command klist will list your Kerberos tickets. Each ticket has a default expiration time of 10 hours. For long-running jobs, see the discussion of renewable tickets below.
The command kinit will obtain a Kerberos ticket-granting ticket. The command aklog will use the ticket-granting ticket to obtain an AFS ticket and token.
Note: If possible, run kinit on your local machine to avoid sending your password in cleartext across the network. This is an important computer security measure for both you and our site.
As mentioned previously, Kerberos tickets expire after 10 hours. There are many cases where you may wish to run a program that will take longer than 10 hours but still needs credentials to write into AFS space. You can accomplish this by using the krenew program.
To use this program, first get a renewable ticket using the -r option to kinit. The -r option takes as its argument the maximum amount of time for which you wish to be able to renew the ticket.
You can check the maximum renewable time of your ticket using klist.
Once you have a renewable ticket, run your job using krenew. (Just run the command krenew with your job as the command-line argument.)
krenew will automatically renew your tokens at the appropriate times, making sure that you always have valid Kerberos and AFS credentials.
The maximum amount of time you may renew tickets is seven days. If you wish to run jobs that last longer than seven days, please send your request to the ccshelp@cmf.nrl.navy.mil mailing list.
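A pre-flight check for the renewable-ticket procedure above, as an added example that is not part of the original page or the site's own tooling: it confirms the ticket-granting ticket is renewable before handing the job to krenew. The function names, the sample klist output, the job name and the EXAMPLE.REALM realm are assumptions, as is the "renew until" line that MIT Kerberos klist prints under a renewable ticket.

```shell
#!/bin/sh
# Added example: pre-flight check before starting a long job under krenew.
# Assumption: klist prints a "renew until" line directly under a renewable
# ticket, as MIT Kerberos V klist does. Function names are hypothetical.
#
# Typical session:
#   kinit -r 7d                  # renewable ticket, seven-day site maximum
#   run_long_job ./my_job arg1   # my_job is a placeholder

# Read klist output on stdin; succeed only if the ticket-granting ticket
# (krbtgt/...) is immediately followed by a "renew until" line.
has_renewable_tgt() {
    awk '
        /krbtgt\//                   { tgt = 1; next }
        tgt && /^[ \t]*renew until / { ok = 1 }
                                     { tgt = 0 }
        END                          { exit !ok }
    '
}

# Refuse to start unless the current TGT is renewable, then pass the job
# to krenew as its command-line argument.
run_long_job() {
    if ! klist 2>/dev/null | has_renewable_tgt; then
        echo "No renewable TGT; run 'kinit -r 7d' first" >&2
        return 1
    fi
    krenew "$@"
}

# Constructed sample klist output (not captured from a real system):
# a 10-hour ticket that can be renewed for seven days.
sample_renewable() {
    printf '%s\n' \
        'Default principal: user@EXAMPLE.REALM' \
        'Valid starting     Expires            Service principal' \
        '01/06/25 08:00:00  01/06/25 18:00:00  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM' \
        '        renew until 01/13/25 08:00:00' \
        '01/06/25 08:00:05  01/06/25 18:00:00  afs@EXAMPLE.REALM'
}
# The same cache as it would look after a plain kinit without -r.
sample_plain() { sample_renewable | grep -v 'renew until'; }

if sample_renewable | has_renewable_tgt; then
    echo "sample TGT is renewable"
fi
```

Without this check, a job started on a non-renewable ticket runs normally until the 10-hour expiry and only then loses its ability to write into AFS space.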
It is possible to run authenticated cron and/or at jobs, but it requires the involvement of an administrator. Please contact the ccshelp@cmf.nrl.navy.mil mailing list if you wish to do this.
You can read the Kerberos User's Guide for more detailed information on how to use Kerberos.
Send comments or questions to ccshelp@cmf.nrl.navy.mil