Department of Mathematics

Using Kerberos

Gregory Harris, gharris@math.ku.edu
Justin L Graham, jgraham@math.ku.edu
December 2007

What is Kerberos?

Simply put, Kerberos is an advanced authentication method. Its general goals are to increase security and to minimize the number of times you have to enter your password in a given period of time. In the Mathematics Department, Kerberos replaced the aging NIS authentication system on July 1, 2004. Kerberos is not installed on any of the NetBSD machines in the department.

How does Kerberos work?

When you log into any machine in the department that is connected to the Kerberos network, you obtain what is called a Kerberos Ticket-Granting Ticket, or TGT. This ticket can then be used in place of entering your password for other services, such as accessing your mail or using ssh to connect to another computer on the Kerberos network.

Kerberos Commands

There are three basic Kerberos commands to remember. kinit will erase any tickets you currently have and obtain a new ticket-granting ticket (TGT). klist will list your Kerberos tickets, and kdestroy will erase any tickets you have. Because kinit already discards your old tickets, it is not necessary to type kdestroy in addition to kinit to obtain a new TGT.

Example

I am going to ssh into pascal for this demonstration. Once I have sshed into pascal.math.ku.edu, I type klist to see what tickets I have:

                           The University of Kansas
                            Mathematics Department
                           ------------------------
 
Welcome to pascal.math.ku.edu, running on a Dell PowerEdge 750 server.
 
All connections to this machine are logged.  Unauthorized use of this
system is punishable under Title 18 Code 1030.
 
Please report any problems with this machine to help@math.ku.edu.
 
This machine has replaced gandalf, which has been taken out of service.
 
-bash-2.05b$ klist
Ticket cache: FILE:/tmp/krb5cc_56246_gZDMBy
Default principal: gharris@MATH.KU.EDU
 
Valid starting     Expires            Service principal
01/21/05 09:06:43  01/22/05 09:06:43  krbtgt/MATH.KU.EDU@MATH.KU.EDU
        renew until 01/22/05 09:06:43
 
 
Kerberos 4 ticket cache: /tmp/tkt56246
klist: You have no tickets cached
-bash-2.05b$

You will see the time I obtained the TGT (denoted by krbtgt/MATH.KU.EDU@MATH.KU.EDU), in addition to its expiration time. You can ignore any messages about Kerberos 4 tickets.

Now, I'm going to type pine to access my mail. As long as the TGT has not expired, I will not be prompted for my password since pine will use the TGT in place of my password. Once I have exited, I'll type klist to see what tickets I have:

-bash-2.05b$ klist
Ticket cache: FILE:/tmp/krb5cc_56246_gZDMBy
Default principal: gharris@MATH.KU.EDU
 
Valid starting     Expires            Service principal
01/21/05 09:06:43  01/22/05 09:06:43  krbtgt/MATH.KU.EDU@MATH.KU.EDU
        renew until 01/22/05 09:06:43
01/21/05 09:09:52  01/22/05 09:06:43  imap/bayes.math.ku.edu@MATH.KU.EDU
        renew until 01/22/05 09:06:43
 
 
Kerberos 4 ticket cache: /tmp/tkt56246
klist: You have no tickets cached
-bash-2.05b$

You will see that I have obtained a service ticket granting access to the IMAP mail server (denoted by imap/bayes.math.ku.edu@MATH.KU.EDU). Now I am going to ssh to one of the lab machines, vis-a, and then exit back to pascal. As with pine, I will not be prompted for my password to access vis-a, since ssh knows to use the TGT instead.

-bash-2.05b$ klist
Ticket cache: FILE:/tmp/krb5cc_56246_gZDMBy
Default principal: gharris@MATH.KU.EDU
 
Valid starting     Expires            Service principal
01/21/05 09:06:43  01/22/05 09:06:43  krbtgt/MATH.KU.EDU@MATH.KU.EDU
        renew until 01/22/05 09:06:43
01/21/05 09:09:52  01/22/05 09:06:43  imap/bayes.math.ku.edu@MATH.KU.EDU
        renew until 01/22/05 09:06:43
01/21/05 09:12:37  01/22/05 09:06:43  host/vis-a.math.ku.edu@MATH.KU.EDU
        renew until 01/21/05 09:12:37
 
 
Kerberos 4 ticket cache: /tmp/tkt56246
klist: You have no tickets cached
-bash-2.05b$

Again, you will see that I have received a service ticket for host vis-a.math.ku.edu.

If I let my tickets expire, I will need to type kinit again in order to avoid being prompted for my password when I ssh to other machines.
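The klist transcripts above are the only way, from the command line, to tell whether the TGT is still usable or whether kinit is needed again. As an added example (it is not part of the original page and not code from the KU Mathematics Department), the following Python script parses that klist output format and decides, for a given time, whether a usable ticket-granting ticket exists. The sample text is the third transcript from the page reused as constructed input; the names Ticket, parse_klist and needs_kinit are my own, and the script assumes the MM/DD/YY HH:MM:SS date format shown on the page. It also shows the edge case visible in the host/vis-a ticket, whose "renew until" time equals its start time, so it cannot be renewed at all.

```python
"""Parse klist output and decide whether a fresh kinit is needed.

Added example, not from the original KU Mathematics page. It handles the
text format shown in the page's klist transcripts and checks whether the
ticket-granting ticket (krbtgt/...) is usable at a given time, which is the
check a login script would make before running kinit again.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the third klist transcript from the page.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_56246_gZDMBy
Default principal: gharris@MATH.KU.EDU

Valid starting     Expires            Service principal
01/21/05 09:06:43  01/22/05 09:06:43  krbtgt/MATH.KU.EDU@MATH.KU.EDU
        renew until 01/22/05 09:06:43
01/21/05 09:09:52  01/22/05 09:06:43  imap/bayes.math.ku.edu@MATH.KU.EDU
        renew until 01/22/05 09:06:43
01/21/05 09:12:37  01/22/05 09:06:43  host/vis-a.math.ku.edu@MATH.KU.EDU
        renew until 01/21/05 09:12:37


Kerberos 4 ticket cache: /tmp/tkt56246
klist: You have no tickets cached
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"  # MM/DD/YY HH:MM:SS, as printed by this klist (assumption)
_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
_TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
_RENEW_RE = re.compile(rf"^\s+renew until ({_STAMP})$")


@dataclass
class Ticket:
    principal: str  # service principal, e.g. krbtgt/MATH.KU.EDU@MATH.KU.EDU
    starts: datetime
    expires: datetime
    renew_until: datetime | None = None

    def is_tgt(self) -> bool:
        return self.principal.startswith("krbtgt/")

    def valid_at(self, when: datetime) -> bool:
        # Expiry is exclusive: at the exact "Expires" instant the ticket is gone.
        return self.starts <= when < self.expires

    def renewable_at(self, when: datetime) -> bool:
        # Renewal is only possible while the ticket is still valid and before
        # its "renew until" time; a renew-until equal to the start time means
        # the ticket was never renewable (the host/vis-a ticket above).
        return (self.renew_until is not None
                and self.valid_at(when)
                and when < self.renew_until)


def parse_klist(text: str) -> tuple[str | None, list[Ticket]]:
    """Return (default principal, tickets) from the Kerberos 5 part of klist output.

    Everything from the 'Kerberos 4 ticket cache' line onward is ignored,
    matching the page's advice to disregard Kerberos 4 messages.
    """
    principal = None
    tickets: list[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Kerberos 4 ticket cache"):
            break
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3),
                                  datetime.strptime(m.group(1), TIME_FMT),
                                  datetime.strptime(m.group(2), TIME_FMT)))
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:
            # A "renew until" line always belongs to the ticket just above it.
            tickets[-1].renew_until = datetime.strptime(m.group(1), TIME_FMT)
    return principal, tickets


def needs_kinit(text: str, now: datetime) -> bool:
    """True when no usable TGT exists at `now`, i.e. the user must run kinit again."""
    _, tickets = parse_klist(text)
    return not any(t.is_tgt() and t.valid_at(now) for t in tickets)


if __name__ == "__main__":
    principal, tickets = parse_klist(SAMPLE_KLIST)
    print(f"principal: {principal}")
    for t in tickets:
        print(f"{t.principal:40} expires {t.expires:%Y-%m-%d %H:%M}"
              f"  renewable at start: {t.renewable_at(t.starts)}")
    for when in (datetime(2005, 1, 21, 12, 0, 0), datetime(2005, 1, 23, 0, 0, 0)):
        print(f"at {when:%Y-%m-%d %H:%M}: kinit needed = {needs_kinit(SAMPLE_KLIST, when)}")
```

In practice you would feed the script the live output of klist (for example by piping it in) rather than the embedded sample. Note that the first line of the output names the credential cache file under /tmp; that file is what kdestroy removes, so running kdestroy before leaving a shared machine is the command-line equivalent of logging out of your tickets.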

Using Kerberos on Mac OS X

[Kerberos application icon]

In addition to the command-line functionality described above, Mac OS X supplies a convenient graphical utility to manage your Kerberos credentials. On Mathematics Department systems this utility can be found in Applications -> Utilities -> Kerberos (and has the icon displayed to the left of this text). On stock Mac OS X installations the utility can be found in System -> Library -> CoreServices -> Kerberos.

Once it has launched, click the New button at the top and enter your Math username and password to obtain a new Kerberos ticket.

[Screenshot: New Ticket]

Your ticket will be valid for some predetermined interval of time. The Kerberos application will show you the remaining time on your tickets. (The number of tickets listed in the lower pane will vary depending on how many Kerberized services you use.)

[Screenshot: Tickets]

In addition to managing your Kerberos credentials, you can change your Mathematics Department password using this utility. To do so, obtain your credentials and then click the Password button at the top of the window. Enter your current password and your new password, then click OK.

[Screenshot: Password Change]

Kerberos password policies are enforced, and the utility will tell you if you must choose a stronger or different password.