Strong Authentication at Fermilab

5.0 - Updated on 2022-01-04 by Fang Wang

4.0 - Updated on 2021-02-18 by Carlos Salazar (Inactive)

3.0 - Updated on 2020-11-20 by Fang Wang

2.0 - Updated on 2020-06-02 by Fang Wang

1.0 - Authored on 2014-05-08 by Fang Wang


Intended for:

Kerberos users and system administrators.



Scenario/Use case:

This article is the table of contents page of the "Strong Authentication at Fermilab" user manual.



Instructions:

Introduction to Strong Authentication at Fermilab

Many of you are aware that Fermilab has implemented secure methods for users to access the computers at the FNAL site. The purpose of this introduction is to summarize the Strong Authentication plan and explain what it means for you as Fermilab computer users, system administrators, and software developers, and what you will need to do to conform to this policy.


Strong Authentication and Fermilab Computing Policy Issues

The full text of the Fermilab Policy on Computing is maintained in this document. In this note we summarize the important points with respect to Strong Authentication.


Kerberos Principals and Passwords

In this note, we discuss choosing and obtaining a strengthened realm userid (called a Kerberos principal) and a Kerberos password.


Accessing Kerberized Machines (Fermilab-Supported Methods)

In this note, we discuss accessing systems in the FNAL.GOV realm from UNIX, Windows and Macintosh machines using the methods recommended and supported by the Fermilab Computing Sector. We cover logging in at the console, connecting over the network, and using portal mode.


Logging In from Off-Site

In this note, we discuss what off-site users are required to do in order to access Fermilab's strengthened realm, and some of the issues they may encounter.


Accessing Kerberized Machines (Community-Supported Methods)

In this note, we discuss accessing systems in the FNAL.GOV realm from UNIX, Windows and Macintosh machines using programs or operating systems not supported at Fermilab.


Troubleshooting your Kerberos Authentication Problems

This note is intended to help users who are having trouble authenticating to Kerberos and logging in to Kerberized machines. We include information that should help you figure out what's causing your problem and fix it.


Using Kerberos

This note provides the basic information you need in order to manage your Kerberos tickets and work in a Kerberized environment. In particular, we cover ticket options and management, and account access files. The Kerberos commands and features of Kerberized network programs are documented in Kerberos Command Descriptions and Network Programs Available on Kerberized Machines, respectively.


Miscellaneous Topics for the User

In this note, we document a variety of common operations that work differently in the Fermilab Kerberized environment.


Encrypted vs. Unencrypted Connections

In this note, we provide guidance on determining whether your connection is encrypted, and ensuring that you open an encrypted connection.


Kerberos Command Descriptions

In this note, we list the native Kerberos commands, and provide a brief description and option list with descriptions adapted from the man pages. Programs that Kerberos provides for ticket and password management include kinit, klist, kpasswd and kdestroy among others.


Network Programs Available on Kerberized Machines

In this note, we document the Kerberized features of several network programs.


Installing Fermi Kerberos on a UNIX (non-Linux) System

In this note, we provide instructions for installing Fermilab Kerberos on a UNIX machine (Linux is treated separately in Installing Fermi Kerberos on a Linux System) and for installing Kerberized ssh, as the combination works very well. These products are available from fnkits.fnal.gov. We describe how to install them using UPS/UPD. The information is valid for all supported flavors of UNIX, namely: SunOS, IRIX and OSF1.


Installing Fermi Kerberos on a Fermilab Linux System

In this note, we provide instructions for installing the Fermilab Kerberos product and Kerberized ssh on a RedHat Linux machine. These products are available as UPS products from fnkits.fnal.gov, and in RPM format.


The Kerberos Configuration File: krb5.conf

In this note, we describe the Kerberos configuration file krb5.conf.


Kerberized UNIX System Administration Issues

In this note, we discuss some UNIX system administration issues related to the installation of Kerberos software.


Additional UNIX Sysadmin Information for Off-Site Installations

In this note, we discuss some miscellaneous issues that sysadmins of off-site Kerberos installations should be aware of. Also see Logging In from Off-Site.


Installing and Configuring Putty on a Windows System

In this note, we describe how to install and configure the PuTTY software on your Windows system in order to access Kerberized machines and optionally encrypt your data transmissions.


Installing Kerberos on a non-Fermi-Supported Linux System

In this note, we discuss Kerberizing a machine running a Linux OS other than SLF.


Installing MIT Kerberos on Windows, for use with PuTTY and WinSCP

In this note, we describe how to install and configure the MIT Kerberos software to Kerberize your Windows system. Installation of the Kerberos software will allow you to connect to Kerberized machines and encrypt your data transmission using PuTTY (telnet and ssh client) and WinSCP (file transfers).


Installing and Configuring MIT Kerberos on a Macintosh System

In this note, we describe how to install and configure Kerberos on your Macintosh system in order to access Kerberized machines and encrypt your data transmissions.

Implementation Details of Strong Authentication at Fermilab

In this note, we discuss the concept of strong authentication and the features and environment as implemented at Fermilab.


About the Kerberos V5 Network Authentication Service

In this note, we provide an introduction to the Kerberos Network Authentication Service V5, discuss the important terms and components, and describe the authentication process.


More about Choosing a Principal Name

In this note, we present information for users who have pre-existing account names and/or an email address at Fermilab, and for whom the guidelines in Kerberos Principals and Passwords are not straightforward to follow.


Strong Authentication Glossary