Strong Authentication at Fermilab
Kerberos users and system administrators.
This article is the table of contents page of the "Strong Authentication at Fermilab" user manual.
Many of you are aware that Fermilab has implemented secure methods for users to access the computers at the FNAL site. The purpose of this introduction is to summarize the Strong Authentication plan and explain what it means for you as Fermilab computer users, system administrators, and software developers, and what you will need to do to conform to this policy.
The full text of the Fermilab Policy on Computing is maintained in this document. In this note we summarize the important points with respect to Strong Authentication.
In this note, we discuss choosing and obtaining a strengthened realm userid (called a Kerberos principal) and a Kerberos password.
In this note, we discuss accessing systems in the FNAL.GOV realm from UNIX, Windows and Macintosh machines using the methods recommended and supported by the Fermilab Computing Sector. We cover logging in at the console, connecting over the network, and using portal mode.
In this note, we discuss what off-site users are required to do in order to access Fermilab's strengthened realm, and some of the issues they may encounter.
In this note, we discuss accessing systems in the FNAL.GOV realm from UNIX, Windows and Macintosh machines using programs or operating systems not supported at Fermilab.
This note is intended to help users who are having trouble authenticating to Kerberos and logging in to Kerberized machines. We include information that should help you figure out what's causing your problem and fix it.
This note provides the basic information you need in order to manage your Kerberos tickets and work in a Kerberized environment. In particular, we cover ticket options and management, and account access files. The Kerberos commands and features of Kerberized network programs are documented in Kerberos Command Descriptions and Network Programs Available on Kerberized Machines, respectively.
In this note, we document a variety of common operations that work differently in the Fermilab Kerberized environment.
In this note, we provide guidance on determining whether your connection is encrypted, and ensuring that you open an encrypted connection.
In this note, we list the native Kerberos commands, and provide a brief description and option list with descriptions adapted from the man pages. Programs that Kerberos provides for ticket and password management include kinit, klist, kpasswd and kdestroy among others.
In this note, we document the Kerberized features of several network programs.
In this note, we provide instructions for installing Fermilab Kerberos on a UNIX machine (Linux is treated separately in Installing Fermi Kerberos on a Linux System) and for installing Kerberized ssh, as the combination works very well. These products are available from fnkits.fnal.gov. We describe how to install them using UPS/UPD. The information is valid for all supported flavors of UNIX, namely: SunOS, IRIX and OSF1.
In this note, we provide instructions for installing the Fermilab kerberos product and Kerberized ssh on a RedHat Linux machine. These products are available as UPS products from fnkits.fnal.gov, and in RPM format.
In this note, we describe the Kerberos configuration file krb5.conf.
In this note, we discuss some UNIX system administration issues related to the installation of Kerberos software.
In this note, we discuss some miscellaneous issues that sysadmins of off-site Kerberos installations should be aware of. Also see Logging In from Off-Site.
In this note, we describe how to install and configure the PuTTY software on your Windows system in order to access Kerberized machines and optionally encrypt your data transmissions.
In this note, we discuss Kerberizing a machine running a Linux OS other than SLF.
In this note, we describe how to install and configure the MIT Kerberos software to Kerberize your Windows system. Installation of the Kerberos software will allow you to connect to Kerberized machines and encrypt your data transmission using PuTTY (telnet and ssh client) and WinSCP (file transfers).
In this note, we describe how to install and configure Kerberos on your Macintosh system in order to access Kerberized machines and encrypt your data transmissions.
In this note, we discuss the concept of strong authentication and the features and environment as implemented at Fermilab.
In this note, we provide an introduction to the Kerberos Network Authentication Service V5, discuss the important terms and components, and describe the authentication process.
In this note, we present information for users who have pre-existing account names and/or an email address at Fermilab, and for whom the guidelines in Kerberos Principals and Passwords are not straightforward to follow.