
Authenticating with Kerberos

Kerberos is a network authentication protocol supported by a number of IGWN Computing services. Users can generate a ticket-granting ticket tied to their identity that can be used to authenticate against services.

Only LIGO.ORG accounts are configured for use with Kerberos

At this time, only LIGO.ORG accounts can be used with Kerberos; KAGRA and Virgo identities are not supported.

Installing the Kerberos tools

The Kerberos command-line tools can be installed using your preferred package manager:

choco install mitkerberos
conda install --channel conda-forge krb5
apt-get install krb5-user
yum install krb5-workstation

How to generate a credential

Kerberos for LIGO.ORG

LIGO.ORG identity holders can generate Kerberos credentials using the kinit command-line tool from the MIT Kerberos (krb5) distribution:

kinit albert.einstein@LIGO.ORG

Password-less authentication using a Kerberos keytab

Credentials can be stored in a keytab file to enable (re-)generation of Kerberos tickets without having to re-enter a password each time.

To generate a keytab file:

$ ktutil
ktutil:  addent -password -p albert.einstein@LIGO.ORG -k 1 -e aes256-cts-hmac-sha1-96
Password for albert.einstein@LIGO.ORG:
ktutil:  wkt ligo.org.keytab
ktutil:  quit

This writes the ligo.org.keytab file to the current directory; you can then move it wherever you want.

It is then common to store the path to that file in the KRB5_KTNAME environment variable, e.g.:

export KRB5_KTNAME=${HOME}/.kerberos/ligo.org.keytab

Check permissions on Kerberos keytab

A Kerberos keytab can be used by anybody to impersonate the user who created it. It is extremely important that you verify that the permissions on your keytab file (ligo.org.keytab in the above example) are restricted to only allow read/write for you, the user:

chmod 600 ligo.org.keytab
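As an added example (not part of the IGWN documentation), the following POSIX shell helpers refuse to use a keytab unless it is owned by the caller and has no group/other permission bits, and only then request a ticket with kinit -k -t. The default keytab path under ~/.kerberos and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the IGWN documentation: guard password-less kinit
# behind a permission check on the keytab. Assumes stat(1) from GNU coreutils
# or BSD/macOS.

# keytab_mode FILE: print the octal permission bits of FILE (e.g. 600).
keytab_mode() {
    # Try GNU stat first, fall back to the BSD/macOS flag.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keytab FILE: return 0 only if FILE is a regular file owned by the
# caller with mode 600 or 400; otherwise explain on stderr and return 1.
check_keytab() {
    keytab="$1"
    [ -f "$keytab" ] || { echo "keytab not found: $keytab" >&2; return 1; }
    [ -O "$keytab" ] || { echo "keytab not owned by you: $keytab" >&2; return 1; }
    mode=$(keytab_mode "$keytab") || return 1
    case "$mode" in
        600|400) return 0 ;;
        # Any other mode means another account may be able to read the key.
        *) echo "keytab $keytab has mode $mode; run: chmod 600 $keytab" >&2
           return 1 ;;
    esac
}

# renew_ticket PRINCIPAL [KEYTAB]: obtain a TGT from the keytab, no password.
# The keytab defaults to KRB5_KTNAME, then to an assumed path under ~/.kerberos.
renew_ticket() {
    principal="$1"
    keytab="${2:-${KRB5_KTNAME:-$HOME/.kerberos/ligo.org.keytab}}"
    check_keytab "$keytab" || return 1
    kinit -k -t "$keytab" "$principal"
}
```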

ktutil not available on Windows

The ktutil utility required to generate keytabs is not available from MIT Kerberos on Windows.