Authenticating with Kerberos
Kerberos is a network authentication protocol supported by a number of IGWN Computing services. Users can generate a ticket-granting ticket tied to their identity that can be used to authenticate against services.
Only LIGO.ORG accounts are configured for use with Kerberos
At this time, only LIGO.ORG accounts can be used with Kerberos; KAGRA and Virgo identities are not supported.
Installing the Kerberos tools
The Kerberos command-line tools can be installed using your preferred package manager:
Windows (Chocolatey): choco install mitkerberos
Conda: conda install --channel conda-forge krb5
Debian/Ubuntu (apt): apt-get install krb5-user
RHEL/CentOS (yum): yum install krb5-workstation
How to generate a credential
Kerberos for LIGO.ORG
LIGO.ORG identity holders can generate Kerberos credentials using the kinit command-line tool from the MIT Kerberos (krb5) distribution:
kinit albert.einstein@LIGO.ORG
Password-less authentication using a Kerberos keytab
The long-term key derived from your password can be stored in a keytab file, so that Kerberos tickets can be (re-)generated without entering the password each time.
To generate a keytab file (ktutil derives the key from your password locally; -k gives the key version number and -e the encryption type):
$ ktutil
ktutil: addent -password -p albert.einstein@LIGO.ORG -k 1 -e aes256-cts-hmac-sha1-96
Password for albert.einstein@LIGO.ORG:
ktutil: wkt ligo.org.keytab
ktutil: quit
This writes the file ligo.org.keytab to the current directory; you can then move it wherever you like.
It is common to store the path to that file in the KRB5_KTNAME environment variable, which is the default keytab read by tools such as kinit -k when no -t option is given, e.g.:
export KRB5_KTNAME=${HOME}/.kerberos/ligo.org.keytab
Check permissions on Kerberos keytab
Anyone who can read a Kerberos keytab can impersonate the principal whose key it contains. It is extremely important that you verify that the permissions on your keytab file (ligo.org.keytab in the example above) allow read/write access only for you, the owner:
chmod 600 ligo.org.keytab
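The following shell functions are an added example, not part of the IGWN documentation: they check that a keytab is owned by the invoking user and readable by nobody else, fix the mode if needed, and only then obtain a ticket from it with kinit -k -t and show the result with klist. The keytab path and principal in the trailing usage lines are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not IGWN code): verify keytab permissions before using it.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
keytab_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the user name that owns a file.
keytab_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Return 0 if the keytab exists, is owned by the current user and has mode
# 600 or 400 (no group/other access); otherwise explain why and return 1.
check_keytab() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "check_keytab: $kt: no such file" >&2
        return 1
    fi
    mode=$(keytab_mode "$kt")
    owner=$(keytab_owner "$kt")
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "check_keytab: $kt is owned by $owner, not $me" >&2
        return 1
    fi
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "check_keytab: $kt has mode $mode; run: chmod 600 $kt" >&2
            return 1 ;;
    esac
}

# Restrict the keytab to its owner and re-run the check.
lock_down_keytab() {
    chmod 600 "$1" && check_keytab "$1"
}

# Obtain a TGT from the keytab and list it. Refuses to proceed if the
# keytab is readable by others. Needs a reachable KDC for the realm, so
# this function is not exercised offline.
kinit_with_keytab() {
    kt=$1
    princ=$2
    check_keytab "$kt" || return 1
    kinit -k -t "$kt" "$princ" && klist
}

# Example invocation (placeholder path and principal):
# lock_down_keytab "${HOME}/.kerberos/ligo.org.keytab"
# kinit_with_keytab "${HOME}/.kerberos/ligo.org.keytab" albert.einstein@LIGO.ORG
```

Because the check runs before kinit, a keytab that was accidentally left group- or world-readable (for example after copying it to a shared filesystem) is reported rather than silently used; if you keep the keytab under a directory such as ${HOME}/.kerberos, give that directory mode 700 as well.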
ktutil not available on Windows
The ktutil utility required to generate keytabs is not available from MIT Kerberos on Windows.