Single sign-on Linux authentication

Department's Linux hosts are now using kerberos single sign on authentication. This means that when you login to a Linux classroom or office workstation hosts with your CS department's master password, you get a kerberos ticket, which can be used to automatically authenticate against other department's network services. Currently kerberos tickets are used to authenticate remote ssh logins and Samba and NFS file shares. Department's Linux ssh clients and ssh servers have been configured to use, accept and forward these tickets, so now you can ssh from one linux hosts to another without typing your password again (and without a ssh secret key).

Using kerberos tickets

Kerberos tickets are created automatically by the Cubbli Linux system when you login with your department's master password, so on most situations you don't need to worry about them or even know that they exist. However kerberos tickets have a limited lifetime and they are not created when you login to a system with ssh secret key or when your office workstation password is different from your department master password. Also, kerberos tickets are stored on files and can be stolen (perhaps from a session mistakenly left open in a public classroom), so destroying unneeded tickets is a good practise.

Ticket cache

Kerberos tickets are stored in a local file called a ticket cache. The location of the ticket cache is selected with the environment variable KRB5CCNAME. This file should never be on a network share, since you need the tickets to actually access network shares.  The ticket cache must be accessible only to you. The ticket cache is saved by default to /tmp directory, which also makes sure that all tickets are destroyed at system restarts. 

Using the ticket cache

The most common command line commands for manipulating ticket caches are:

  • kinit - obtain or renew a kerberos ticket and store it in a ticket cache
  • klist - list all tickets in the cache and their lifetimes
  • kdestroy - delete all tickets in a cache
  • krenew - automatically renew tickets

Renewing tickets

The default kerberos ticket lifetime in department's kerberos domain is 24 hours and they can be renewed for 7 days. Currently tickets are automatically recreated when a screensaver is unlocked, which should keep the tickets available in most common GUI usage scenarios.  When this is not enough there are workarounds;

  • Consider using those department's Linux hosts, which do not need kerberos tickets for accessing file shares: melkki, melkinpaasi, users, staff and Ukko cluster.
  • You can use command kinit -R to renew a ticket which is still valid (no password is needed for renewal), Tickets can be renewed for 7 days. 
  • For long running batch jobs or daemon processes use krenew /your/own/command to start a process and to automatically renew kerberos tickets while the process is running.
  • You can also use the command krenew -b -K 60 to automatically renew your kerberos ticket until the ticket's renewable lifetime has expired (or until the krenew process is killed). Please be careful with this command, since it will keep renewing your tickets even after you have logged out (remember, tickets can be stolen)

 

Example 

Kerberos autenticated login to melkki fails when there is no ticket cache:

jjaakkol@wel-14:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_4392_KeWDc27763)
jjaakkol@wel-14:~$ ssh -o "PasswordAuthentication no" -o "PubKeyAuthentication no" melkki echo Hello
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Get a kerberos ticket and use it:

jjaakkol@wel-14:~$ kinit
Password for jjaakkol@CSWIN.CS.HELSINKI.FI: 
jjaakkol@wel-14:~$ klist
Ticket cache: FILE:/tmp/krb5cc_4392_KeWDc27763
Default principal: jjaakkol@CSWIN.CS.HELSINKI.FI

Valid starting     Expires            Service principal
11/08/11 21:45:04  11/09/11 07:45:08  krbtgt/CSWIN.CS.HELSINKI.FI@CSWIN.CS.HELSINKI.FI
        renew until 11/09/11 07:45:04
jjaakkol@wel-14:~$ ssh -o "PasswordAuthentication no" -o "PubKeyAuthentication no" melkki echo Hello
Hello

Destroy the tickets in cache. Authentication will fail again:

jjaakkol@wel-14:~$ kdestroy
jjaakkol@wel-14:~$ ssh -o "PasswordAuthentication no" -o "PubKeyAuthentication no" melkki echo Hello
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
23.11.2011 - 16:09 Jani Jaakkola
08.11.2011 - 16:30 Jani Jaakkola