What is Kerberos?

Kerberos is a network authentication protocol. It provides strong authentication for client/server applications so that a client can prove its identity to a server (and vice versa) across an insecure network connection. When you log in, your client contacts the Kerberos server and uses your password to prove your identity. In return it receives a ticket which is valid for a fixed period of time (at our site, 18 hours). Kerberos is about using tickets instead of passwords to get access to services running on servers.

Refer to the Wikipedia entry on Kerberos for more general information, and for further links.

Why do we need Kerberos?

Authentication is the process of identifying yourself to the network and is fundamental to the security of computer systems. Kerberos provides secure authentication for clients and services. A more detailed rationale of our decision to use Kerberos was written when we designed the DICE infrastructure.

What does "ticket expired" or "no credentials cache found" mean?

It means that your Kerberos ticket has run out. Your Kerberos ticket is what gives you permission to use a range of network services; it proves to them that you are who you say you are. You're automatically given a ticket when you log in. A ticket is valid for a few hours and then it expires.

How can I get a new Kerberos ticket?

You get a ticket when you log in. You can get a new one at any time by typing renc in a terminal window on a DICE machine.

You can also get a new ticket by locking your screen with the xscreensaver program and then unlocking it again. This is the default screensaver for both Gnome and KDE under DICE. It may be possible to configure this for other window managers as well; contact support if you're interested in this.

How long will my Kerberos ticket last?

A ticket lasts for eighteen hours before it expires. You can find out when your ticket will expire, or if it has already expired, by typing klist in a terminal window.

Can I obtain a Kerberos ticket which lasts longer?

The short answer is yes, but you may not need one. See the documentation on long-running jobs for details on using krenew to renew your ticket for up to 28 days. If unattended, authenticated access is required for longer than that period, we can create an additional identity, to be used with a keytab (a file on local disk which holds key material). Contact support if you require this.
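The expiry and "renew until" times that klist reports can also be checked by a script, for example before starting a long job. The following is an added example, not part of the original page or of DICE's tooling: it assumes the MIT klist layout with MM/DD/YY (or MM/DD/YYYY) timestamps, and the sample output, realm EXAMPLE.ORG, user name and the function name tgt_status are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `klist` output (MIT layout assumed; realm and user are made up).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/14/16 09:00:00  12/15/16 03:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 12/21/16 09:00:00
12/14/16 09:05:12  12/15/16 03:00:00  afs/example.org@EXAMPLE.ORG
"""

STAMP = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {STAMP}\s*$")

def _parse(stamp):
    # Accept both two-digit and four-digit years, as klist versions differ.
    long_year = len(stamp.split()[0]) == 10
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S" if long_year else "%m/%d/%y %H:%M:%S")

def tgt_status(klist_text, now, warn=timedelta(hours=1)):
    """Return (state, time_left, renew_until) for the ticket-granting ticket."""
    expires = renew_until = None
    in_tgt = False
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:
            # Only the krbtgt/ entry decides whether new service tickets can be obtained.
            in_tgt = m.group(3).startswith("krbtgt/")
            if in_tgt:
                expires = _parse(m.group(2))
            continue
        m = RENEW.match(line)
        if m and in_tgt:
            renew_until = _parse(m.group(1))
    if expires is None:
        return ("no-ticket", None, None)  # e.g. "No credentials cache found"
    left = expires - now
    if left <= timedelta(0):
        return ("expired", left, renew_until)
    return ("expiring-soon" if left <= warn else "valid", left, renew_until)

if __name__ == "__main__":
    print(tgt_status(SAMPLE, datetime.now()))
```

A state of "expired" or "no-ticket" corresponds to the error messages described above and means a new ticket is needed; the renew_until value is the latest time to which the existing ticket can be extended without re-entering a password.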

Can I use Kerberos from a self-managed machine or from home?

Yes, instructions on setting up Kerberos (and AFS, for file system access) can be found in the Remote Working page.

How do I use Kerberos with SSH?

It is possible to use Kerberos with ssh to connect to DICE machines without entering a password. Full instructions are given in the Remote Working page.

Last reviewed: 14/12/2016
