How to use kerberos on cdf, or, get rid of those Cryptocards!

Kerberos is now installed by default on all the cdf machines here at Chicago; you don't need to do much to use it.  The Kerberos executables (these replace the old-style rsh, ftp, telnet, etc.) are in /usr/kerberos/bin, so the first thing you probably want to do is make sure you use these programs instead of the old-style ones.  Check whether this is already set up for you by typing:

tcsh> echo $PATH

If the first directory you see listed is NOT /usr/kerberos/bin, you need to put it first. You do this by typing the line for your shell:

tcsh> setenv PATH /usr/kerberos/bin:$PATH
bash$ export PATH=/usr/kerberos/bin:$PATH

If you find that you need to do the above, I would also suggest adding this to your .cshrc or .bash_profile (depending on which shell you're using, of course).

Now you want to acquire what's called a "kerberos ticket" so you can log into the machines at FNAL or various places at Chicago that require kerberos.  You do this by typing:

tcsh> kinit

This will ask you for a password. This is NOT your standard login password for the machine you're trying to access or the one you're on; it is your Kerberos password for the domain you're accessing (e.g. FNAL.GOV).  If you do not know what your password is, call Yolanda Valadez at x8118 (Fermilab extension).  She will set it up for you; you then need to change it.

Now you can use your friends, rsh, rlogin, ftp, etc.  NONE OF THESE SHOULD ASK FOR A PASSWORD.  If they do, something is wrong, and you should kill the connection without putting in a password.  Either you've tried to run the wrong program, or someone has broken in and done something bad to the programs.
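The PATH check and the "should never ask for a password" rule above can be checked before you type anything. The sh script below is an added example, not part of the original page; the --check argument is hypothetical, and the ticket test assumes MIT Kerberos klist, whose -s flag prints nothing and only sets the exit status.

```shell
#!/bin/sh
# Added example: confirm that rsh, rlogin, ftp and telnet will run from the
# Kerberized directory named on this page, and that a valid ticket exists.
KRB_BIN="${KRB_BIN:-/usr/kerberos/bin}"
KRB_TOOLS="${KRB_TOOLS:-rsh rlogin ftp telnet}"

# first_in_path CMD PATHSTRING
# Print the first executable CMD found while walking PATHSTRING left to right,
# the same order the shell uses. The body runs in a subshell so that the
# IFS and globbing changes do not leak into the caller.
first_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.                    # empty entry means current dir
        case $dir in ?*/) dir=${dir%/} ;; esac    # ignore a trailing slash
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# check_kerberized PATHSTRING
# Warn about every tool that would NOT run from KRB_BIN.
# Returns 0 only if all of them resolve to the Kerberized copy.
check_kerberized() {
    bad=0
    for tool in $KRB_TOOLS; do
        found=$(first_in_path "$tool" "$1") || found="(not found)"
        if [ "$found" != "$KRB_BIN/$tool" ]; then
            echo "WARNING: $tool resolves to $found, not $KRB_BIN/$tool" >&2
            bad=1
        fi
    done
    return $bad
}

# have_ticket: true if the credential cache holds an unexpired ticket.
have_ticket() {
    klist -s 2>/dev/null
}

if [ "${1:-}" = "--check" ]; then
    check_kerberized "$PATH" || echo "Put $KRB_BIN first in PATH; type no passwords." >&2
    have_ticket || echo "No valid ticket: run kinit." >&2
fi
```

Run it with sh (it works from a tcsh login too); a warning for any tool means that a password prompt from it should not be answered.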

NOTE ON PASSWORDS:  Your password expires after a year (as I learned the hard way).  If you let it expire by accident without changing it, you won't be able to run kinit; you'll get an odd error message telling you it can't connect.  YOU DON'T NEED TO CALL ANYONE.  All you need to do is type in:

tcsh> kpasswd case

(substitute your own username for case)
It will then ask for your old password and let you change it.  There is no need to run kinit first; after you've done this, you can run kinit, and it should work.

NOTE ON TRAVEL: You should be able to access fcdfsgi2 through your desktop machine if you are wandering about the world and need to get into fcdfsgi2.  Just log into your desktop machine using ssh (this is all that will work due to Marty's new security measures) and then run kinit on your desktop.  Now you should be able to rsh to fcdfsgi from your login to the desktop box.

Last updated 2/21/2002 by SCC