Kerberos Authentication

What is Kerberos?

Kerberos is an authentication method that will give you access to groups of resources based on tickets that you generate. And yes, Kerberos is also a three headed dog from Greek Mythology.

When would I use Kerberos Authentication?

You will use this method via the tools kinit when you need to log into a kerberos realm. For example, the cluster at Stanford University use Kerberos.

How does Kerberos Work?

The general authentication flow looks like this:

[1. client] --> [2. key distribution center] --> [3. credential] --> [4. login]

Briefly, you will use kinit from your computer to identify yourself with your email and request a ticket from the key distribution center. The ticket will have a life and expiration, and be used to authenticate you to different realm resources. This is a way oversimplification, and we point the interested reader to learn more about this workflow by reading this nice post.

Important Terms

  • a realm some set of machines and an associated access policy. The components include a key distribution center, and a set of clients.
  • a key distribution center is part of a realm that has an Authentication Server and a Ticket Granting Server
  • a set of clients are computers (including yours!) that can be authenticated from.

Quick Start

If you are on Windows or Mac, you can first download a client called Kerberos Commander. If you are on Linux, then you can follow the general instructions provided for the Sherlock cluster. We will review these steps here!

1. Install system dependencies

We first install system dependencies, which include the local client and openssh:

$ sudo apt-get install krb5-user openssh-client

2. Get the configuration file

The configuration for the realm can be obtained by using wget. If you aren’t using a Stanford realm, there might be a different configuration file for you to download, and you would equally want to get the *.conf file that describes the realm and output it to /etc/krb5.conf

sudo curl -o /etc/krb5.conf https://web.stanford.edu/dept/its/support/kerberos/dist/krb5.conf

Take a look at this file, it’s kind of neat! You can see many different realms defined and various configuration variables.

cat /etc/krb5.conf

3. Test your setup.

Remember the step to get your ticket? You will do that by typing kinit email@stanford.edu. Then you will see the credential with klist.

$ kinit yourSUnet@stanford.edu
# See your kerberos ticket:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yourSUnet@stanford.edu

Valid starting       Expires              Service principal
05/08/2018 07:31:27  05/09/2018 07:31:23  krbtgt/stanford.edu@stanford.edu

4. Save the setup

We would want to configure ssh (a secure shell) to access resources of interest, for example, the Sherlock cluster at Stanford! Your computer has a file at ~/.ssh/config where we can add variables that will be used for this workflow. Here is how to edit that file so that you can log in to Sherlock:

echo "Host *
  GSSAPIDelegateCredentials yes
  GSSAPIAuthentication yes" >> ~/.ssh/config

Once that is done, you should be able to login to Sherlock via Kerberos like this:

$ ssh yourSUnet@login.sherlock.stanford.edu

Have a question, need a clarification, or anything else? Ask away!