Stanford Linear Accelerator Center

Getting SLAC AFS tokens at a Remote Site

UNIX at SLAC
Security
Updated: 2 May 2008

Contents

Why is klog being turned off?
Using kinit and aklog from remote sites
Installing kinit and aklog
Problems and work-arounds
Reference

Why is klog being turned off?

For years SLAC has used the kerberos 4 based native AFS protocol to obtain an AFS token. Unfortunately, this protocol uses a weak form of encryption, and uses it in such a way that off-line dictionary attacks are possible. It is just a matter of time before the security of this protocol is completely compromised by modern hardware. See RFC 4772 for more detailed information.

SLAC is moving to the more secure kerberos 5 protocol and a separate program to obtain AFS tokens. At SLAC these are combined in one program, since we use the heimdal version of kinit. Remote sites can still get AFS tokens, but if they use the default RHEL3 based rpms they will need to install and configure two separate programs, kinit and aklog.

Using kinit and aklog from remote sites

On RHEL3 based systems, kinit is installed in /usr/kerberos/bin/kinit. If aklog is not in your default path, try using the locate command to find it.

Kerberos 5 uses two different means to locate the authentication servers; the first is DNS SRV records. If this is enabled at your site, you should be able to use these commands:

	kinit userid@SLAC.STANFORD.EDU
	aklog -c SLAC.STANFORD.EDU

Note: upper case is required. Realm names are case sensitive, but in general are all upper case for historical reasons. If you are already using kerberos 5 at your site, you will probably want to put the SLAC credentials into a different credential cache file. You can use the environment variable KRB5CCNAME to do this:

	env KRB5CCNAME=/tmp/my.slac.tgt kinit userid@SLAC.STANFORD.EDU

Then use aklog to obtain a token.

	env KRB5CCNAME=/tmp/my.slac.tgt aklog -c SLAC.STANFORD.EDU

If the above method does not work at your site, please see the Problems and work-arounds section.

Installing kinit and aklog

RHEL3 based Linux systems can use the default kerberos rpms, based on krb5-workstation-1.2.7. You can get the aklog program from the appropriate openafs-krb5 rpm. You will need to edit the krb5.conf file as described in Problems and work-arounds.

Problems and work-arounds

Here are some current problems you might encounter when attempting to get an AFS token for SLAC from off-site locations, along with suggested work-arounds.

"unable to reach any KDC in realm"

There are two work-arounds for this; the first is preferred if possible.
  • Edit the /etc/krb5.conf file on your machine and change these two lines

    dns_lookup_realm = false
    dns_lookup_kdc = false

    to

    dns_lookup_realm = true
    dns_lookup_kdc = true

  • If this is not allowed at your site, you should ask the local administrator to include this stanza in the [realms] section of your krb5.conf:

    SLAC.STANFORD.EDU = {
        kdc = k5auth1.slac.stanford.edu:88 k5auth2.slac.stanford.edu:88 k5auth3.slac.stanford.edu:88
        master_kdc = k5auth1.slac.stanford.edu:88
        admin_server = k5admin.slac.stanford.edu
        kpasswd_server = k5passwd.slac.stanford.edu
        default_domain = slac.stanford.edu
    }

    If that is not possible, then get a copy of /etc/krb5.conf from any SLAC machine and use the environment variable KRB5_CONFIG to tell kerberos to use that conf file:

    env KRB5_CONFIG=/tmp/slac.krb5.conf kinit userid@SLAC.STANFORD.EDU

    env KRB5_CONFIG=/tmp/slac.krb5.conf aklog -c SLAC.STANFORD.EDU
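Putting the steps above together, here is an added shell example (not from the SLAC page) that first checks whether a krb5.conf can locate the SLAC KDCs through either of the two work-arounds, then obtains the SLAC TGT into its own credential cache and runs aklog, as described in the Using kinit and aklog section. The function names, the cache path under /tmp and the use of the -A flag are this example's own choices; it assumes MIT kinit and OpenAFS aklog are on $PATH.

```shell
#!/bin/sh
# Added example (not from the SLAC page): a pre-flight check for the two
# "unable to reach any KDC in realm" work-arounds, and a wrapper that puts
# the SLAC TGT in its own credential cache before running aklog.
# Assumes MIT kinit and OpenAFS aklog (1.4.4 or later) are on $PATH.

SLAC_REALM="SLAC.STANFORD.EDU"

# Drop comments and surrounding whitespace so "key = value" lines and
# "[section]" headers can be matched reliably.
_krb5_normalize() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# Returns 0 when krb5.conf can locate the SLAC KDCs, either through DNS SRV
# lookups (dns_lookup_kdc = true) or through an explicit [realms] stanza
# for SLAC.STANFORD.EDU that names at least one kdc; returns 1 otherwise.
krb5_conf_can_reach_slac() {
    conf="$1"
    if _krb5_normalize "$conf" |
        grep -qi '^dns_lookup_kdc[[:space:]]*=[[:space:]]*true$'; then
        return 0
    fi
    _krb5_normalize "$conf" | awk -v realm="$SLAC_REALM" '
        # "SLAC.STANFORD.EDU = {" opens the stanza; "}" closes it
        substr($0, 1, length(realm)) == realm && index($0, "{") { in_realm = 1; next }
        in_realm && /^}/ { in_realm = 0 }
        in_realm && /^kdc[ \t]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Obtain a SLAC TGT (addressless, -A) in a separate cache so it does not
# clobber credentials for the local realm, then turn it into an AFS token.
# Pass a copied SLAC krb5.conf as $2 to use the KRB5_CONFIG work-around.
get_slac_token() {
    userid="$1"; conf="${2:-/etc/krb5.conf}"
    if ! krb5_conf_can_reach_slac "$conf"; then
        echo "$conf cannot locate the $SLAC_REALM KDCs; see work-arounds" >&2
        return 2
    fi
    KRB5CCNAME="/tmp/my.slac.tgt.$$"; export KRB5CCNAME
    KRB5_CONFIG="$conf"; export KRB5_CONFIG
    kinit -A "$userid@$SLAC_REALM" && aklog -c "$SLAC_REALM"
}
```

Run `get_slac_token userid` to use the local /etc/krb5.conf, or `get_slac_token userid /tmp/slac.krb5.conf` with a copied SLAC configuration.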

kinit works but aklog doesn't.

This is due to older versions of OpenAFS that don't fully implement kerberos 5. We recommend the aklog from OpenAFS 1.4.4 or later. You can either copy over the version of aklog from /usr/afsws/bin/aklog or install a new version of OpenAFS. The latter is highly recommended, as there are significant improvements in the 1.4.x versions of OpenAFS. Using addressless tickets can also help with this problem. You can check whether your tickets are addressless with

klist -a

If you are not getting addressless tickets by default try running

kinit -A userid@SLAC.STANFORD.EDU

Java version of kinit

Versions 1.4 and 1.5 of java contain a kinit program that is largely broken. The fix is to either change your $PATH variable to have the MIT kinit path come first or turn off the execute bit on the kinit program. Java version 1.6 appears to not have this executable. It would be a good idea to do the same for the java version of klist in the same directory as well.

Reference

Man pages for the kinit and aklog commands

There are detailed manual pages for each of these commands. Use the man command on the UNIX system. You may need to specify the path like this:

man -M /usr/kerberos/man kinit

Kerberos and OpenAFS information elsewhere

OpenAFS home page
MIT Kerberos home page
Heimdal Kerberos home page
Owner: Chuck Boeheim