Contents
Why is klog being turned off?
Using kinit and aklog from remote sites
Installing kinit and aklog
Problems and work-arounds
Reference
Why is klog being turned off?
For years SLAC has used the Kerberos 4 based native AFS protocol to obtain an AFS token.
Unfortunately, this protocol uses a weak form of encryption (single DES) and uses it in such a way
that off-line dictionary attacks against user passwords are possible. It is just a matter of time before
the security of this protocol is completely compromised by modern hardware. See
RFC 4772
for more detailed information.
SLAC is moving to the more secure Kerberos 5 protocol, plus a separate program
to obtain AFS tokens. At SLAC the two steps are combined in one program, since we use the Heimdal
version of kinit, which can obtain the AFS token itself. Remote sites can still get AFS tokens, but if they use the default RHEL3 based rpms
they will need to install and configure two separate programs, kinit and aklog.
Using kinit and aklog from remote sites
On RHEL3 based systems, kinit is installed in /usr/kerberos/bin/kinit. If aklog is not in your
default path, try using the locate command to find it.
Kerberos 5 uses two different means to locate the authentication servers (KDCs): the first is via
DNS SRV records, the second is an explicit list of KDCs in the [realms] section of krb5.conf
(see Problems and work-arounds). If DNS lookup is enabled at your site you should be able to use these commands
kinit userid@SLAC.STANFORD.EDU
aklog -c SLAC.STANFORD.EDU
Note: upper case is required; realm names are case sensitive, and by convention are all upper case
for historical reasons. If you are already using Kerberos 5 at your site, you will probably want to
put the SLAC credentials into a separate credential cache, because kinit otherwise replaces the
credentials in your default cache (/tmp/krb5cc_<uid> on RHEL3). You can use the environment variable
KRB5CCNAME to do this
env KRB5CCNAME=/tmp/my.slac.tgt kinit userid@SLAC.STANFORD.EDU
Then use aklog, pointed at the same cache, to obtain a token.
env KRB5CCNAME=/tmp/my.slac.tgt aklog -c SLAC.STANFORD.EDU
If the above method does not work at your site, please see the Problems and work-arounds section.
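The same sequence as a checked shell script, added here as an example (it is not SLAC's own script): it keeps the SLAC TGT in a per-user cache, looks for the MIT and OpenAFS binaries in their RHEL3 install directories before falling back to $PATH, requests an addressless TGT with kinit -A, and verifies the result with the OpenAFS tokens command. The cache name, the exit codes, and passing the lower-case cell name with aklog -c together with -k for the realm are this script's own choices, not taken from the page.

```shell
#!/bin/sh
# Added example (not SLAC's own script): get a SLAC AFS token from a remote
# site with MIT kinit and OpenAFS aklog, keeping the SLAC TGT in its own
# credential cache so the site's local Kerberos credentials are untouched.
# Assumes MIT kinit (RHEL3 path /usr/kerberos/bin), OpenAFS aklog and tokens
# are installed; cache name, cell/realm flags and exit codes are assumptions.

SLAC_REALM="SLAC.STANFORD.EDU"
SLAC_CELL="slac.stanford.edu"
# Per-user cache name: a fixed name such as /tmp/my.slac.tgt can collide with
# another user's file on a shared machine.
SLAC_CC="${SLAC_CC:-/tmp/slac.krb5cc_$(id -u)}"

# Realm names are case sensitive; refuse a lower-case realm up front instead of
# letting the KDC lookup fail with a confusing error.
realm_is_upper() {
    case "$1" in
        *[[:lower:]]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Locate a tool, preferring the MIT and OpenAFS install directories so that a
# Java kinit earlier in $PATH is never picked up. Prints the path found.
find_tool() {
    for p in "/usr/kerberos/bin/$1" "/usr/afsws/bin/$1"; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    command -v "$1"
}

# Return codes: 2 bad realm, 3 tool missing, 4 kinit failed, 5 aklog failed,
# 6 no token for the SLAC cell afterwards.
get_slac_token() {
    user="$1"
    realm_is_upper "$SLAC_REALM" || { echo "realm must be upper case" >&2; return 2; }
    kinit=$(find_tool kinit) || { echo "kinit not found" >&2; return 3; }
    aklog=$(find_tool aklog) || { echo "aklog not found" >&2; return 3; }
    # -A asks for an addressless TGT, which survives NAT and multi-homed hosts.
    KRB5CCNAME="$SLAC_CC" "$kinit" -A "$user@$SLAC_REALM" || return 4
    # -c names the AFS cell, -k the Kerberos realm the afs principal lives in.
    KRB5CCNAME="$SLAC_CC" "$aklog" -c "$SLAC_CELL" -k "$SLAC_REALM" || return 5
    # Verify: tokens prints one "... tokens for ...<cell> [Expires ...]" line
    # per cell we hold a token for; no line for the SLAC cell means failure.
    tokens | grep -q "tokens for .*$SLAC_CELL" || return 6
}

# Usage: ./slac-token.sh userid
if [ $# -eq 1 ]; then
    get_slac_token "$1"
fi
```

Run it as `./slac-token.sh userid`; a non-zero exit code tells you which step failed, and the SLAC credentials stay in $SLAC_CC, so later commands that need them (another aklog after the token expires, or kdestroy) are run with KRB5CCNAME set to that file.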
Installing kinit and aklog
RHEL3 based Linux systems can use the default Kerberos rpms based on
krb5-workstation-1.2.7. You can get the aklog program from the
appropriate openafs-krb5 rpm. You will need to edit the
krb5.conf file as described in Problems and work-arounds.
Problems and work-arounds
Here are some current problems you might encounter when attempting to get an AFS token for SLAC from off-site locations,
along with suggested work-arounds.
"unable to reach any KDC in realm"
There are two work-arounds for this; the first is preferred if possible.
- Edit the /etc/krb5.conf file on your machine and change these two lines in the [libdefaults] section
dns_lookup_realm = false
dns_lookup_kdc = false
to
dns_lookup_realm = true
dns_lookup_kdc = true
- If this is not allowed at your site, you should ask the local administrator to include this
stanza in the [realms] section of your krb5.conf
SLAC.STANFORD.EDU = {
kdc = k5auth1.slac.stanford.edu:88 k5auth2.slac.stanford.edu:88 k5auth3.slac.stanford.edu:88
master_kdc = k5auth1.slac.stanford.edu:88
admin_server = k5admin.slac.stanford.edu
kpasswd_server = k5passwd.slac.stanford.edu
default_domain = slac.stanford.edu
}
If that is not possible, then get a copy of /etc/krb5.conf from any SLAC machine and use the
environment variable KRB5_CONFIG to make Kerberos use that conf file.
env KRB5_CONFIG=/tmp/slac.krb5.conf kinit userid@SLAC.STANFORD.EDU
env KRB5_CONFIG=/tmp/slac.krb5.conf aklog -c SLAC.STANFORD.EDU
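As an added example (not a SLAC-provided file), a script that writes such a private krb5.conf and uses it through KRB5_CONFIG. The KDC, admin and password server names are those of the stanza above; listing the KDCs one per line is a form both MIT and Heimdal accept. The default_realm setting, the [domain_realm] mapping, the output path and the small sanity check are this example's own additions, not taken from the page.

```shell
#!/bin/sh
# Added example (not SLAC's own file): build a private krb5.conf for reaching
# the SLAC realm from a site whose system krb5.conf you cannot edit, then use
# it through KRB5_CONFIG. KDC names come from the SLAC [realms] stanza; the
# output path, default_realm and [domain_realm] entries are assumptions.

SLAC_REALM="SLAC.STANFORD.EDU"

# Write a minimal krb5.conf that both enables DNS lookups and lists the SLAC
# KDCs explicitly, so the realm is reachable whichever method the site allows.
write_slac_krb5_conf() {
    out="$1"
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $SLAC_REALM
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    $SLAC_REALM = {
        kdc = k5auth1.slac.stanford.edu:88
        kdc = k5auth2.slac.stanford.edu:88
        kdc = k5auth3.slac.stanford.edu:88
        master_kdc = k5auth1.slac.stanford.edu:88
        admin_server = k5admin.slac.stanford.edu
        kpasswd_server = k5passwd.slac.stanford.edu
        default_domain = slac.stanford.edu
    }

[domain_realm]
    .slac.stanford.edu = $SLAC_REALM
    slac.stanford.edu = $SLAC_REALM
EOF
    # The file holds no secrets, but keep it owned by you and not writable by others.
    chmod 0644 "$out"
}

# Count the "kdc =" lines in a generated file: a quick sanity check before use
# (master_kdc is deliberately not counted).
count_kdcs() {
    grep -c '^[[:space:]]*kdc = ' "$1"
}

# Usage: ./slac-krb5conf.sh /tmp/slac.krb5.conf userid
if [ $# -eq 2 ]; then
    write_slac_krb5_conf "$1"
    KRB5_CONFIG="$1" /usr/kerberos/bin/kinit -A "$2@$SLAC_REALM" &&
    KRB5_CONFIG="$1" aklog -c SLAC.STANFORD.EDU
fi
```

Because KRB5_CONFIG is only set for the two commands, the site's own /etc/krb5.conf stays in effect for everything else you run.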
kinit works but aklog doesn't.
This is usually due to an older OpenAFS whose aklog does not fully support Kerberos 5 tickets. We recommend the aklog from OpenAFS
1.4.4 or later. You can either copy over the aklog from /usr/afsws/bin/aklog on a SLAC machine
or install a new version of OpenAFS. The latter is highly recommended, as there are significant improvements in the 1.4.x
versions of OpenAFS.
Using addressless tickets can also help with this problem: a ticket that carries your host's address can be rejected
when the address the KDC or server sees differs from the one in the ticket, for example behind NAT.
You can check whether your tickets carry addresses with klist -a. If you are not getting addressless tickets by default, try running
kinit -A userid@SLAC.STANFORD.EDU
Java version of kinit
Versions 1.4 and 1.5 of Java contain a kinit program that is largely broken. The fix is either to
change your $PATH so that the MIT kinit directory comes before the Java bin directory, or to turn off the execute bit on the
Java kinit program. Java version 1.6 appears not to include this executable. It is a good idea
to do the same for the Java version of klist in the same directory.
Reference
Man pages for the kinit and aklog commands
There are detailed manual pages for each of these commands. Use
the man command on the UNIX system. You may need to specify the
path like this
man -M /usr/kerberos/man kinit
Kerberos and OpenAFS information elsewhere
OpenAFS home page
MIT Kerberos home page
Heimdal Kerberos home page
Owner: Chuck Boeheim