If you log into a lab desktop, you would typically use your username (just "xyz" without the [...]) and a new ticket is created. The environment variable KRB5CCNAME will point to the ticket file. Tickets are only valid for 26h and you typically refresh your kerberos authentication every day. You can renew the ticket, or create it if you logged on by some other means, using kinit. kinit takes an argument which is the user name (or full principal) and asks for your password.

Tickets are "forwardable" by default. This means if you are logged into machine A with a ticket, and ssh to machine B, the ticket will also be moved to machine B, so you can ssh (or scp, etc.) once you are on B. If you have an ssh session from machine A to machine B, and leave the session up, you may renew the ticket on A, but the ticket on B will not automatically be updated. In this case, you can use [...] to push your fresh ticket out through all ssh sessions and update the remote tickets.

There are two utilities in kerberos which we will only note here. One is kcron and kcroninit. These allow you to gain a kerberos ticket in a cron job. This feature is not as secure, so it is usually only issued by the lab when needed, for example, in a group account. A keytab file can hold a ticket that is good for a year and can be accessed by anyone with access to the keytab file. Read more at the FNAL kerberos link (Miscellaneous Kerberos Topics for the User -> Automated Processes).

Creating a keytab file for an AD user: on a unix or MAC system with MIT Kerberos CLI utilities installed, run ktutil and at its prompt enter

ktutil: addent -password -p krbuser -k 1 [...]

kinit supports authenticating from a keytab using the -k -t options. The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file).

The second identity you will need is the services principal, which looks like [...] or often just xyz, and also has a password (different from your kerberos password). You will need this identity to log into Fermilab email, the servicedesk web site, sharepoint and some other services based at the lab. You would typically only use this authentication at the point you log into the service and there is no local credential cache.

For some interactive purposes on linux, via the command line or browsers, you will need a certificate to prove your identity. Some of the systems which require cert authentication are jobsub job submission, ifdh data transfer and writing to the SAM database as part of file upload to tape. You should have received a certificate as part of registering for computing accounts. Our certificates are based on the CILogon Certification Authority (CA) which is geared to big science.

Your cert works by providing encrypted identity information. The party, such as a lab service, that wants to check your identity can ask the CA if your packet is valid. CA's may be signed by other CA's in turn up to a nationally-recognized organization, in a "trust chain". Your cert is good for a year and only needs to be updated in your browser once a year. When your cert is first created, it is also communicated to the lab which can then manage and provide the cert for you. When you access your cert at the linux command line, you usually access it from this cache.

kinit makes sure your kerberos identity is valid, and kx509 uses that authentication to make a local, temporary copy of your cert, called a proxy, and writes it to a file named with your UID:

-rw- 1 rlc mu2e 8171 Aug 15 10:07 /tmp/x509up_u1311

It is this proxy, in this standard location, that commands can use to authenticate you. Note that jobsub and ifdh can automatically run kx509 for you if it is needed (so you only need to remember to kinit); however, samweb does not run kx509 automatically, and you will need to run it yourself if you get authentication errors. If you do not have a kerberos ticket when you run cigetcert, it will prompt you for your services password, and you can use this authentication to access your cert and make a proxy. You might see

cigetcert -institution="Fermi National Accelerator Laboratory"

in some places.

You can print your proxy certificate with [...]. Here is what one print looks like:

Subject : /DC=org/DC=cilogon/C=US/O=Fermi National Accelerator Laboratory/OU=People/CN=Raymond Culbertson/CN=UID:rlc
Issuer : /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
Identity : /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
Key usage : Digital Signature, Key Encipherment, Data Encipherment

A proxy is a copy of your certificate that expires quickly, usually in a few days or hours (see the printouts for "timeleft"). kx509 creates "end entity certificates", which are temporary copies of your cert. The term "end-entity credential" just means it is below a CA in the certificate trust chain. The kx509 certs are not fully RFC-compliant (the current industry standard) for backwards compatibility, so have type "unknown". It may also say "proxy" in the "type" field. (I've had experts tell me these are technically proxies, but this seems to not be helpful.) If you print your cert and see "subject" with an appendage like "/CN=2707985426" then this is a proxy. The proxy is considered safe enough to pass around the grid and over networks. At the command line, we only use proxies.

If you believe you have a valid certificate and you still see errors, for example "Error creating dataset definition for [...]", then try removing the cert and recreating it. The problem is that the proxy created by jobsub or ifdh may require extra steps in authentication because it is "issued" by you. The cert created by kx509 is issued by the CILogon CA, and requires fewer steps to authenticate. While this delete-and-kx509 procedure works fine, the best solution is to provide the intermediate CA in the trust chain to the command (more below).