Fermilab, Kerberos and E835
Please read this page and much of the linked documentation below.
Note that most of this page was written in the summer of 2001. All fn835 systems have
since been kerberized; this page remains so that people have links to the documentation that can be found on the Computing Division web pages.
What is going on:
Fermilab, for computer security reasons, has adopted a plan to have all
computing systems at Fermilab use Kerberos
as the user authentication system; the plan is to have all systems within
the strengthened realm FNAL.GOV by the end of the year.
The ultimate goal
of this project is to not have passwords transmitted over the ethernet.
is strange: one will have a principal (this can be thought of as
an account) and tickets (which are a set of privileges to access
your own normal account or a group account). An advantage of using Kerberos
is that you will only have to log in with a password or Cryptocard once per session
(movement between computing systems will then not require more password
challenges). On the other hand, Cryptocards will be used and tickets
will have time limits. For complete information see the Computing Division
information about strong
authentication. One should also review the latest version of
the Fermilab Policy
on Computing (pdf).
The experiment is required to comply, which leaves us with two options:
1) turn off the systems or 2) kerberize the E835 systems (fn835c,i,j,q,r,s,t,x,y,z).
Since E835 has no plans to decommission the fn835 computer systems nor
plans to move what is required to the FNAL central systems, option 1) is
not really an option. That leaves option 2), kerberizing the fn835
systems. In any case, the FNAL central systems will be within the strengthened
realm by the end of the year; the farm systems (NDST production) were
fully kerberized in July. You will be required to change to strong
authentication and you will have to apply for a principal and start using
How will things be different:
The strong authentication
documentation attempts to describe all possible connections to and from
the FNAL.GOV strengthened realm. Here is a description of what connecting
to fn835 systems (and to the FNAL central systems) will
be like once a system is kerberized. For login at a system console
(0.1% of the logins; all fn835 system consoles are now in the AP50 counting
room), use your existing unix password; to connect to another system, after
typing setup kerberos, one will need to run kinit and enter
your principal password before using telnet/ssh/ftp to another FNAL.GOV kerberized
system (you should not have to enter another password). Logins (using
telnet/ssh/ftp) from off site or from an X-term (99.9% of fn835 logins) will
be issued a Cryptocard challenge (an 8 digit hex code) to which your personal
Cryptocard will supply the correct response (another 8 digit hex code); connecting
to other FNAL.GOV systems via telnet/ssh/ftp is then done without having to
enter any passwords. Much more information is available in
the strong authentication
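The kinit-then-connect flow described above, as an added shell wrapper that is not part of the original page or of the Fermilab tools: it only opens an ssh session when a non-expired ticket is present, obtaining one with kinit first if needed, so no reusable password is ever typed into a remote login prompt. It assumes MIT or Heimdal Kerberos tools on the PATH (the page's "setup kerberos" step having been run), that your principal equals your Unix username as the page asks, and modern OpenSSH GSSAPI options rather than the 2001 kerberized ssh.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes "setup kerberos" has
# put kinit/klist on PATH and that the principal is USER@FNAL.GOV.
REALM="FNAL.GOV"
# Tool names are overridable so the logic can be exercised without Kerberos.
KLIST="${KLIST:-klist}"
KINIT="${KINIT:-kinit}"
SSH="${SSH:-ssh}"

# principal_for USER  ->  USER@FNAL.GOV (principal = account username)
principal_for() {
  printf '%s@%s\n' "$1" "$REALM"
}

# Succeed only if a non-expired ticket cache exists. "klist -s" is silent
# and exits non-zero when the cache is missing or every ticket has expired,
# which covers the ticket time limits the page warns about.
have_ticket() {
  "$KLIST" -s >/dev/null 2>&1
}

# Get a ticket only if we do not already hold one. The principal password
# is typed locally to kinit and never sent to the remote host.
ensure_ticket() {
  user="${1:-$(id -un)}"
  if have_ticket; then
    return 0
  fi
  "$KINIT" "$(principal_for "$user")"
}

# kssh HOST [CMD...]: connect with Kerberos (GSSAPI) authentication only.
# PasswordAuthentication=no keeps ssh from falling back to a reusable
# password prompt if the ticket is unusable; we refuse instead.
kssh() {
  host="$1"; shift
  if ! ensure_ticket; then
    echo "no Kerberos ticket for $REALM; not connecting to $host" >&2
    return 1
  fi
  "$SSH" -o GSSAPIAuthentication=yes -o PasswordAuthentication=no "$host" "$@"
}
```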
When will the fn835 systems be kerberized:
The E835 plan is to kerberize one system of each flavor (DEC OSF and SGI
IRIX) by the end of September. fn835q and fn835x (done July 16, 2001)
will then only be accessible using strong authentication. Four systems
will be kerberized the first week of October. The last four systems will
be done the week of October 22. After these systems have all been
moved into the strengthened realm, you will need to have a kerberos principal
and cryptocard to access the fn835 systems. Web access will not be
How does one get ...:
The claim is that the average turnaround time on requests is two weeks. A web
form is used for requesting a principal and Cryptocard. Included are
links to prerequisites (having a valid Fermilab ID) and other information
(please read). Make sure to request a kerberos principal that is the same as your
account's username. Also make sure to click the box to request a Cryptocard;
you have by default an account on fnkerb.fnal.gov--don't need to request
You will receive email welcoming you and providing information on acquiring
your initial password. Please read the email and determine how you will
get the initial password. A separate email will describe the Cryptocard
and the initial PIN number.
Stephen Pordes has volunteered to send the Cryptocards to fellow
collaborators upon request: please arrange with him if you want your card
shipped. Please also contact Stephen if you need to renew your Fermilab
ID: you'll need to send him this
form via fax.
Quickly change the password:
The initial password is only valid for 30 days. Until the end of the year,
you can ssh to fnkerb.fnal.gov and change the password.
After you are successfully on fnkerb, issue kpasswd and follow
the rules for passwords; you should be using a secure connection whenever you
type any reusable password. Chosen kerberos passwords will then be valid
for about a year.
When you first use your Cryptocard, you will be required to change the
PIN number. Here is a link describing the Cryptocard
(please read this page many times).
Pretty much all why and how-to instructions are covered by the strong
authentication documentation. If you still have a question, send
your question to firstname.lastname@example.org. If you have a question about the
implementation of strong authentication on the fn835 systems please send
questions to Keith, Gabriele and Willi.
Previous update September 13, 2001
Last update March 23, 2002