Fermilab, Kerberos and E835

Please read this page and much of the linked documentation below.

Note that most of this page was written Summer of 2001. fn835 systems have all been kerberized and the existence of this page is for people to have links to documentation that can be found on the Computing Division web pages.

What is going on:

Fermilab, for computer security reasons, has adopted a plan to have all computing systems at Fermilab use Kerberos as the user authentication system; the plan is to have all systems within the strengthen realm FNAL.GOV by the end of the year.   The ultimate goal of this project is to not have passwords transmitted over the ethernet.  The nomenclature is strange: one will have a principal (this can be thought of as an account) and tickets (which are a set of privileges to access your own normal account or a group account). A good point of using kerberos is that you will only have to login with password/Cryptocard once per session (movement between computing systems will then not require more password challenges). On the other hand Cryptocards will be the used and tickets will have time limits. For complete information see the Computing Division information about strong authentication.  One should also review the latest version of the Fermilab Policy on Computing (pdf).

The experiment is required to comply and leaves us with two options: 1) turn off the systems or 2) kerberize the E835 systems (fn835c,i,j,q,r,s,t,x,y,z).  Since E835 has no plans to decommission the fn835 computer systems nor plans to move what is required to the FNAL central systems, option 1) appears to not be an option. That leaves option 2) of kerberizing the fn835 systems. In any case, the FNAL central systems will be within the strengthen realm by the end of the year; the farms systems (NDST production) have been fully kerberized in July. You will be required to change to strong authentication and you will have to apply for a principal and start using kerberos soon.

How will things be different:

The strong authentication documentation attempts to describe all possible connections to and from the FNAL.GOV strengthen realm. Here is described the procedure for connecting to fn835 systems (and to the FNAL central systems) will be like once a system is kerberized.  For login at a system console (0.1% of the logins; all fn835 system consoles are now in AP50 counting room), use your existing unix password; to connect to another system, after typing setup kerberos, one will need to use kinit and use your principal password before telnet/ssh/ftp to another FNAL.GOV kerberized system (you should not have to enter another password).  Logins (using telnet/ssh/ftp) from off site or an X-term (99.9% of fn835 logins) will be issued a Cryptocard challenge (8 digit hex code) which your personal Cryptocard will have the correct response (another 8 digit hex code); connecting to other FNAL.GOV systems via telnet/ssh/ftp is done without having to enter any passwords.   Much more information is available in the strong authentication documentation.

When will the fn835 systems be kerberized:

The E835 plan is to kerberize one system of each flavor (DEC OSF and SGI IRIX)  by the end of September. fn835q and fn835x (done July 16, 2001) will then only be accessible using strong authentication.  Four systems will be kerbeized the first week of October. The last four systems will be done the week of Oct ober 22.  After these systems have all been moved into the strengthen realm, you will need to have a kerberos principal and cryptocard to access the fn835 systems.  Web access will not be affected.

How does one get ...:

The claim is the average turn around time on requests is two weeks. A web form is used for requesting a principal and cryptocard. Included are links to prerequisites (having a valid Fermilab ID) and other information (please read). Make sure to request a kerberos principal the same as your account's username. Also make sure to click the box to request a Cryptocard; you have by default an account on fnkerb.fnal.gov--don't need to request fnkerb account.

You will receive email welcoming you and providing information on acquiring your initial password. Please read the email and determine how you will get the initial password.  A separate email will describe the Cryptocard and the initial PIN number.

Stephen Pordes has volunteered to send the Cryptocards to the fellow collaborators upon request: please arrange with him if you want your card shipped. Please, contact Stephen also if you need to renew your Fermilab ID: you'll need to send him this form via fax.

Quick change the password:

The initial password is only valid for 30 days. Until the end of the year, you can ssh to fnkerb.fnal.gov and change the password.  After you are successfully on fnkerb, then issue kpasswd and follow the rules for passwords; you should be using a secure connection when you type any reusable password. Choosen kerberos passwords will then be valid for about a year.


When you first use your Cryptocard, you will be required to change the PIN number.  Here is a link describing  the Cryptocard (please read this page many times).


Pretty much all why and how to instructions are covered by the strong authentication documentation.  If you still have a question, send you question to helpdesk@fnal.gov.  If you have a question about the implementation of strong authentication on the fn835 systems please send questions to Keith, Gabriele and Willi.

Why the name Kerberos?

Last last update September 13, 2001
Last update March 23, 2002