Working with Kerberos on MCECS Linux Systems

Kerberos management commands quickref

kinit - initialize a new Kerberos ticket
krenew - renew an unexpired Kerberos ticket (works until the 7-day renewal lifetime is exceeded)
klist - show current Kerberos tickets and expiry times

If you let your Kerberos ticket expire past the renewal lifetime, you will need to use kinit to generate a new ticket.

Hosts NOT running Kerberos

The following systems are currently NOT running Kerberos authentication for login or file system access. They are good candidates for using SSH keys for login, for use as a bastion for dispatching long-running jobs out in the labs, or as a place to run cron jobs:

  • linux.cs.pdx.edu (aka ada.cs.pdx.edu) – CS Linux users
  • babbage.cs.pdx.edu – CS Linux users
  • ruby.cecs.pdx.edu – All MCECS Linux users
  • rita.cecs.pdx.edu – All MCECS Linux users
  • fab01.cecs.pdx.edu through fab10.cecs.pdx.edu – All MCECS Linux users
  • quizors – CS Linux users with special quizor access
  • auto.ece.pdx.edu, mo.ece.pdx.edu – ECE Linux users

Kerberos quick intro

CAT-supported Ubuntu Linux workstations in computer labs and offices use Kerberos-based user authentication to provide login authorization (ability to log in) and homedir access authorization (being able to get to your home directory). This provides much stronger security than previous configurations used on MCECS Linux desktops. For most regular student Linux users of our computer labs, this difference is not noticeable.

However, advanced Linux users on these systems (often with a need to keep persistent sessions, run recurring jobs, or use key-based authentication) and users of dedicated desktop workstations in their offices (where they may stay logged on for days without locking/unlocking their screens) may need to adjust their use of the systems to accommodate a Kerberos environment.

This behavior is limited to the Kerberos-based Linux workstations managed by the CAT in computer labs and offices. Remotely accessible login/compute servers housed in the data center behave in a more traditional Linux fashion.

Kerberos logins operate with a “ticket” that has a finite expiry time (24 hours) and a finite renewal time (7 days). The presence of a valid ticket is used to give you access to your files. If your ticket expires, you will need to renew it. If your ticket exceeds the renewal limit, you will need to initialize a new ticket. For details about how Kerberos functions, read this:

https://cat.pdx.edu/platforms/linux/user-environment/kerberos/whatis/
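
The expiry and renewal rules above can be checked from klist output before starting a long job. The script below is an added example, not CAT-provided code. It assumes MIT klist's default layout with MM/DD/YYYY HH:MM:SS timestamps; the sample ticket, the realm EXAMPLE.EDU and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CAT code): pick krenew or kinit from klist output.
# Assumes MIT klist layout with MM/DD/YYYY HH:MM:SS timestamps.

# Constructed sample: 24-hour ticket, 7-day renewal limit, made-up realm.
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.EDU

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/16/2024 09:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
        renew until 01/22/2024 09:00:00
01/15/2024 09:05:00  01/16/2024 09:00:00  nfs/host.example.edu@EXAMPLE.EDU
        renew until 01/22/2024 09:00:00
EOF
}

# ticket_action NOW   (klist output on stdin)
# NOW uses the same format and time zone as klist. Prints one of:
#   krenew   TGT is unexpired and inside its renewal lifetime
#   norenew  TGT is unexpired but cannot be renewed; kinit before it expires
#   kinit    no TGT, TGT expired, or renewal lifetime exceeded
ticket_action() {
    awk -v now="$1" '
    # "MM/DD/YYYY" + "HH:MM:SS" -> sortable number YYYYMMDDHHMMSS
    function stamp(d, t,    a, b) {
        split(d, a, "/"); split(t, b, ":")
        return (a[3] a[1] a[2] b[1] b[2] b[3]) + 0
    }
    BEGIN { split(now, n, " "); now_s = stamp(n[1], n[2]) }
    # Ticket-granting ticket line: start, expiry, principal
    $5 ~ /^krbtgt\// { expires = stamp($3, $4); in_tgt = 1; next }
    # Only the "renew until" line directly under the TGT applies to it
    in_tgt && $1 == "renew" && $2 == "until" { renew_until = stamp($3, $4) }
    { in_tgt = 0 }
    END {
        if (!expires || now_s >= expires)            print "kinit"
        else if (renew_until && now_s < renew_until) print "krenew"
        else                                         print "norenew"
    }'
}

sample_klist | ticket_action "01/15/2024 12:00:00"   # mid-ticket
```

Against a live ticket cache, the equivalent call is `klist | ticket_action "$(date '+%m/%d/%Y %H:%M:%S')"`, provided klist on that host prints timestamps in the assumed format.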

Problems?

If you find yourself unable to log in to a Kerberos-controlled system after the switch, or tend to do the following in the labs:

  • Use SSH keys to log in
  • Run Long Running Processes (LRPs)
  • Run multiple parallel processes
  • Run cron jobs

please read through our FAQ:

https://cat.pdx.edu/platforms/linux/user-environment/kerberos/faq/