Kerberos ticket expired: Difference between revisions

From LWP-Wiki
Jump to navigation Jump to search
(Created page with "Your home directory is secured using -what is called- kerberos tickets. As long as you have such a ticket you have access to your home directory. When the ticket is deleted,...")
 
 
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:home-directory-faq]]
==== TL;DR ====
You need to authenticate with your password at least once per week in order to keep access to your home directory.
To do this, run the <code>kinit</code> command explicitly or unlock your screen.
==== Details ====
Your home directory is secured using -what is called-  kerberos tickets. As
Your home directory is secured using -what is called-  kerberos tickets. As
long as you have such a ticket you have access to your home directory. When the
long as you have such a ticket you have access to your home directory. When the
Line 13: Line 19:
re-entering your password up to max 1 week.
re-entering your password up to max 1 week.


When you login on an LWP, extending validity of the ticket happens
When you login on an LWP, ticket validity is extended automatically to one week.
automatically to one week.


So, in order to have uninterrupted access to your home directory, you need to either:
So, in order to have uninterrupted access to your home directory, you need to either:
Line 31: Line 36:
possible to authenticate without providing your password (e.g. by using public
possible to authenticate without providing your password (e.g. by using public
key authentication or even a kerberos ticket). That is were it gets more
key authentication or even a kerberos ticket). That is were it gets more
complicated.  In those cases please run the 'kadvice' script mentioned above to
complicated.  In those cases please run the <code>kadvice</code> script mentioned above to
get some advice on the optimal SSH command line options to use.
get some advice on the optimal SSH command line options to use.
==== Keytab ====
A more permanent option is to create a keytab file.<br>
:  '''!NOTE''' Uppercase [PSFG] in username is required.<br>
:  '''!WARNING''' You are effectively storing the login credentials to an account in a file on the system; Handle with care! Don't use this on a shared system.<br>
Login to a LWP; In a terminal enter the following command to open the '''ktutil''' command interface:
  $ ktutil
Give these commands to create a keytab file (replace '''''P123456''''' with a valid username):
  ktutil: add_entry -password -p '''''P123456''''' -k 1 -e aes256-cts-hmac-sha1-96 -s WORKSPACE.RUG.NL'''''P123456'''''
  # Input your password.
  ktutil: write_kt /tmp/kt_'''''P123456'''''
  ktutil: quit
Now use the following command to run your jobs with the credentials file you've just created:
  $ k5start -Ubf /tmp/kt_'''''P123456''''' <command you want to keep running>

Latest revision as of 12:50, 14 June 2024

TL;DR

You need to authenticate with your password at least once per week in order to keep access to your home directory. To do this, run the kinit command explicitly or unlock your screen.

Details

Your home directory is secured using -what is called- kerberos tickets. As long as you have such a ticket you have access to your home directory. When the ticket is deleted, lost or expired you lose access to your home directory (and project directory/directories)

You get such a ticket:

  • automatically when you login with your password (as opposed to e.g. with SSH public key)
  • automatically when you unlock your screen using your password
  • when you explicitly enter the kinit command (it will prompt for your password)


These tickets expire after 12 hours. But the validity can be extended *without* re-entering your password up to max 1 week.

When you login on an LWP, ticket validity is extended automatically to one week.

So, in order to have uninterrupted access to your home directory, you need to either:

  • Run the kinit command every week (or every day or so if that's more convenient)
  • Make sure you unlock your screen at least once a week, e.g. by configuring automatic screen locking.


Advanced commands:

klist
Shows kerberos ticket information
kadvice
Shows verbose kerberos ticket information, including advice on e.g. SSH command line option to use for maximum ticket validity.

If you use SSH from within the university network to access an LWP, it is possible to authenticate without providing your password (e.g. by using public key authentication or even a kerberos ticket). That is were it gets more complicated. In those cases please run the kadvice script mentioned above to get some advice on the optimal SSH command line options to use.

Keytab

A more permanent option is to create a keytab file.

!NOTE Uppercase [PSFG] in username is required.
!WARNING You are effectively storing the login credentials to an account in a file on the system; Handle with care! Don't use this on a shared system.

Login to a LWP; In a terminal enter the following command to open the ktutil command interface:

 $ ktutil

Give these commands to create a keytab file (replace P123456 with a valid username):

 ktutil: add_entry -password -p P123456 -k 1 -e aes256-cts-hmac-sha1-96 -s WORKSPACE.RUG.NLP123456
 # Input your password.
 ktutil: write_kt /tmp/kt_P123456
 ktutil: quit

Now use the following command to run your jobs with the credentials file you've just created:

 $ k5start -Ubf /tmp/kt_P123456 <command you want to keep running>