Kerberos ticket expired: Difference between revisions
No edit summary |
(→Keytab) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 41: | Line 41: | ||
==== Keytab ==== | ==== Keytab ==== | ||
A more permanent option is to create a keytab file.<br> | A more permanent option is to create a keytab file.<br> | ||
'''!NOTE''' Uppercase [PSFG] in username is required.<br> | : '''!NOTE''' Uppercase [PSFG] in username is required.<br> | ||
'''! | : '''!WARNING''' You are effectively storing the login credentials to an account in a file on the system; Handle with care! Don't use this on a shared system.<br> | ||
Login | Login to a LWP; In a terminal enter the following command to open the '''ktutil''' command interface: | ||
$ ktutil | $ ktutil | ||
Give these commands to create a keytab file (replace P123456 with a valid username): | Give these commands to create a keytab file (replace '''''P123456''''' with a valid username): | ||
ktutil: add_entry -password -p P123456 -k 1 -e aes256-cts-hmac-sha1-96 -s WORKSPACE.RUG. | ktutil: add_entry -password -p '''''P123456''''' -k 1 -e aes256-cts-hmac-sha1-96 -s WORKSPACE.RUG.NL'''''P123456''''' | ||
# Input your password. | # Input your password. | ||
ktutil: write_kt /tmp/ | ktutil: write_kt /tmp/kt_'''''P123456''''' | ||
ktutil: quit | ktutil: quit | ||
Now use the following command to run your jobs with the credentials file you've just created: | Now use the following command to run your jobs with the credentials file you've just created: | ||
$ k5start -Ubf /tmp/ | $ k5start -Ubf /tmp/kt_'''''P123456''''' <command you want to keep running> |
Latest revision as of 12:50, 14 June 2024
TL;DR
You need to authenticate with your password at least once per week in order to keep access to your home directory.
To do this, run the kinit
command explicitly or unlock your screen.
Details
Your home directory is secured using -what is called- kerberos tickets. As long as you have such a ticket you have access to your home directory. When the ticket is deleted, lost or expired you lose access to your home directory (and project directory/directories)
You get such a ticket:
- automatically when you login with your password (as opposed to e.g. with SSH public key)
- automatically when you unlock your screen using your password
- when you explicitly enter the
kinit
command (it will prompt for your password)
These tickets expire after 12 hours. But the validity can be extended *without*
re-entering your password up to max 1 week.
When you login on an LWP, ticket validity is extended automatically to one week.
So, in order to have uninterrupted access to your home directory, you need to either:
- Run the
kinit
command every week (or every day or so if that's more convenient) - Make sure you unlock your screen at least once a week, e.g. by configuring automatic screen locking.
Advanced commands:
klist
- Shows kerberos ticket information
kadvice
- Shows verbose kerberos ticket information, including advice on e.g. SSH command line option to use for maximum ticket validity.
If you use SSH from within the university network to access an LWP, it is
possible to authenticate without providing your password (e.g. by using public
key authentication or even a kerberos ticket). That is were it gets more
complicated. In those cases please run the kadvice
script mentioned above to
get some advice on the optimal SSH command line options to use.
Keytab
A more permanent option is to create a keytab file.
- !NOTE Uppercase [PSFG] in username is required.
- !WARNING You are effectively storing the login credentials to an account in a file on the system; Handle with care! Don't use this on a shared system.
Login to a LWP; In a terminal enter the following command to open the ktutil command interface:
$ ktutil
Give these commands to create a keytab file (replace P123456 with a valid username):
ktutil: add_entry -password -p P123456 -k 1 -e aes256-cts-hmac-sha1-96 -s WORKSPACE.RUG.NLP123456 # Input your password. ktutil: write_kt /tmp/kt_P123456 ktutil: quit
Now use the following command to run your jobs with the credentials file you've just created:
$ k5start -Ubf /tmp/kt_P123456 <command you want to keep running>