Kerberos ticket expired: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
==== TL;DR ==== | ==== TL;DR ==== | ||
You need to authenticate with your password at least once per week in order to keep access to your home directory. | You need to authenticate with your password at least once per week in order to keep access to your home directory. | ||
To this run the <code>kinit</code> command explicitly or unlock your screen. | To do this, run the <code>kinit</code> command explicitly or unlock your screen. | ||
==== Details ==== | ==== Details ==== |
Revision as of 11:33, 7 March 2019
TL;DR
You need to authenticate with your password at least once per week in order to keep access to your home directory.
To do this, run the kinit
command explicitly or unlock your screen.
Details
Your home directory is secured using -what is called- kerberos tickets. As long as you have such a ticket you have access to your home directory. When the ticket is deleted, lost or expired you lose access to your home directory (and project directory/directories)
You get such a ticket:
- automatically when you login with your password (as opposed to e.g. with SSH public key)
- automatically when you unlock your screen using your password
- when you explicitly enter the
kinit
command (it will prompt for your password)
These tickets expire after 12 hours. But the validity can be extended *without*
re-entering your password up to max 1 week.
When you login on an LWP, ticket validity is extended automatically to one week.
So, in order to have uninterrupted access to your home directory, you need to either:
- Run the
kinit
command every week (or every day or so if that's more convenient) - Make sure you unlock your screen at least once a week, e.g. by configuring automatic screen locking.
Advanced commands:
klist
- Shows kerberos ticket information
kadvice
- Shows verbose kerberos ticket information, including advice on e.g. SSH command line option to use for maximum ticket validity.
If you use SSH from within the university network to access an LWP, it is
possible to authenticate without providing your password (e.g. by using public
key authentication or even a kerberos ticket). That is were it gets more
complicated. In those cases please run the kadvice
script mentioned above to
get some advice on the optimal SSH command line options to use.