
Overview of Kerberos Services

by Shigeki Misawa last modified Jan 28, 2008 04:31 PM
Information about the use of Kerberos at the RACF

The Kerberos Network Authentication Protocol is used by the RACF to provide password-based authentication of users for many RACF services. For most purposes at the RACF, users do not interact with Kerberos directly; it is used behind the scenes as a password verification service. There are, however, three situations in which users interact with Kerberos directly: when using the AFS file systems at the RACF, when using the GSSAPI-enabled ssh for interactive "single sign-on", and when using the Kerberos-based interfaces to HPSS.

AFS, HPSS, and GSSAPI-enabled ssh use the Kerberos Ticket Granting Ticket (TGT) to verify the identity of a user. A TGT is obtained by using the Kerberos kinit command to authenticate to the Kerberos server. Once a TGT is obtained, a user can obtain an AFS token by running the aklog command (assuming that the system is an AFS client). With a TGT, a user can also log into other systems within the RACF using a GSSAPI-enabled ssh, without typing additional passwords. In addition, the user will have a TGT on the destination system, which will be used automatically to obtain an AFS token if AFS is running on that system. Finally, when using the Kerberos-based interfaces to HPSS, the TGT is used to authenticate the user. One item to note is that the TGT has a limited lifetime (5 days from initial authentication at the RACF).

There are two separate Kerberos authentication "realms" at the RACF: the RHIC.BNL.GOV Kerberos realm is used to authenticate RHIC/LSST users, and the USATLAS.BNL.GOV Kerberos realm is used to authenticate US Atlas users. RHIC/LSST systems at the RACF use the RHIC.BNL.GOV realm, and as a result the full functionality described in the previous paragraph only works within the RHIC "universe", consisting of the rhic.bnl.gov AFS cell, the RHIC.BNL.GOV Kerberos realm and the RHIC/LSST servers. Similarly, for US Atlas users, full functionality works only within the US Atlas "universe", consisting of the usatlas.bnl.gov AFS cell, the USATLAS.BNL.GOV Kerberos realm and the US Atlas servers. There are selected services, most notably HPSS, that will accept TGTs from either Kerberos realm.
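The two paragraphs above describe a workflow (kinit for a TGT, then aklog, GSSAPI ssh or HPSS) that silently stops working once the 5-day TGT lifetime runs out, and only within the realm that matches the AFS cell. The following script is an added example, not code from the RACF page: it parses MIT-style `klist` output, reports whether a TGT for a given realm is present, expiring or expired, maps the realm to the AFS cell listed above, and suggests whether the next step is `kinit` or `aklog`. The `klist` sample, the timestamps and the `<user>` principal placeholder are constructed for the example; the `klist` date formats and the `aklog -c` option are assumptions about the local Kerberos and OpenAFS tools.

```python
"""Report Kerberos TGT state per realm from `klist` output (added example)."""
from __future__ import annotations

import re
import subprocess
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Realm -> AFS cell pairing described on the page.
REALM_TO_AFS_CELL = {
    "RHIC.BNL.GOV": "rhic.bnl.gov",
    "USATLAS.BNL.GOV": "usatlas.bnl.gov",
}

# Date layouts seen in MIT klist output across versions (assumption).
_DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S", "%Y-%m-%dT%H:%M:%S")

# Constructed sample: a 5-day TGT issued at the page's "last modified" time.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@RHIC.BNL.GOV

Valid starting       Expires              Service principal
01/28/2008 16:31:00  02/02/2008 16:31:00  krbtgt/RHIC.BNL.GOV@RHIC.BNL.GOV
01/28/2008 16:32:10  01/29/2008 16:32:10  afs/rhic.bnl.gov@RHIC.BNL.GOV
"""


def _parse_date(text: str) -> Optional[datetime]:
    """Try each known klist date layout; None if the field is not a date."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_klist(output: str) -> Dict[str, datetime]:
    """Return {realm: expiry} for every krbtgt entry in klist output.

    Ticket lines have three columns separated by runs of spaces; header,
    'Ticket cache:' and 'renew until' continuation lines do not, so they
    are skipped by the column count or by failing the date parse.
    """
    tgts: Dict[str, datetime] = {}
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 3:
            continue
        expires = _parse_date(parts[1])
        service = parts[2]
        if expires is None or not service.startswith("krbtgt/"):
            continue
        # krbtgt/<realm the TGT is for>@<issuing realm>
        realm = service[len("krbtgt/"):].split("@", 1)[0]
        tgts[realm] = expires
    return tgts


def tgt_status(
    tgts: Dict[str, datetime],
    realm: str,
    now: datetime,
    warn_window: timedelta = timedelta(hours=12),
) -> Tuple[str, Optional[timedelta]]:
    """Classify the TGT for `realm` as missing, expired, expiring or valid."""
    expires = tgts.get(realm)
    if expires is None:
        return "missing", None
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= warn_window:
        return "expiring", remaining
    return "valid", remaining


def next_step(status: str, realm: str) -> str:
    """Suggest the command a user would run next; <user> is a placeholder."""
    if status != "valid":
        return f"kinit <user>@{realm}"
    cell = REALM_TO_AFS_CELL.get(realm)
    # aklog -c <cell> requests an AFS token for that cell (OpenAFS; assumption).
    return f"aklog -c {cell}" if cell else "aklog"


def live_klist_output() -> str:
    """Run the local klist if present, otherwise fall back to the sample."""
    try:
        result = subprocess.run(["klist"], capture_output=True, text=True, check=False)
        return result.stdout if result.returncode == 0 else SAMPLE_KLIST
    except FileNotFoundError:
        return SAMPLE_KLIST


if __name__ == "__main__":
    found = parse_klist(live_klist_output())
    for realm in REALM_TO_AFS_CELL:
        status, left = tgt_status(found, realm, datetime.now())
        print(f"{realm}: {status} (remaining {left}) -> {next_step(status, realm)}")
```

Running it on a real client prints one line per realm; on a machine without `klist` it falls back to the constructed sample, where the RHIC TGT is valid until 02/02/2008 16:31:00 and no USATLAS TGT exists, which is exactly the situation in which aklog in the rhic.bnl.gov cell works but nothing in the US Atlas "universe" does.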