
Our Kerberos realm is only open to UMBC networks. If you're authenticating from off-campus, you'll need to connect through the UMBC VPN (https://vpn.umbc.edu/).


There are several free Kerberos implementations, but the most widely known are probably Heimdal and MIT. We primarily use MIT here at UMBC.

Installation

Here are links to the most popular Kerberos implementations. Follow their documentation in order to install Kerberos, or if your operating system distributes its own Kerberos implementation, consult that.

Configuration

Once you've installed Kerberos, you'll need to create a configuration file. On UNIX systems this file is typically /etc/krb5.conf, but the precise location may vary; refer to your implementation's documentation. Here is a minimal sample configuration that should get you going:

krb5.conf
[libdefaults]
    ticket_lifetime = 25h
    default_lifetime = 25h
    default_realm = UMBC.EDU
	
[realms]
    UMBC.EDU = {
        kdc = kerberos.umbc.edu:88
        kdc = kerberos2.umbc.edu:88
        admin_server = kerberos.umbc.edu:749
        default_domain = umbc.edu
    }

[domain_realm]
    umbc.edu = UMBC.EDU
    .umbc.edu = UMBC.EDU

If you plan on using GSSAPI and Kerberos to authenticate to our GL systems, you will also want to make sure that you have the following options enabled in your SSH client configuration:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

The first option allows you to log in to the GL systems using your Kerberos credentials; the second forwards those credentials to the server you're logging in to (so that you can acquire AFS tokens and access your home directory). If you're unsure where to find these lines (or where to add them), consult your SSH client documentation.
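
Because delegation hands your ticket to the remote server, it is worth confirming that both options are in effect for the GL host and that delegation is not also switched on for hosts outside umbc.edu. The following is an added example, not part of the original page: it classifies the effective settings that OpenSSH prints with `ssh -G <host>`. The function name, the result labels and the sample host names are assumptions made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): classify the GSSAPI settings in
# the output of `ssh -G <host>`, read on stdin.
# $1 is the domain suffix trusted to receive delegated credentials
# (umbc.edu, as mapped in [domain_realm] above).
check_gssapi() {
    awk -v suffix="$1" '
        $1 == "hostname"                  { host  = tolower($2) }
        $1 == "gssapiauthentication"      { auth  = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END {
            dot = "." suffix
            # Match on a label boundary so "notumbc.edu" is not treated as inside.
            inside = (host == suffix) ||
                     (length(host) > length(dot) &&
                      substr(host, length(host) - length(dot) + 1) == dot)
            if (!inside && deleg == "yes") print "delegation-outside-domain"
            else if (!inside)              print "outside-domain"
            else if (auth != "yes")        print "gssapi-disabled"
            else if (deleg != "yes")       print "delegation-disabled"
            else                           print "ok"
        }'
}

# Constructed `ssh -G` excerpts; the host names are placeholders.
sample_gl() {
    printf '%s\n' 'hostname gl-placeholder.umbc.edu' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}
sample_unscoped() {   # delegation left on for an unrelated host
    printf '%s\n' 'hostname host.example.org' \
        'gssapiauthentication yes' 'gssapidelegatecredentials yes'
}
sample_missing() {    # GL host where delegation never got enabled
    printf '%s\n' 'hostname gl-placeholder.umbc.edu' \
        'gssapiauthentication yes' 'gssapidelegatecredentials no'
}

for s in sample_gl sample_unscoped sample_missing; do
    printf '%s: %s\n' "$s" "$("$s" | check_gssapi umbc.edu)"
done
# Real use: ssh -G <host> | check_gssapi umbc.edu
```

A result of `delegation-outside-domain` usually means the two options were set globally rather than inside a `Host` block that matches only the GL systems.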

Testing

To verify that your Kerberos configuration is working, open a terminal and type the kinit command (if your local login is different from your myUMBC username, supply it as an argument to the command):

kherna1@localhost (Mac OS X 10.9.5)
$ kinit kherna1
Password for kherna1@UMBC.EDU:

Once you've successfully authenticated, you can use the klist command to verify that you've been granted a ticket:

kherna1@localhost (Mac OS X 10.9.5)
$ klist
Ticket cache: KCM:CFC901FB-DCFD-4B13-A750-5EBAB74069C9
Default principal: kherna1@UMBC.EDU

Valid starting       Expires              Service principal
05/05/2016 11:37:09  05/06/2016 12:36:59  krbtgt/UMBC.EDU@UMBC.EDU