
Local Kerberos5/SecurID Client Installation

General Information

ARSC requires all users to connect to all ARSC systems (except gate.arsc.edu) via Kerberos5/SecurID-enabled versions of ssh, telnet, rlogin, or FTP. Because these clients include strong encryption, you may not download this software if you are located in, or are a citizen or national of, any country to which the US government prohibits the export of encryption source code. ARSC maintains a set of execute-only Kerberos5/SecurID clients on gate.arsc.edu so that users who are unable to obtain or install their own clients can still reach ARSC's resources. To eliminate the transmission of clear-text passwords, all connections to gate must be made with ssh. For those able to install the Kerberos5/SecurID clients (or have them installed on their behalf), gate should be viewed as a last resort; we strongly encourage all of our users to legally obtain and install their own local Kerberos5/SecurID clients.

NOTE: ARSC does not directly provide any of the Kerberos5/SecurID kits. Rather, we rely on the Kerberos & SecurID Information Center public web site for the clients. It is each user's responsibility to ensure that they abide by Kerberos & SecurID Information Center's restrictions and policies regarding the distribution of the client kits.

Downloading

To download the client kit for your operating system, go to the Kerberos & SecurID Information Center web page and click on the Software link on the left side of the page. From there, select the link for the operating system you are using under the Kerberos section. Finally, right-click (Mac: Ctrl-click) the link to the kit for your system and choose Save as... to download it.

Installation

General
Each copy of the Kerberos5/SecurID client kit comes with a default configuration file and a README file that outlines how and where to install the various parts of the Kerberos5/SecurID client kit. These notes are not a replacement for the READMEs, but will show you what to expect in each kit.
Macintosh
The Macintosh kit is distributed as a disk image (.dmg file). The image installs the following utilities, files, and libraries:
  • kdestroy
  • kftp
  • kinit
  • klist
  • kpasswd
  • krcp
  • krlogin
  • ktelnet
  • krsh
  • krb5.conf
  • Kerberos (library)
 
Windows
The Windows client kit is available as a self-extracting zip file or as a Windows Installer Package. It includes the following packages and utilities:
  • PuTTy\putty.exe
  • PuTTy\psftp.exe (sftp command line client)
  • PuTTy\pscp.exe (scp command line client)
  • Filezilla\filezilla.exe
  • Kerberos\krb5.exe
  • Kerberos\klist.exe
  • Kerberos\kdestroy.exe
  • Kerberos\kinit.exe
  • Kerberos\ftp.exe
  • Kerberos Libraries\krb5.ini

By default the Windows Installer Package installs the Kerberos kit in the directory C:\Program Files\HPCMP. KRB5.EXE is the Kerberos5 ticket manager, which provides a GUI for acquiring Kerberos tickets.

Unix/Linux
Each of the Unix distributions is a standard, compressed tar file. The contents will unpack as follows:
  • krb5/aklog
  • krb5/kdestroy
  • krb5/kftp
  • krb5/kinit
  • krb5/klist
  • krb5/kpasswd
  • krb5/krb5.conf
  • krb5/krcp
  • krb5/krlogin
  • krb5/krsh
  • krb5/kshell
  • krb5/ktelnet
  • krb5/README

If you have root access on your workstation, move the krb5.conf file into the /etc directory. You may also want to move the executables into /usr/local/bin (or create symbolic links). Otherwise, set the KRB5_CONFIG environment variable to point to somePath/krb5/krb5.conf and run the applications out of somePath/krb5/. ARSC does not use the Andrew File System, so the aklog binary can be deleted.

Configuration

General
Each of the Kerberos5/SecurID client kits has a configuration file that lists the Kerberos5 realms and the addresses of their servers. For example, ARSC's realm is ARSC.EDU and our primary Kerberos5 server (KDC) is kdc1.arsc.edu. As distributed by NRL, each kit's configuration file defaults to the HPCMP.NAVY.MIL realm. You can either edit the configuration file included with each kit to make ARSC.EDU the default realm, or download an ARSC-specific configuration file for your platform. Please note that the ARSC-specific configuration files do not contain non-ARSC realms, so you will need to add those manually if you ever need to connect to other realms.
 
Macintosh
The configuration file krb5.conf is stored in /etc. Use your browser's Save Link As... to save the ARSC-specific configuration file:

krb5.conf

as krb5.conf. Once it is saved on your local system, copy the file into /etc. Note that you will need administrator access on your machine to do this.

Windows
The Windows version of the configuration file krb5.ini should replace the version that comes with the Kerberos Kit. The default location for krb5.ini is in C:\Program Files\HPCMP\Kerberos Libraries. Use your browser's Save Link As... to save the ARSC-specific configuration file:

KRB5.INI

in the appropriate location. To edit the NRL version, open KRB5.INI in an editor (such as Notepad) and make the changes listed under Editing.

Unix
Depending on whether or not you have root access to your workstation, krb5.conf will be located in /etc or in the somePath/krb5 directory. Use your browser's Save Link As... to save the ARSC-specific configuration file:

krb5.conf

in the appropriate location. To edit the NRL configuration file, open krb5.conf with a text editor (such as vi) and make the changes listed under Editing.

Editing
For all platforms, the configuration file is a plain text file. These files are also case-sensitive, so, for example, ARSC.EDU is not equivalent to arsc.EDU. Each of the configuration files is divided into several sections:
  • [libdefaults]
  • [realms]
  • [domain_realm]
  • [appdefaults]
  • [capaths]


[libdefaults]
  • All platforms

   change: default_realm = ARSC.EDU
   change: tkt_lifetime = 600     This gives a maximum ticket lifetime of 600 minutes.

[realms]
  • All platforms

   add: kdc = kdc2.arsc.edu to the ARSC.EDU = { } block just under kdc = kdc1.arsc.edu

[domain_realm]
  • No changes are needed in this section

[appdefaults]
  • Windows

   remove: krb5_run_aklog = false
   remove: the CMF.NRL.NAVY.MIL = { ... } block

  • Unix and Macintosh

   remove: krb5_run_aklog = false
   remove: the CMF.NRL.NAVY.MIL = { ... } block
   add:

    xdm = {
        retain_ccache = false
    }
    
    ftpd = {
        default_lifetime = 4h
    }
   
      
[capaths]
  • ARSC is not running any applications that require information from this section. It can be ignored or removed.
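The following script is added here as an example; it is not part of this page or of the NRL/HPCMP kit. It writes the krb5.conf that results from the edits listed under Editing, installs it where the Unix/Linux installation notes say it belongs (/etc as root, next to the kit otherwise), and checks the file for the settings that must be present and the NRL leftovers that must be gone. The realm, KDC names and lifetimes are the ones given on this page; the unpack directory ~/krb5, the [domain_realm] mapping and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ARSC page or the NRL/HPCMP kit: assemble the
# krb5.conf that results from the edits listed under "Editing", install it
# where the Unix/Linux notes say it belongs, and sanity-check the result.
# Realm, KDC names and lifetimes come from the page; the kit directory
# ~/krb5, the [domain_realm] mapping and the helper names are assumptions.

# Print the edited ARSC configuration.  Section and key names are
# case-sensitive, so the realm is written exactly as ARSC.EDU.
arsc_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = ARSC.EDU
    tkt_lifetime = 600

[realms]
    ARSC.EDU = {
        kdc = kdc1.arsc.edu
        kdc = kdc2.arsc.edu
    }

[domain_realm]
    .arsc.edu = ARSC.EDU
    arsc.edu = ARSC.EDU

[appdefaults]
    xdm = {
        retain_ccache = false
    }

    ftpd = {
        default_lifetime = 4h
    }
EOF
}

# install_arsc_krb5_conf TARGET: write the file, world-readable but writable
# only by its owner.  Anyone who can edit krb5.conf can point your clients at
# a KDC of their choosing, so never leave it group- or world-writable.
install_arsc_krb5_conf() {
    arsc_krb5_conf > "$1" && chmod 644 "$1"
}

# check_arsc_krb5_conf FILE: succeed only if the ARSC settings are present and
# the NRL leftovers the page says to remove are gone.
check_arsc_krb5_conf() {
    f=$1
    grep -q '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*ARSC\.EDU[[:space:]]*$' "$f" || return 1
    grep -q '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*kdc1\.arsc\.edu[[:space:]]*$' "$f" || return 1
    grep -q '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*kdc2\.arsc\.edu[[:space:]]*$' "$f" || return 1
    if grep -q 'krb5_run_aklog' "$f"; then return 1; fi
    if grep -q 'CMF\.NRL\.NAVY\.MIL' "$f"; then return 1; fi
    return 0
}

# Usage: sh arsc-krb5-conf.sh [kitdir]
# As root the file goes to /etc/krb5.conf; otherwise it goes next to the kit
# and KRB5_CONFIG has to point at it (see the Unix/Linux installation notes).
main() {
    kitdir=${1:-$HOME/krb5}
    if [ "$(id -u)" -eq 0 ]; then
        target=/etc/krb5.conf
    else
        target=$kitdir/krb5.conf
    fi
    install_arsc_krb5_conf "$target" || exit 1
    check_arsc_krb5_conf "$target" || { echo "check failed: $target" >&2; exit 1; }
    echo "installed $target"
    [ "$target" = /etc/krb5.conf ] || echo "now run: KRB5_CONFIG=$target; export KRB5_CONFIG"
}
case "${0##*/}" in arsc-krb5-conf.sh) main "$@" ;; esac
```

Run it as root to get /etc/krb5.conf, or as an ordinary user to get ~/krb5/krb5.conf plus a reminder to set KRB5_CONFIG. One caveat: tkt_lifetime is the key this page names for the kit; stock MIT Kerberos reads ticket_lifetime in [libdefaults] instead, so if you ever use an unmodified MIT client, rename the key.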

Usage

Macintosh
From the command line, run kinit (or kinit ARSC UserID, if your workstation UserID differs from your ARSC UserID). This will prompt you for your Kerberos5 passphrase and SecurID passcode. The Kerberos Manager can also be used to log in (get a ticket) or log out (destroy any existing tickets); it is located in Applications:Utilities:Kerberos. If your workstation UserID does not match your ARSC UserID, you will also need to give your ARSC UserID to krlogin or ktelnet via the -l option (for example: krlogin -l ARSC UserID lynx.arsc.edu). Once you have a valid ticket you can open multiple sessions to other ARSC systems. See the README file for more information about the Macintosh Kerberos5/SecurID package.
Windows
Start by running the Kerberos Ticket Manager (KRB5.EXE). Enter your ARSC UserID into the Name box, your Kerberos5 passphrase into the Password box, and ARSC.EDU into the Realm box. Once you have clicked Login you will be prompted for your SecurID passcode. If the ticket request is successful, your ticket will be listed in the window. PuTTY may be used to connect to ARSC systems once a valid ticket has been obtained. Further details can be found in the Windows Kerberos5/SecurID kit's README.
Unix
If the krb5.conf file is not in /etc, set the KRB5_CONFIG variable:
sh,ksh,bash: KRB5_CONFIG=somePath/krb5.conf; export KRB5_CONFIG
csh,tcsh: setenv KRB5_CONFIG somePath/krb5.conf
Next, invoke kinit (either by giving its complete path or by adding the kit directory to your PATH variable). If your UserID on your workstation does not match your ARSC UserID, invoke kinit ARSC UserID instead. You will then be prompted for your Kerberos passphrase and SecurID passcode. If kinit successfully created a ticket for you, you can list it by invoking klist.

To connect to an ARSC system (for example, lynx.arsc.edu), use either krlogin or ktelnet; krlogin is the preferred method. As with kinit, if your workstation UserID does not match your ARSC UserID, give your ARSC UserID to krlogin or ktelnet via the -l option (for example: krlogin -l ARSC UserID lynx.arsc.edu). All of these tools, along with kftp, krsh, krcp, and kpasswd, have man pages that can be read on any ARSC system.
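The script below is an added example and is not part of this page or of the kit. It runs the Unix login steps above from one place, checks the ticket cache before opening a session, and, when you are behind a NAT, requests the addressless ticket described under Firewalls in the Notes and verifies that the ticket really carries no addresses. The tool names, host name and realm are the page's; the kit directory ~/krb5, the ARSC_USER and BEHIND_NAT variables, the helper names, and the two klist transcripts (constructed for the checks, not captured from a real session) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ARSC page or the kit: run the Unix login
# steps from one script and check the ticket cache before opening a session.
# Tool and host names and the realm are the page's; the kit directory
# ~/krb5, the ARSC_USER and BEHIND_NAT variables, the helper names and the
# two klist transcripts below (constructed, not captured) are assumptions.

KIT=${KIT:-$HOME/krb5}
REALM=ARSC.EDU

# Put the kit's tools first on PATH and point them at their krb5.conf unless
# it was installed in /etc.
setup_krb5_env() {
    PATH=$KIT:$PATH; export PATH
    if [ ! -f /etc/krb5.conf ] && [ -z "${KRB5_CONFIG:-}" ]; then
        KRB5_CONFIG=$KIT/krb5.conf; export KRB5_CONFIG
    fi
}

# has_tgt KLIST_OUTPUT REALM: succeed if a ticket-granting ticket for REALM
# is listed.
has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# tgt_is_addressless KLIST_OUTPUT REALM: succeed if "klist -a" shows no
# addresses on the TGT, i.e. it was obtained with kinit -A and will still be
# accepted when a NAT rewrites your source address.
tgt_is_addressless() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        index($0, "krbtgt/" realm "@" realm) { tgt = 1; next }
        tgt && /Addresses:/ { ok = ($0 ~ /\(none\)/); exit }
        END { exit (ok ? 0 : 1) }'
}

# arsc_login USER HOST: get a ticket as USER (kinit -fA behind a NAT, plain
# kinit otherwise), verify it, then krlogin to HOST.
arsc_login() {
    user=$1; host=$2
    setup_krb5_env
    if [ -n "${BEHIND_NAT:-}" ]; then
        kinit -fA "$user" || return 1
    else
        kinit "$user" || return 1
    fi
    out=$(klist -a) || return 1
    has_tgt "$out" "$REALM" || { echo "no TGT for $REALM in cache" >&2; return 1; }
    if [ -n "${BEHIND_NAT:-}" ] && ! tgt_is_addressless "$out" "$REALM"; then
        echo "TGT carries addresses; it will be rejected through the NAT" >&2
        return 1
    fi
    krlogin -l "$user" "$host"
}

# Constructed "klist -a" output for exercising the checks offline.
SAMPLE_ADDRESSLESS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@ARSC.EDU

Valid starting     Expires            Service principal
01/15/04 09:00:00  01/15/04 19:00:00  krbtgt/ARSC.EDU@ARSC.EDU
        Addresses: (none)'

SAMPLE_BOUND='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@ARSC.EDU

Valid starting     Expires            Service principal
01/15/04 09:00:00  01/15/04 19:00:00  krbtgt/ARSC.EDU@ARSC.EDU
        Addresses: 192.0.2.10'

# Usage: ARSC_USER=jdoe [BEHIND_NAT=1] sh arsc-login.sh lynx.arsc.edu
case "${0##*/}" in
    arsc-login.sh) arsc_login "${ARSC_USER:?set ARSC_USER}" "${1:?host required}" ;;
esac
```

The addressless check matters because a ticket bound to your pre-NAT address is silently useless once the NAT rewrites the source, and the failure only shows up when krlogin is refused; checking klist -a first makes the cause obvious.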

SSH Clients

If you are unable to install the Kerberos5/SecurID clients onto your workstation (either because you are a foreign national or because no client kit exists for your system), you will need to install an ssh client onto your system to be able to connect to gate.arsc.edu. Please contact User Support if you need to connect via ssh to gate so that we can register you as a gate user and activate your gate account.

Frequently Asked Questions (FAQ)
http://www.employees.org/~satch/ssh/faq/TheWholeSSHFAQ.html
Client Kits
The HPCMP provides Kerberos-enabled ssh client kits for several platforms on its web site. These kits may also be used to connect directly to ARSC machines. To obtain the kit, visit https://www.hpcmo.hpc.mil/security/kerberos// and follow the links for the appropriate platform.

Notes

Windows Client Kit
The Windows client kit will run under any 32-bit version of Windows. This includes Windows 95, 98, NT, 2000, and XP. This kit will not operate with 3.x versions of Windows.
Firewalls
An increasingly common problem for users who want to connect via local Kerberos5/SecurID clients is that many firewalls are set up to block the ports used by Kerberos. A list of the ports used by the Kerberized versions of Telnet, FTP, etc. can be found in NRL's Kerberos FAQ. To access systems through a NAT, you need to get an addressless ticket by executing kinit -fA. Note that an addressless ticket can be used from any host by anyone who obtains a copy of your credential cache, so request one only when you actually need to traverse a NAT. Contact your ISP or site administrator if you think you have a firewall problem. We will add you to the list of ssh gate users if you are unable to resolve a problem with firewalls.

More Information

 

Arctic Region Supercomputing Center
PO Box 756020, Fairbanks, AK 99775 | voice: 907-450-8600 | email:
