All access to ARSC systems is controlled by
Kerberos5/SecurID. This includes locally logging in to any ARSC
system at the console. To log in using the Kerberos5/SecurID
enhanced XDM:
Move the mouse around to wake up the screen-blanker. You should
see a dialog box similar to this:
pike.arsc.edu(Irix 6.5)
Login: Principle: Password:
Respond as follows:
'Login:'
Enter your standard ARSC UserID.
'Principle:'
Leave this blank. It is only needed if you are
authenticating with a remote server (for example:
joe@WES.HPC.MIL).
'Password:'
Enter your Kerberos passphrase.
'Passcode:'
After you have entered your Kerberos passphrase, this prompt
will appear. Obtain your 6-digit passcode by entering your 4-digit
PIN into your SecurID card, and pressing the diamond-shaped key.
Your card should now be displaying a valid 6-digit
passcode.
If your authentication was successful, your workstation will
now finish logging you in and will bring up your desktop
environment. Your workstation also has all of the Kerberized
clients on it (ktelnet, krlogin, kftp, etc.) so that you can
connect to other ARSC systems.
If you have to leave your workstation while logged in, be sure
to invoke the screen-locking application by giving the
xlock command. To clear xlock you will again
need to supply your Kerberos5 passphrase and a new, valid SecurID
passcode.
Remote login to ARSC systems
Since access to all ARSC systems (with the exception of
gate.arsc.edu) is controlled by Kerberos5/SecurID, you will
need to either install a local copy of the Kerberos5/SecurID
clients onto your own workstation or connect via ssh
to gate and use the clients installed there. ARSC strongly
discourages the use of gate to login to our systems and provides
gate as a "last resort" for our users who are unable to
obtain/install the Kerberos5/SecurID clients or who are behind
certain types of firewalls. You will need to contact our User Support if you need to be added to the
list of authorized gate users.
Following the instructions for your specific system found in the
Usage section of Obtaining and
Installing Kerberos5 Clients, obtain a valid Kerberos5 ticket
and then open a connection to an ARSC system. Available ARSC
systems are listed on our Real-Time Host
Status page.
ssh
For those users unable to obtain/install the Kerberos5/SecurID
clients or who are having firewall difficulties, we can activate an
account for you on gate.arsc.edu. You will then connect via ssh
to gate where you can create an ARSC.EDU realm Kerberos5 ticket and use the
Kerberos5/SecurID clients located there to connect to other systems. This option
is strongly discouraged and generally only temporary.
See our Kerberos5/SecurID
Installation page for links and information on how to obtain
ssh software for your PC/Workstation. Once you have installed ssh
and ARSC has activated your account on gate, you should be able to
connect. As soon as you connect to gate, you will be asked for a valid password
and passcode.
The prompts and responses are:
Kerberos Principal Name [user]:
Enter your username or hit enter to accept default
Password for user@ARSC.EDU:
Enter your Kerberos5 passphrase here
Passcode:
Enter a valid SecurID passcode
Please enter a system name or command>
Enter a valid command or host from the listing
Changing Your Kerberos Passphrase
Unix/Linux Clients:
Installed along with kinit, krlogin,
etc., on your Unix or Linux host should be a copy of "kpasswd."
Invoke it with your Kerberos principal. For instance:
$ kpasswd user@ARSC.EDU
You will be prompted for your old passphrase, a new passcode
from your SecurID card, and finally, the new desired passphrase
(twice).
PC Clients:
Click the "change password" button in the "KRB5.EXE" dialog
window.
Common Problems:
Firewalls:
If you're behind a firewall, note that while port 88 must be
opened up to use kinit, ktelnet, and krlogin, an additional port,
749, must be opened up to use kpasswd.
Misleading error messages:
Entering a bad passcode can result in a message like this:
kpasswd: Cannot establish a session with the Kerberos
administrative server for realm ARSC.EDU.
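A triage sketch for the two problems above, added here as an example and not ARSC's own tooling: it probes the two ports named under Firewalls and uses the result to decide whether the kpasswd error points at a filtered port or at the passcode. The KDC host name is supplied by the caller (none is given on this page), the diagnosis labels are invented for the example, and the probe covers TCP only.

```shell
#!/bin/sh
# Ports as stated on this page: 88 for kinit/ktelnet/krlogin, plus 749 for kpasswd.
KDC_PORT=88
KPASSWD_PORT=749

# probe HOST PORT -> prints "open" or "blocked".
# TCP connect only, 3-second timeout; UDP reachability is not tested.
probe() {
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo blocked
    fi
}

# classify ERROR_TEXT STATE_88 STATE_749 -> prints a diagnosis label.
# The labels are invented for this example.
classify() {
    case "$1" in
        *"Cannot establish a session with the Kerberos"*) ;;
        *) echo unrecognized-error; return 0 ;;
    esac
    if [ "$3" = blocked ]; then
        echo firewall-749        # kpasswd's extra port is filtered
    elif [ "$2" = blocked ]; then
        echo firewall-88         # the port every Kerberos client needs is filtered
    else
        echo check-passcode      # both ports reachable: retry with a fresh passcode
    fi
}

# triage KDC_HOST ERROR_TEXT -> probes both ports and prints one summary line.
triage() {
    s88=$(probe "$1" "$KDC_PORT")
    s749=$(probe "$1" "$KPASSWD_PORT")
    echo "tcp/$KDC_PORT=$s88 tcp/$KPASSWD_PORT=$s749 diagnosis=$(classify "$2" "$s88" "$s749")"
}

# Runs only when asked: sh triage.sh --triage <kdc-host> "<kpasswd error text>"
if [ "${1:-}" = "--triage" ]; then
    triage "$2" "$3"
fi
```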
Options for ARSC Users without SGI Accounts:
If, due to a firewall or other problem, you can't get your
password changed from your local workstation/PC, we can set up
your ARSC SGI account (and inactivate it again when you're done).
Contact: User Support.
Changing Your SecurID PIN
You can obtain a new PIN at any time. You might suspect your
current PIN has been compromised or you may have forgotten it.
You can't choose your own PIN; it will be generated for you, at
random, by your card. Call User
Support, with your SecurID card in hand, and a consultant
will guide you through the process. It takes about a minute.
More Information
Contact User Support if
you encounter any problems.
Arctic Region
Supercomputing Center
PO Box 756020, Fairbanks, AK 99775 | voice: 907-450-8600 | email: