Carnegie Mellon University School of Computer Science

Kerberos

Kerberos is a network-based authentication system that is used by many programs (login, ssh, rsh, and others) to provide secure authentication. We use Kerberos because it provides a degree of protection against network snooping and other attacks, and allows one to use a single password for logging in to multiple hosts (and instance passwords for other tasks).

Authentication & tickets

When you type your password at a service that uses Kerberos (for example, when you log in to a Linux (Dragon) host), your password is used to verify to the Kerberos server that you are who you say you are. This is done in a way that does not send your password over the network. Once your identity is verified (i.e. you typed in the correct password), the Kerberos server sends back a ticket. Tickets have limited lifetimes and are used as credentials to obtain services or additional tickets.

Kerberos principals, instances, and realms

Any ticket is assigned to a unique principal. A Kerberos principal consists of three parts:

primary

For users, this can be considered to be the same as your SCS Unix userid (e.g. "bovik").

instance

A way to "qualify" the primary. For example, in SCS common instances are mail, remote, and root.

realm

A Kerberos realm corresponds to an organizational unit and associated Kerberos database. It is usually written in uppercase (and is case sensitive). The SCS Kerberos realm is CS.CMU.EDU.

Principals are written in full as:

primary/instance@REALM

For example:

bovik/mail@CS.CMU.EDU

In some cases, one might see them written with a "." instead of a "/"; this was the syntax for the previous version of Kerberos (note that the AFS fs command will only accept instance names that use a "." when adding such instances to AFS ACLs). In many cases the realm is omitted, since it defaults to the realm that the machine you are using belongs to.
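As an added example (not part of the SCS page), the following Python parser handles the principal syntax described above: it accepts both the current "/" form and the legacy "." form, fills in CS.CMU.EDU when the realm is omitted (as happens on SCS hosts), and produces the "."-separated name that AFS ACLs require. The Principal class and parse_principal function are illustrative names, not SCS tools.

```python
# Added example: parse SCS-style Kerberos principal names into primary,
# instance and realm. Not part of the SCS page or any Kerberos distribution.
from dataclasses import dataclass
from typing import Optional

# Realm of "the machine you are using"; the SCS realm named on the page.
DEFAULT_REALM = "CS.CMU.EDU"


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    def canonical(self) -> str:
        """Current Kerberos syntax: primary/instance@REALM (instance optional)."""
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"

    def afs_name(self) -> str:
        """Legacy "." form, which is what AFS accepts when adding an instance to an ACL."""
        return self.primary if self.instance is None else f"{self.primary}.{self.instance}"


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Parse "primary[/instance][@REALM]" or legacy "primary[.instance][@REALM]".

    Realms are case sensitive, so the realm part is kept exactly as written.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty principal")
    # Split off the realm; exactly one "@" is allowed and it must be followed by a realm.
    name, sep, realm = text.partition("@")
    if sep and not realm:
        raise ValueError(f"missing realm after '@' in {text!r}")
    if "@" in realm:
        raise ValueError(f"more than one '@' in {text!r}")
    realm = realm or default_realm
    # Current syntax separates primary and instance with "/"; the previous
    # Kerberos version used ".". A "/" wins, so dotted host instances survive.
    if "/" in name:
        primary, instance = name.split("/", 1)
    elif "." in name:
        primary, instance = name.split(".", 1)
    else:
        primary, instance = name, None
    if not primary or instance == "":
        raise ValueError(f"malformed principal {text!r}")
    return Principal(primary, instance, realm)
```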

Security and Kerberos

One way Kerberos adds to security is that the process of getting a ticket from the Kerberos server does not send your password over the network. However, Kerberos does not protect against other forms of attack, such as somebody sniffing your keystrokes or snooping non-encrypted traffic between you and the process that you are authenticating to.

How to manage your Kerberos password

Note: The primary SCS interface for managing Kerberos instances is the interactive, Web-based instance manager. If you prefer a command-line interface, you can run remctl on any Facilitized Unix host.

Use the web-based Kerberos Password Change interface to change the password of your Kerberos null instance: https://webiso.cs.cmu.edu/password

Change your Kerberos password

To change your main SCS Kerberos password, please follow these steps:

  1. Log in to the Instance Manager at https://webiso.cs.cmu.edu/instance
  2. Click the Change password link at the top
  3. Enter your current SCS Kerberos password
  4. Enter and confirm your new SCS Kerberos password
  5. Click Change Password

Your main SCS Kerberos password is used for: WebISO with your @CS.CMU.EDU account and logging in to linux.gp.cs.cmu.edu and other SCS Linux machines.

The Instance Manager page provides more information on this interface and its functionality. If you have forgotten your Kerberos password or your /root instance password, you must stop by the SCS Help Desk with a photo ID to have them changed. Remote password resets are possible on a case-by-case basis and need to be scheduled in advance. Contact us to request a remote password reset should you not be able to visit us in person.

How to authenticate to Kerberos

When you authenticate to the Kerberos server, you receive limited-lifetime credentials that programs then use to prove your identity when you request services.

To authenticate on Facilitized Unix hosts

The kinit command, located in /usr/local/bin, is used to authenticate to Kerberos on Facilitized Unix hosts. For example, the command:

kinit username

would prompt you for the SCS Kerberos password for the userid you give in place of "username" (e.g. "bovik") and authenticate you if you enter the correct password. You can use the same command to authenticate as a Kerberos instance, for example: "username/root". The klist command is used to list the Kerberos tickets that one has.

To authenticate on a Windows PC

Kclient is the Kerberos authentication program on Windows. It can be obtained from our software distribution server Monolith in the "pc_dist\mit" folder, and should already be installed on most SCS PCs as part of our baseline Windows environment.

How to troubleshoot common Kerberos problems

Some common reasons for Kerberos authentication problems are:

The host cannot reach the Kerberos servers.

Kerberos authentication to the CS.CMU.EDU realm requires that the host be able to communicate over the network with our Kerberos servers, kerberos-1.srv.cs.cmu.edu and kerberos-2.srv.cs.cmu.edu.

The time on the client host is wrong.

To prevent replay attacks, the time on the client must be within a few minutes of the time on the Kerberos server.

The client host is out of disk space on /.

Facilitized Unix hosts use the directory /tkt to store ticket files. If / is full, you will receive an authentication error.

The client host is in the wrong realm.

Client hosts will try to authenticate to a default realm if one is not explicitly given. Try giving an explicit realm when you authenticate, e.g. username@CS.CMU.EDU.

If you have trouble accessing a Kerberized service that you had previously authenticated to, you should check to see if your tickets have expired. Kerberos tickets have limited lifetimes for security reasons. You can use the klist program to list your tickets and their expiration dates, and the kinit program to re-authenticate.