Installing Kerberos on your Linux System(s)

These instructions are for RedHat Linux only. If you are running other flavors of Linux that are not supported by FNAL then see item 9 at the end of this document.

  1. You need a host/ftp principal for each machine that will need to receive incoming kerberized connections. If you only plan to use the machine to connect TO FNAL but never want to connect TO it using Kerberos, then you don't need a host principal; you just need to install the client software.
    Here is the form that you need to complete.
    If you already have your principal then just request the host/ftp principal(s). You will need one application per machine.
    See the instructions on applying for your personal principal and CRYPTOCard.
  2. You will receive email notification when the principal is created and a key to use during installation.
  3. Follow the instructions for installing kerberos and ssh.
  4. Offsite machines are allowed to continue to use un-kerberized ssh, so you need to edit /etc/sshd_config to re-enable this access, because the installation turned it off. On-site machines must run kerberized ssh; this includes Soudan. On-site machines can continue to work in a dual (regular ssh and kerberos) mode for a while in order to ease the transition.
    ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
    ##RhostsRSAAuthentication yes
    RhostsRSAAuthentication no
    ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
    ##RSAAuthentication yes
    RSAAuthentication no
    ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
    PasswordAuthentication yes
    ##PasswordAuthentication no
    Re-enable however many of these you use. This example just turns password authentication back on.
    By default telnet is set up to NOT forward tickets. You may wish to change this by editing /etc/krb5.conf.
    In the [appdefaults] section, modify the telnet entry:
    	telnet = {
    		forward = true
    	}
  5. There is additional useful sysadmin information in the online manual, which tells you, for example, how to grant root access when you log in from somewhere other than the console. There is also information on adding your domain to /etc/krb5.conf when you are not in which will be the case for most people trying to install the software.
  6. Finally reboot your machine.
  7. Much more detail can be found in the online manual
    Many of the links mentioned in this document can be found in the online manual. A quick reference card has been created which is available online.

  8. There is a mailing list which is a good place to try if you get stuck. You can also contact the Helpdesk.

  9. What if you aren't using RedHat? There are instructions for getting the MIT version or installing the FNAL version from the cvs sources. Installing from the sources is preferable because then you get the FNAL customizations and configuration files.
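
One way to check the result of the step 4 edit, as an added example that is not part of the original instructions or of krb5-fermi-config. It assumes OpenSSH-style parsing (keywords are case-insensitive and the first uncommented occurrence wins); the function names are hypothetical and the sample file is constructed from the excerpt in step 4.

```sh
#!/bin/sh
# Added example (not FNAL code): report the effective authentication settings
# in an sshd_config after the step 4 edit.
# Assumption: OpenSSH-style parsing, where keywords are case-insensitive and
# the first uncommented occurrence of a keyword is the one that takes effect.

# effective_auth FILE: print "Keyword value" for each of the three keywords
# from step 4, taking only the first uncommented occurrence.
effective_auth() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }   # skip "#" and "##" lines and blanks
        {
            k = tolower($1)
            if (k ~ /^(rhostsrsa|rsa|password)authentication$/ && !(k in seen)) {
                seen[k] = 1
                print $1, tolower($2)
            }
        }' "$1"
}

# duplicate_auth FILE: print any *Authentication keyword that is set more than
# once uncommented, i.e. a later hand-edit that is silently ignored.
duplicate_auth() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }
        { k = tolower($1) }
        k ~ /authentication$/ && ++n[k] == 2 { print $1 }' "$1"
}

# Constructed sample: the step 4 excerpt plus a stray hand-edited line at the end.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
## MODIFIED by krb5-fermi-config 1.4 05Jul2001
##RhostsRSAAuthentication yes
RhostsRSAAuthentication no
## MODIFIED by krb5-fermi-config 1.4 05Jul2001
##RSAAuthentication yes
RSAAuthentication no
## MODIFIED by krb5-fermi-config 1.4 05Jul2001
PasswordAuthentication yes
##PasswordAuthentication no
PasswordAuthentication no
EOF

echo "Effective settings:";  effective_auth "$sample"
echo "Set more than once:";  duplicate_auth "$sample"
```

On an on-site machine, which must run kerberized ssh, the same report shows at a glance which non-Kerberos methods are still switched on during the dual-mode period.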

