An AFS token is a Kerberos Fatal errors are logged with level LOG_ERR. If you are using csh or tcsh shell, use the following command. Run in daemon mode to keep a ticket alive indefinitely. To be safe, renew the ticket above twice a day until its expiration: Kerberos is an authentication service. ~/.ssh/config file: Replace host with exactly what you type on the ssh command line. Ignore errors in renewing the ticket and keep running. Note the similarities and differences with UCAR's DNS domain, ucar.edu. For these examples, assume a user "someuser" with uid (scientist number) 1234. When run without any arguments, it just attempts to renew the existing ticket-granting ticket in the current ticket cache, equivalent to kinit -R, but it can optionally run a program like aklog to refresh AFS tokens, can run as a daemon and wake up periodically to renew the ticket cache, or can run a specified command and keep renewing the ticket cache until the command finishes (or renewal is no longer possible). This file is offered as-is, without any warranty. unlog destroys your AFS tokens. It will have to report any errors via some other mechanism for the errors to be seen. See Managing files with HSI for how to use HSI commands. they expire. Note: Stanford used to provide wrappers called klogin and The program reawakens after minutes minutes, checks if the ticket will expire before or less than two minutes before the next scheduled check, and renews the ticket if needed. above, so you may want t. © Copyright Stanford University. This is an alternative to -a to ensure that tickets always have a certain minimal amount of lifetime remaining. Once your HSI session starts, exit (or quit) immediately. Role principals support both long-term unattended file transfers and group logins.
If it is not set by default on your system, create a file named That file should be a single line, listing your Stanford Kerberos Finally, kdestroy destroys your Kerberos ticket cache and Click on the Renew Tickets button, choose Renew Tickets from the Tickets menu, or press
forward forwardable tickets (so that you can then forward tickets from All messages will be logged with facility LOG_DAEMON. If the environment variable AKLOG is set, its value will be used as the program to run with -t rather than the default compiled into krenew. If you are using Korn shell, use the following command. If the environment variable KINIT_PROG is set, it overrides the compiled-in default.
a service on that remote system, such as AFS, you won't be able to. Principals are quite flexible and usually are administered according to site-adopted conventions. Normally, krenew exits as soon as the ticket cache either disappears or the tickets run out of renewable lifetime. Errors that don't cause krenew to terminate when run with -i are logged with level LOG_WARNING. Once you have the renewable ticket, you can put the renewal in a script and cron it. krenew [-a b h i L s t v x] [-c child pid file] [-H minutes] [-K minutes] [-k ticket cache] [-p pid file] [command...] Description. If the -k option is used, KRB5CCNAME will be set to point to the ticket file before running the aklog program or any command given on the command line. This can be found in the Utilities folder: Double-click on the Terminal application to launch it. wrappers are therefore no longer required. You can usually If you see any other domain name here, you are in a different default domain and hsi will not work. you trust that system to protect your identity, you can also forward your ".stanford.edu" on the end.). Kerberos.) To start over, enter kdestroy to empty your ticket cache. If this flag is given, krenew will also change directories to /. Kerberos identity to the remote system. (If the propagated signal causes the child process to exit, krenew will then exit.) Note that, when used with -b the PID file is written out after krenew is backgrounded and changes its working directory to /, so relative paths for the PID file will be relative to / (probably not what you want). If you use an AFS home This is useful when debugging problems in combination with -b. This can be useful if it's pointless for the command to keep running without Kerberos tickets.
Requesting a renewable ticket can make it easier for you to make unattended transfers.
krenew [-abhiLstvx] [-c child pid file] [-H minutes] [-K minutes] [-k ticket cache] [-p pid file] [command ...]. This argument is only valid in combination with either -K or a command to run. If an error occurs in refreshing the ticket cache that doesn't cause krenew to exit, the wake-up interval will be shortened to one minute and the operation retried at that interval for as long as the error persists. Obtain a new AFS token each time the ticket has to be renewed. You may receive Run The ticket cache is placed in different places on different machines. Stanford is The command to renew a ticket is: $ kinit -R You will not be asked for your Kerberos passphrase in this case. of your credentials from the system. due to the load-balancing. local username is different from your SUNet ID, you will need to tell Normally, krenew exits as soon as it fails to renew the Kerberos ticket cache. To avoid storing your ticket in a /tmp directory as shown above, you can define the environment variable KRB5CCNAME to specify the name of the credentials cache file. Kerberos client libraries exist that need to be installed on your local machines that allow you (or a service) to have client/server interactions with the KDC that authenticates you. canonicalization which works around the rlogin and rsh bug mentioned Kerberos v4 is now obsolete, and those Obtaining tickets. To use HSI on some NCAR systems that are outside of the supercomputing environment, you will need to use Kerberos credentials as described here. To find the current best host, requests renewal of the ticket-granting ticket.
Normally, when running a command or when run with the -K option, krenew keeps running even if it fails to renew the ticket cache as long as the ticket cache still exists and appears to be renewable. HSI will then issue you its own tickets which grant you access to the HSI service itself. If your account is older, you may have to create it and make (In other words, it ensures that the ticket will always have a remaining lifetime of at least two minutes.) It is given to you by a special service principal with the name "krbtgt/[email protected].". This document addresses only interactive use of HSI based on the Kerberos principal that matches your UCAR username. 2. The following commands will work if you There are differences in how this is handled. Check whether Regular messages that are displayed on standard output are logged with level LOG_NOTICE. If you aren't authenticated, and you invoke HSI, it will execute a kinit for you, and the KDC will prompt you for your Kerberos principal and password. Use of this flag on Mac OS X without specifying a file-based ticket cache by either using -k or setting KRB5CCNAME will probably not do what you want.
These are common Kerberos conventions for naming principals.