Information about the use of Kerberos at the SDCC

The Kerberos Network Authentication Protocol is used by the SDCC to provide password-based authentication of users for many SDCC services. For most purposes at the SDCC users do not directly interact with Kerberos, it is only used behind the scenes as a password verification service. However, there are three situations where the users directly interact with Kerberos; when using the AFS file systems at the SDCC, when using the GSSAPI enabled ssh for interactive "single sign-on" and when using the Kerberos based interfaces to HPSS.

AFS, HPSS, and GSSAPI enabled ssh to use the Kerberos Ticket Granting Ticket (TGT) to verify the identity of a user. A TGT is obtained by using the Kerberos kinit command to authenticate to the Kerberos server. Once a TGT is obtained, a user can obtain an AFS token by running the aklog command (assuming that the system is an AFS client). With a TGT, a user can also log into other systems within the SDCC using a GSSAPI enabled ssh, without typing additional passwords. In addition, the user will have a TGT on the destination system, which will be automatically used to obtain an AFS token, if AFS is running on the system. Finally, when using the Kerberos-based interfaces to HPSS, a TGT is used to authenticate the user. One item to note is the TGT has a limited lifetime (5 days from initial authentication at the SDCC).

There are two separate Kerberos authentications "realms" at the SDCC; the RHIC.BNL.GOV Kerberos realm is used to authenticate RHIC/LSST users, the USATLAS.BNL.GOV Kerberos realm is used to authenticate US Atlas users. RHIC/LSST systems at the SDCC utilize the RHIC.BNL.GOV realm and as a result, the full functionality mentioned in the previous paragraph only works within the RHIC "universe", consisting of the rhic.bnl.gov AFS cell, the RHIC.BNL.GOV Kerberos realm, and RHIC/LSST servers. Similarly, for US Atlas users, full functionality works only within the US Atlas "universe", consisting of the usatlas.bnl.gov AFS cell, the USATLAS.BNL.GOV Kerberos realm, and US Atlas servers. There are selected services, most notably HPSS, that will accept TGT's from either Kerberos realm.