Ryan Kavanagh's /dev/brain

Several people have asked me over the past months how to simultaneously authenticate against multiple Kerberos realms and how to hook this up with AFS. To help with this, I’ve decided to write it all up once and for all. For the sake of example, I’m going to assume that you want to authenticate against the realms ANDREW.CMU.EDU and CS.CMU.EDU using the username gandalf.

The first step is to set your Kerberos credentials cache to be a directory so that individual Kerberos tickets from different realms do not conflict each other. I use the directory ${HOME}/.cache/krb5cc, but you can set this to whatever you would like. Make sure that the directory exists. Then add the following line to your ~/.profile (or other appropriate shell configuration file):

export KRB5CCNAME=DIR:${HOME}/.cache/krb5cc # kerberos credentials cache

For more details on this environment variable, see the Credential cache page in the MIT Kerberos documentation.

Next, I define an alias kinits that lets me get new tokens from multiple realms. I pass the -r 200h argument to kinit that lets me renew my tokens for up to 200 hours (about 8 days) without having to re-enter my password. Again, add the following to your shell configuration file:

alias kinits="kinit -r 200h -f rkavanag@CS.CMU.EDU && kinit -r 200h -f rkavanag@ANDREW.CMU.EDU"

Once you have your tokens (using the kinits alias), you should see that your tokens for each realm are split into two different cache files:

rak@zeta:~$ klist -A
Ticket cache: DIR::/home/rak/.cache/krb5cc/tktqina73
Default principal: gandalf@ANDREW.CMU.EDU

Valid starting       Expires              Service principal
2020-01-09 15:51:46  2020-01-10 15:51:44  krbtgt/ANDREW.CMU.EDU@ANDREW.CMU.EDU
		renew until 2020-01-17 23:51:44

Ticket cache: DIR::/home/rak/.cache/krb5cc/tktUhVKu8
Default principal: gandalf@CS.CMU.EDU

Valid starting       Expires              Service principal
2020-01-09 15:51:44  2020-01-10 15:51:42  krbtgt/CS.CMU.EDU@CS.CMU.EDU
		renew until 2020-01-17 23:51:42

Next, I define the following two helper functions rkinits and aklogs in my shell. The rkinits function renews all of my kerberos tokens without needing my password. aklogs refreshes my AFS tokens using my kerberos tokens. The club.cc.cmu.edu line in aklogs also refreshes my AFS tokens on that host using my existing Kerberos tokens. You should drop it if you do not have an account on that host. You should put these in a configuration file read by each invocation of your shell so that cron can find them (see below).

aklogs () {
	for r in CS.CMU.EDU ANDREW.CMU.EDU; do
		KRB5CCNAME=`KRB5CCNAME=DIR:$HOME/.cache/krb5cc klist -l | grep $r | sed -e s'/.*:://g'` aklog -c $r -k $r
	done
	KRB5CCNAME=DIR:$HOME/.cache/krb5cc aklog club.cc.cmu.edu
}
rkinits () {
	for r in CS.CMU.EDU ANDREW.CMU.EDU; do
		KRB5CCNAME=`KRB5CCNAME=DIR:$HOME/.cache/krb5cc klist -l | grep $r | sed -e s'/.*:://g'` kinit -R rkavanag@$r
	done
	KRB5CCNAME=DIR:$HOME/.cache/krb5cc aklogs
}

After calling aklogs, I then see the following AFS tokens, again split up by realm into two different cache files:

rak@zeta:~$ klist -A
Ticket cache: DIR::/home/rak/.cache/krb5cc/tktqina73
Default principal: gandalf@ANDREW.CMU.EDU

Valid starting       Expires              Service principal
2020-01-09 15:51:46  2020-01-10 15:51:44  krbtgt/ANDREW.CMU.EDU@ANDREW.CMU.EDU
		renew until 2020-01-17 23:51:44
2020-01-09 15:54:27  2020-01-10 15:51:44  afs/andrew.cmu.edu@ANDREW.CMU.EDU
		renew until 2020-01-17 23:51:44
2020-01-09 15:54:27  2020-01-10 15:51:44  krbtgt/CLUB.CC.CMU.EDU@ANDREW.CMU.EDU
		renew until 2020-01-17 23:51:44
2020-01-09 15:54:27  2020-01-10 15:51:44  afs/club.cc.cmu.edu@CLUB.CC.CMU.EDU
		renew until 2020-01-17 23:51:44

Ticket cache: DIR::/home/rak/.cache/krb5cc/tktUhVKu8
Default principal: gandalf@CS.CMU.EDU

Valid starting       Expires              Service principal
2020-01-09 15:51:44  2020-01-10 15:51:42  krbtgt/CS.CMU.EDU@CS.CMU.EDU
		renew until 2020-01-17 23:51:42
2020-01-09 15:54:27  2020-01-10 15:51:42  afs@CS.CMU.EDU
		renew until 2020-01-17 23:51:42

I have a crontab entry that renews my tokens once an hour. This lets me go a week without having to enter my password to get Kerberos working. Once I reach the renewal limit, I just manually call kinits. To edit your list of crontab entries, go crontab -e. You will need to make sure that the shell that you use reads the config file containing aklogs and rkinits. For example, if you are using ksh, then the ENV environment variable should point to the file containing aklogs and rkinits.

0 * * * * zsh -c "rkinits"

I have the following in my ~/.ssh/config. Setting GSSAPIAuthenticate yes lets me use Kerberos tokens to authenticate to authenticate against the listed hosts. Setting GSSAPIDelegateCredentials yes lets the remote host automatically mount my home directory over AFS when I log in without needing me to enter my password.

Host unix.andrew.cmu.edu linux.gp.cs.cmu.edu
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes
	User gandalf

As always, feel free to reach out to me if you have any questions.

Comments: To comment on this post, send me an email following the template below. Your email address will not be posted, unless you choose to include it in the link: field. If your web browser is configured to handle mailto: links, click comment to load the template into your mail client.

To: Ryan Kavanagh <rak@rak.ac>
Subject: [blog-comment] /blog/2020-01-11-on-using-multiple-kerberos-realms-and-afs/

post_id: /blog/2020-01-11-on-using-multiple-kerberos-realms-and-afs/
author: [How should you be identified? Usually your name or "Anonymous"]
link: [optional link to your website]

Your comments here. Markdown syntax accepted.

On using multiple Kerberos realms and AFS

0 Comments