Contents

Grid proxy
Kerberos 5
1. Creating a Kerberos 5 ticket
2. Swapping the current Kerberos 5 ticket
SVN/CVS Server at CERN
1. CERN SVN Server
AFS

This page will provide information about authentication using grid proxies, Kerberos 5 and AFS within the NAF and outside (e. g. CERN or your home institute).

Grid proxy

Kerberos 5

At many sites Kerberos 5 is used for authentication, e. g. if you want ot log into a host or access a certain service. Unfortunately, you can only have one active Kerberos 5 ticket at the time. For example, if you have a CERN Kerberos 5 ticket to access the CERN SVN server, you can not log into another work group server from the same shell, because of the lack of a NAF Kerberos 5 ticket. You can also not submit jobs to the batch system.

Usually you can create a Kerberos 5 ticket using your password for the corresponding account. At the NAF everything is done via your Grid certificate and Grid proxy.

Creating a Kerberos 5 ticket

There are different ways to create a Kerberos 5 ticket:

gsissh atlas.naf.desy.de: If you log into the NAF you will get a Kerberos 5 ticket.
kinit, e. g. kinit cernusername@CERN.CH: for a CERN Kerberos 5 ticket. You will be asked for you CERN password.
naf_ticket, e. g. naf_ticket nafusername: This will use your current Grid proxy to create a Kerberos 5 ticket for the NAF. If you do not have a valid one or one without the -rfc option, a new one will be created and you need to type in your Grid passphrase.

Swapping the current Kerberos 5 ticket

You can have only one active Kerberos 5 ticket, but you can store more than one Kerberos 5 ticket using different files. This feature you can use to store your NAF ticket, create a new one for CERN and then swap between them as needed:

# store NAF Kerberos 5 ticiket
NAF_KRB5CCNAME=$KRB5CCNAME
# create a new file name for the CERN Kerberos 5 ticket
CERN_KRB5CCNAME=FILE:`mktemp`
# change the file name for the active Kerberos 5 ticket
KRB5CCNAME=$CERN_KRB5CCNAME
# create a new Kerberos 5 ticket for CERN
kinit cernusername@CERN.CH

Now, you have a CERN Kerberos 5 ticket, which is the active one.

You can swap back to the NAF ticket using

KRB5CCNAME=$NAF_KRB5CCNAME

and back to the CERN one using

KRB5CCNAME=$CERN_KRB5CCNAME

SVN/CVS Server at CERN

CERN SVN Server

ATLAS is using the CERN SVN server since June 2009. Only ssh authentication is supported. Get a kerberos 5 ticket for CERN or set up ssh key authentication to avoid typing in passwords. If you have a different username at CERN and NAF, you have to tell ssh, what your username at CERN is. Add the following two lines to the files $HOME/.ssh/config

Host *.cern.ch
user username

where username should be replaced by your CERN username.

If you do not have the file $HOME/.ssh/config, create it using:

touch $HOME/.ssh/config

For more details on this whole topic see http://information-technology.web.cern.ch/book/how-start-working-svn/accessing-svn-repository#accessing-sshlinux

AFS

ATLAS: WorkBook/NAF/Authentication (last edited 2013-07-26 14:06:05 by DavidSouth)