This page provides information about authentication using Grid proxies, Kerberos 5 and AFS, both within the NAF and outside it (e.g. CERN or your home institute).
Grid proxy
Kerberos 5
At many sites Kerberos 5 is used for authentication, e.g. if you want to log into a host or access a certain service. Unfortunately, you can only have one active Kerberos 5 ticket at a time. For example, if you have a CERN Kerberos 5 ticket to access the CERN SVN server, you cannot log into another work group server from the same shell, because you lack a NAF Kerberos 5 ticket. You also cannot submit jobs to the batch system.
Usually you can create a Kerberos 5 ticket using your password for the corresponding account. At the NAF everything is done via your Grid certificate and Grid proxy.
Creating a Kerberos 5 ticket
There are different ways to create a Kerberos 5 ticket:
gsissh atlas.naf.desy.de: If you log into the NAF you will get a Kerberos 5 ticket.
kinit, e.g. kinit cernusername@CERN.CH: for a CERN Kerberos 5 ticket. You will be asked for your CERN password.
naf_ticket, e.g. naf_ticket nafusername: This will use your current Grid proxy to create a Kerberos 5 ticket for the NAF. If you do not have a valid proxy, or your proxy was created without the -rfc option, a new one will be created and you need to type in your Grid passphrase.
Swapping the current Kerberos 5 ticket
You can have only one active Kerberos 5 ticket, but you can store more than one Kerberos 5 ticket using different files. You can use this to store your NAF ticket, create a new one for CERN and then swap between them as needed:
# store NAF Kerberos 5 ticket
NAF_KRB5CCNAME=$KRB5CCNAME
# create a new file name for the CERN Kerberos 5 ticket
CERN_KRB5CCNAME=FILE:`mktemp`
# change the file name for the active Kerberos 5 ticket
KRB5CCNAME=$CERN_KRB5CCNAME
# create a new Kerberos 5 ticket for CERN
kinit cernusername@CERN.CH
Now, you have a CERN Kerberos 5 ticket, which is the active one.
You can swap back to the NAF ticket using
KRB5CCNAME=$NAF_KRB5CCNAME
and back to the CERN one using
KRB5CCNAME=$CERN_KRB5CCNAME
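The swap described above, wrapped into small shell helpers that keep each cache file in a private directory and clean it up afterwards. This is an added example, not part of the original page: the function names krb_adopt, krb_new, krb_use and krb_drop and the variable KRB_CACHE_DIR are assumptions, and `klist -s` and `kdestroy -q -c` are the MIT Kerberos options, called only if those tools are installed.

```sh
# Constructed helpers (hypothetical names) for keeping one cache per realm.
krb_name_ok() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }

krb_dir() {     # create a private (0700) directory for the cache files once
    if [ -z "$KRB_CACHE_DIR" ] || [ ! -d "$KRB_CACHE_DIR" ]; then
        KRB_CACHE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_XXXXXX") || return 1
    fi
}

krb_adopt() {   # krb_adopt NAME: remember the currently active cache as NAME
    krb_name_ok "$1" && krb_dir || return 1
    [ -n "$KRB5CCNAME" ] || { echo "no active cache to adopt" >&2; return 1; }
    printf '%s\n' "$KRB5CCNAME" > "$KRB_CACHE_DIR/$1.ref"
}

krb_new() {     # krb_new NAME: allocate an empty 0600 cache and make it active
    krb_name_ok "$1" && krb_dir || return 1
    _cc=$(mktemp "$KRB_CACHE_DIR/$1.XXXXXX") || return 1
    printf 'FILE:%s\n' "$_cc" > "$KRB_CACHE_DIR/$1.ref"
    export KRB5CCNAME="FILE:$_cc"
}

krb_use() {     # krb_use NAME: make NAME's cache the active one
    krb_name_ok "$1" && [ -r "$KRB_CACHE_DIR/$1.ref" ] || {
        echo "unknown cache: $1" >&2; return 1; }
    KRB5CCNAME=$(cat "$KRB_CACHE_DIR/$1.ref"); export KRB5CCNAME
    # MIT klist -s is silent and exits non-zero for a missing or expired ticket
    if command -v klist >/dev/null 2>&1 && ! klist -s; then
        echo "warning: no valid ticket in $KRB5CCNAME" >&2
    fi
}

krb_drop() {    # krb_drop NAME: destroy NAME's tickets and forget the cache
    krb_name_ok "$1" && [ -r "$KRB_CACHE_DIR/$1.ref" ] || return 1
    _cc=$(cat "$KRB_CACHE_DIR/$1.ref")
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -q -c "$_cc" 2>/dev/null || true
    fi
    case "$_cc" in FILE:*) rm -f "${_cc#FILE:}" ;; esac
    rm -f "$KRB_CACHE_DIR/$1.ref"
}
```

Source these into your login shell, run krb_adopt naf, then krb_new cern followed by kinit cernusername@CERN.CH; after that krb_use naf and krb_use cern swap the active ticket, and krb_drop cern removes the CERN ticket when you are done.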
SVN/CVS Server at CERN
CERN SVN Server
ATLAS has been using the CERN SVN server since June 2009. Only ssh authentication is supported. Get a Kerberos 5 ticket for CERN or set up ssh key authentication to avoid typing in passwords. If you have a different username at CERN and NAF, you have to tell ssh what your username at CERN is. Add the following two lines to the file $HOME/.ssh/config
Host *.cern.ch
    User username
where username should be replaced by your CERN username.
If you do not have the file $HOME/.ssh/config, create it using:
touch $HOME/.ssh/config
For more details on this whole topic see http://information-technology.web.cern.ch/book/how-start-working-svn/accessing-svn-repository#accessing-sshlinux