This page will provide information about authentication using grid proxies, Kerberos 5 and AFS within the NAF and outside (e.g. CERN or your home institute).

= Grid proxy =

= Kerberos 5 =

At many sites Kerberos 5 is used for authentication, e.g. if you want to log into a host or access a certain service. Unfortunately, you can only have one active Kerberos 5 ticket at a time. For example, if you have a CERN Kerberos 5 ticket to access the CERN SVN server, you cannot log into another work group server from the same shell, because you lack a NAF Kerberos 5 ticket. You also cannot submit jobs to the batch system.

Usually you can create a Kerberos 5 ticket using your password for the corresponding account. At the NAF everything is done via your Grid certificate and Grid proxy.

== Creating a Kerberos 5 ticket ==

There are different ways to create a Kerberos 5 ticket:

 * `gsissh atlas.naf.desy.de`: If you log into the NAF you will get a Kerberos 5 ticket.
 * `kinit`, e.g. `kinit cernusername@CERN.CH`: for a CERN Kerberos 5 ticket. You will be asked for your CERN password.
 * `naf_ticket`, e.g. `naf_ticket nafusername`: This will use your current Grid proxy to create a Kerberos 5 ticket for the NAF. If you do not have a valid proxy, or have one that was created without the `-rfc` option, a new one will be created and you need to type in your Grid passphrase.

== Swapping the current Kerberos 5 ticket ==

You can have only one active Kerberos 5 ticket, but you can store more than one Kerberos 5 ticket using different files.
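The swap between ticket files described in this section can be wrapped in a few shell functions that keep every cache in one private directory and remember which file belongs to which site. This is an added example, not a NAF or CERN tool; the `krb_*` function names, the `KRB5_CACHE_DIR` variable and the labels `NAF` and `CERN` are assumptions of the example.

```shell
#!/bin/sh
# Added example: krb_* names and KRB5_CACHE_DIR are assumptions, not NAF tools.
# Typical session:
#   krb_remember NAF; krb_use CERN; kinit cernusername@CERN.CH; krb_use NAF

# Create a private (mode 0700) directory once per shell for the cache files.
krb_init() {
    if [ -n "${KRB5_CACHE_DIR:-}" ] && [ -d "$KRB5_CACHE_DIR" ]; then
        return 0
    fi
    KRB5_CACHE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc.XXXXXX") || return 1
    chmod 700 "$KRB5_CACHE_DIR"
}

# Labels become file names, so allow only letters, digits, '_' and '-'.
krb_valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Remember the cache that is active right now (e.g. the NAF login ticket).
krb_remember() {
    krb_valid_label "$1" || return 2
    [ -n "${KRB5CCNAME:-}" ] || return 1
    krb_init || return 1
    printf '%s\n' "$KRB5CCNAME" > "$KRB5_CACHE_DIR/$1.name"
}

# Make the cache for a label the active one; new labels get a fresh file name.
krb_use() {
    krb_valid_label "$1" || return 2
    krb_init || return 1
    if [ -f "$KRB5_CACHE_DIR/$1.name" ]; then
        KRB5CCNAME=$(cat "$KRB5_CACHE_DIR/$1.name")
    else
        KRB5CCNAME="FILE:$KRB5_CACHE_DIR/$1.cc"
        printf '%s\n' "$KRB5CCNAME" > "$KRB5_CACHE_DIR/$1.name"
    fi
    export KRB5CCNAME
}

# Succeeds only if the active cache can be read and its ticket has not expired.
krb_ok() {
    command -v klist >/dev/null 2>&1 && klist -s
}
```

Source the file into your login shell so that `KRB5CCNAME` changes in the shell you work in; `krb_ok || kinit cernusername@CERN.CH` renews a ticket only when the active cache has none.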
You can use separate ticket files to keep your NAF ticket, create a new one for CERN and then swap between them as needed:

{{{
# store the file name of the NAF Kerberos 5 ticket
NAF_KRB5CCNAME=$KRB5CCNAME
# create a new file name for the CERN Kerberos 5 ticket
CERN_KRB5CCNAME=FILE:$(mktemp)
# change the file name for the active Kerberos 5 ticket
# (exported so that kinit and other commands see it)
export KRB5CCNAME=$CERN_KRB5CCNAME
# create a new Kerberos 5 ticket for CERN
kinit cernusername@CERN.CH
}}}

Now you have a CERN Kerberos 5 ticket, which is the active one. You can swap back to the NAF ticket using

{{{
KRB5CCNAME=$NAF_KRB5CCNAME
}}}

and back to the CERN one using

{{{
KRB5CCNAME=$CERN_KRB5CCNAME
}}}

= SVN/CVS Server at CERN =

== CERN SVN Server ==

ATLAS has been using the CERN SVN server since June 2009. Only ssh authentication is supported. Get a Kerberos 5 ticket for CERN or set up ssh key authentication to avoid typing in passwords. If you have a different username at CERN and NAF, you have to tell ssh what your username at CERN is. Add the following two lines to the file `$HOME/.ssh/config`:

{{{
Host *.cern.ch
    user username
}}}

where `username` should be replaced by your CERN username. If you do not have the file `$HOME/.ssh/config`, create it using:

{{{
touch $HOME/.ssh/config
}}}

For more details on this whole topic see http://information-technology.web.cern.ch/book/how-start-working-svn/accessing-svn-repository#accessing-sshlinux

= AFS =