The University's Cubbli Linuxes use the same authentication mechanism as the University's Windows machines. They authenticate against, and get their user accounts and groups from, the University's Active Directory (AD) domain. When you use your password to log in to a Cubbli from the console or through ssh, or just to unlock a locked screen, you get a Kerberos ticket, which is a secret random number that can be used to authenticate against other services in the University's network without typing your password again. This provides the single sign-on capabilities at the University.

The Kerberos ticket is used to access (at least) the following services in the University's network:

  • Network file shares, like home directories and group directories (both SMB and NFS protocols)
  • Printing to IT Department's printers, including smartcard printers
  • Automatic login to University's web services through (this is still a work in progress, but should be available later in 2018)
  • Logging in remotely to Cubbli hosts through ssh (with Kerberos ticket delegation)

Since the Kerberos ticket can be used just like your user account and password, it should be kept secret and should be available only to you. Kerberos tickets also have a lifetime, after which they can no longer be used.

Using Kerberos tickets

You can see your Kerberos ticket using the command klist. Here is an example output of a Kerberos ticket, which has been used to access files both on the University's file server (Z-drive through SMB) and the CS Department's file server (/cs/home/ through NFS), to ssh remotely to and to print a document to the University's smartcard queue:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1033431_JVldy8
Default principal: jjaakkol@AD.HELSINKI.FI

Valid starting     Expires            Service principal
13/07/18 12:05:16  13/07/18 22:05:16  krbtgt/AD.HELSINKI.FI@AD.HELSINKI.FI
        renew until 14/07/18 12:05:14
13/07/18 12:06:47  13/07/18 22:05:16  nfs/
        renew until 14/07/18 12:05:14
13/07/18 12:07:03  13/07/18 22:05:16  cifs/
        renew until 14/07/18 12:05:14
13/07/18 12:07:51  13/07/18 22:05:16  host/
        renew until 14/07/18 12:05:14
13/07/18 12:08:07  13/07/18 22:05:16  cifs/
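
The following Python script is an added example, not part of the original page or of any University tooling. It parses klist output in the layout shown above, lists the tickets whose lifetime has ended, and checks that a FILE: ticket cache is accessible only to its owner. The sample text, the function names and the day/month/year date format are assumptions.

```python
import os
import re
import stat
from datetime import datetime

# Constructed sample in the layout of the klist output above (placeholder names).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000_example
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
13/07/18 12:05:16  13/07/18 22:05:16  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 14/07/18 12:05:14
13/07/18 12:06:47  13/07/18 22:05:16  nfs/files.example.org@EXAMPLE.ORG
        renew until 14/07/18 12:05:14
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%d/%m/%y %H:%M:%S"  # assumption: day/month/year locale, as shown above


def parse_klist(text):
    """Return (cache, principal, [(service, starts, expires), ...])."""
    cache = principal = None
    tickets = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET.match(line)):
            start, end = (datetime.strptime(s, FMT) for s in m.group(1, 2))
            tickets.append((m.group(3), start, end))
    return cache, principal, tickets


def expired(tickets, now):
    """Service principals whose ticket lifetime has ended at `now`."""
    return [service for service, _, end in tickets if end <= now]


def cache_is_private(cache):
    """True if a FILE: cache is a regular file, ours, with no group/other bits."""
    if not cache.startswith("FILE:"):
        return None  # KEYRING:, KCM: and similar are not plain files
    st = os.lstat(cache[len("FILE:"):])
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and st.st_mode & 0o077 == 0)
```

To check a live session, pass the text printed by klist to parse_klist and the returned cache name to cache_is_private.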