
Security FAQ

NCSA's Help Desk is available 24 hours a day, seven days a week, 365 days a year:
help.ncsa.illinois.edu
217-244-0710
help@ncsa.illinois.edu

Also see the NCSA Kerberos Windows and UNIX Troubleshooting Guides.

General Questions

What do I need to do to connect securely to NCSA?

My production machine password doesn't work anymore. Which password should I use?

    The password to use is your NCSA AFS/Kerberos password. For HPC users, this is the same as your NCSA UniTree (mass storage) password. For NCSA staff, this is the same as the password you use for checking email or logging into NCSA's public systems (pecos and osage).

    Note that you will also use this password to connect to NCSA's internal server to download the software.

How can I connect to the mass storage system (UniTree) from my local machine?

    Currently, the only way to access UniTree is using the kerberized ftp client.

Questions about Kerberos

My NCSA login is different from my local login. What do I need to do to use kerberos?

    When you run kinit, specify your NCSA login as follows:
    kinit NCSAlogin
    
    Then, with telnet or rlogin, you need to use the -l option. For example:
    telnet -l NCSAlogin modi4.ncsa.uiuc.edu
    

I have a valid kerberos ticket, but I get the error 'telnetd: Authorization failed' when I use telnet.

    There are a couple of reasons this can happen. First, verify that you are using the kerberized telnet client and not the generic one. If you still get this error with the kerberized version, check that your krb5.conf file has the following in the [appdefaults] section:
            telnet = {
                    autologin = 1
            }
    
    Alternatively, you can use the -a option to telnet.

I get the following kinit error: kinit: Cannot find KDC for requested realm while getting initial credentials.

    This means that kinit cannot find the necessary configuration for the realm you are requesting.

    Where is your krb5.conf located? The NCSA-generated binaries look for both /etc/krb5.conf and /usr/local/krb5/etc/krb5.conf. If you have placed the krb5.conf file elsewhere, you need to set the environment variable KRB5_CONFIG to its location. Check the instructions on the download page on how to do this.

    Another possibility is that you are inadvertently requesting a bad realm in some way. If you authenticate to multiple realms, you will be specifying the realm when you kinit. Realm names are case sensitive, so you need to make sure to enter

            kinit NCSAlogin@NCSA.EDU
    

    A third possibility is that you are trying to connect from behind a firewall. Please see the firewall information, or check with your local system administrator.

I installed the UNIX kerberos clients from NCSA, but I get the following error when I issue a kinit:

kinit: Can't open/find configuration file (dce / krb) when parsing name jdoe
    Some UNIX systems come with (unconfigured) kerberos 4 or DCE clients on them (HP and Solaris are two that do). What the error means is that you are running the kinit that came on the system and not the Kerberos 5 kinit you got from NCSA.

    Check the instructions on the download page to set your path correctly.

I get the following error when I issue a kinit:

kinit: Principal unknown (kerberos).
    Some Unix platforms (Solaris is one) have a vendor version of Kerberos installed, with the kerberized utilities located in /usr/bin. You can change the order of your path so that the version of kinit that is used is the one you installed. Check the instructions on the download page to set your path correctly.
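
The kinit errors above come down to which krb5.conf is read, whether it defines a KDC for the exact realm name, and which kinit comes first on the path. The following script is an added example, not NCSA's own tooling, that checks all three; the function names are hypothetical, the sample krb5.conf is constructed, and kdc.example.org is a placeholder host.

```shell
#!/bin/sh
# Added example; the sample krb5.conf is constructed, kdc.example.org is a placeholder.

# First readable config in the FAQ's order: $KRB5_CONFIG, then the given paths.
find_krb5_conf() {
    for f in "${KRB5_CONFIG:-}" "$@"; do
        if [ -n "$f" ] && [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# True if [realms] in file $1 has a stanza named exactly $2 (case sensitive)
# that contains a kdc entry.
realm_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); cur = ""; next }
        in_realms && /=[ \t]*[{]/ {
            cur = $0; sub(/^[ \t]+/, "", cur); sub(/[ \t]*=.*$/, "", cur); next }
        in_realms && /[}]/ { cur = ""; next }
        in_realms && cur == realm && /^[ \t]*kdc[ \t]*=/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print every kinit on the colon-separated path $1 (default $PATH) in search
# order; the first line is the binary the shell actually runs.
list_kinit() {
    old_ifs=$IFS; IFS=:
    for d in ${1:-$PATH}; do
        [ -x "$d/kinit" ] && printf '%s\n' "$d/kinit"
    done
    IFS=$old_ifs
}

SAMPLE=$(mktemp)   # constructed config, used only if no real one is found
cat > "$SAMPLE" <<'EOF'
[realms]
    NCSA.EDU = {
        kdc = kdc.example.org
    }
EOF
conf=$(find_krb5_conf /etc/krb5.conf /usr/local/krb5/etc/krb5.conf "$SAMPLE")
echo "config in use: $conf"
for r in NCSA.EDU ncsa.edu; do
    if realm_has_kdc "$conf" "$r"; then echo "$r: KDC configured"
    else echo "$r: Cannot find KDC for requested realm"; fi
done
echo "kinit binaries in PATH order:"; list_kinit
```

If the first path printed by list_kinit is under /usr/bin rather than the directory where the NCSA clients were installed, the vendor kinit is the one being run.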

I get the following error when I issue a kinit in Windows:

Client not found in Kerberos database while logging in
    The error means that you have not entered a valid Kerberos username. Please check that you have correctly entered your NCSA login.

I'm connecting from behind a firewall. What are my options?

I have accounts in two Kerberos realms. How can I get credentials for both?

How do I use Kerberos with X in a Windows environment?

Questions about SSH

Can I use SSH2 clients to connect to NCSA?

    SSH2 clients are not supported at NCSA, so you need to use SSH1 clients.

My NCSA login is different from my local login. What do I need to do to use ssh?

    Use the -l option to ssh. For example:
    ssh -l NCSAlogin modi4.ncsa.uiuc.edu
    

I use ssh to connect to NCSA's production machines; can I use scp to access UniTree?

My account is in restricted mode; can I use scp to access files in my home directory?

    You will need to use a kerberized ftp client; scp cannot be used when an account is in restricted mode.

What does the message "host key not found from the list of known hosts" mean?

    The first time you use SSH to connect to a host you will get a message that says:
    host key not found from the list of known hosts
    do you still want to continue the connection[yes/no]?
    
    Answer yes (y-e-s) to this and you will then be connected. You will see this message when you connect to a host for the first time only. ssh will add the host to its list.

I get the error "error in locking authority file" when I log in. What does this mean?

    The following error:
    /usr/bin/X11/xauth:  error in locking authority file
    
    when logging in with ssh usually indicates that you are over your quota in your home directory. You can check this with the command quota -v. You will need to remove files to get below the quota.

I get the error "write failed flushing stdout buffer" when I use scp. What does this mean?

    This error occurs when a command is trying to write to stdout or stderr (for example, an "echo" command or an undefined variable in your .cshrc file).

    Another cause: when your account on an NCSA system is terminated and goes into restricted mode (see the section on Account Termination), you will not be able to use scp to copy files from that system to your home machine. If you try, you may see messages like the following:

    Write failed flushing stdout buffer.
    write stdout: Broken pipe
    
    While your account is in restricted mode, you will need to use a kerberized ftp client to access your files. If you still have an active account, and you are seeing this error, please contact the NCSA Consulting Office for assistance.