Kerberos Installation Notes for non-NCSA Unix Systems

If you run into trouble, see the troubleshooting notes.

To use NCSA's systems, you need to have special versions of telnet, rsh, rlogin, etc. These commands are more secure than their traditional counterparts because they use Kerberos to prevent your password from being transmitted over the Internet.

Note: These instructions are for installing the Kerberos client on remote machines that are not on NCSA's internal network. If you have a machine on NCSA's network then you can refer to the Installing Kerberos on NCSA systems page.

  1. Downloading

    Browser Requirements

    To download the Kerberos versions of the commands, go to the NCSA Kerberos 5 Binary download page. Select your operating system. Under "Type of Distribution", select "Clients Only".

    Your default Kerberos password is on the "Password and System Information" sheet that was sent to you when you received your account at NCSA. You will use this password to download the Kerberos software and to connect to NCSA systems in the future. If you do not know your Kerberos password, contact the NCSA Consulting Office at consult@ncsa.uiuc.edu or 217-244-1144. NCSA consultants can reset your password to the default.

    Download the Kerberos binary file for your operating system and copy it to your home directory.

    If you have root permissions on your Unix system or know someone who does, go to step #2. Otherwise, go to step #3.

  2. Installing the Kerberos Software with root Permissions

    Create the directory /usr/local/krb5 with permissions 0755, move the Kerberos binary download file into it, and change to that directory:

       mkdir /usr/local/krb5
       chmod 755 /usr/local/krb5
       mv krb5*.tar.Z /usr/local/krb5
       cd /usr/local/krb5
    
    Unpack the distribution file into the directory you created:

       uncompress krb5*.tar.Z
       tar xf krb5*.tar
    
    To use the new secure versions of telnet, rsh, rlogin, etc., you need to change the PATH and MANPATH environment variables so the new versions are used instead of the old versions. If you are using csh or tcsh as your login shell, add the following lines to the end of your .cshrc file in your home directory:

       set path=(/usr/local/krb5/bin $path)
       if ($?MANPATH) then
          setenv MANPATH "/usr/local/krb5/man:$MANPATH"
       endif
    

    The new path will go into effect the next time you log in to your Unix system.

    NOTE: If you are using sh, ksh, or bash, the format for setting the value of PATH is different. Check with your local system administrator for details.

  3. Go to step #4.

  4. Installing the Kerberos Software without root Permissions

    If you do not have permission to create the directory /usr/local/krb5, you can put the Kerberos software in an alternate location such as a subdirectory krb5 of your home directory.

    To determine the location of your home directory, enter:

       cd
       pwd
    
    If your home directory is /home/jdoe, enter these commands:
       mkdir /home/jdoe/krb5
       chmod 755 /home/jdoe/krb5
       mv krb5*.tar.Z /home/jdoe/krb5
       cd /home/jdoe/krb5
    
    Unpack the distribution file into the directory you created:

       uncompress krb5*.tar.Z
       tar xf krb5*.tar
    
    Set the environment variable KRB5_CONFIG to point to the location of the Kerberos configuration file. For example, if you put the Kerberos software in /home/jdoe/krb5, you would put the following in your .cshrc file:

       setenv KRB5_CONFIG /home/jdoe/krb5/etc/krb5.conf
    
    To use the new secure versions of telnet, rsh, rlogin, etc., you need to change the PATH and MANPATH environment variables so the new versions are used instead of the old versions. If you installed the Kerberos software in an alternate location such as /home/jdoe/krb5, you would add the following to the end of .cshrc:

       set path=(/home/jdoe/krb5/bin $path)
       if ($?MANPATH) then
          setenv MANPATH "/home/jdoe/krb5/man:$MANPATH"
       endif
    
    
    NOTE: The instructions above assume you are using csh or tcsh as your login shell. If you are using sh, ksh, or bash, the format for setting environment variables is different. Check with your local system administrator for details.
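
The sh, ksh, and bash form of the csh settings in steps 2 and 4, as an added example that is not part of NCSA's instructions; the function names and the KRB5_PREFIX variable are assumptions made for illustration. It also checks that kinit, telnet, rsh, and rlogin resolve to the Kerberos directory, since a traditional client found earlier in PATH would be run instead.

```sh
#!/bin/sh
# Added example (not NCSA's own script): sh/ksh/bash form of the csh lines above.

# krb5_env PREFIX
#   Put PREFIX/bin first in PATH, extend MANPATH only if it is already set
#   (the same rule as the csh "if ($?MANPATH)" test), and set KRB5_CONFIG
#   when the software is not in /usr/local/krb5, as step 4 describes.
krb5_env() {
    prefix=$1
    case "$PATH" in
        "$prefix/bin":*) ;;                 # already first: nothing to do
        *) PATH="$prefix/bin:$PATH" ;;
    esac
    export PATH
    if [ -n "${MANPATH+set}" ]; then
        case "$MANPATH" in
            "$prefix/man":*) ;;
            *) MANPATH="$prefix/man:$MANPATH" ;;
        esac
        export MANPATH
    fi
    if [ "$prefix" != /usr/local/krb5 ]; then
        KRB5_CONFIG="$prefix/etc/krb5.conf"
        export KRB5_CONFIG
    fi
}

# krb5_check_path PREFIX
#   Report every client command that the shell would NOT run from PREFIX/bin.
#   A non-zero return means a traditional telnet/rsh/rlogin is still first in
#   PATH, so a session could send the password unprotected.
krb5_check_path() {
    prefix=$1
    bad=0
    for cmd in kinit telnet rsh rlogin; do
        found=$(command -v "$cmd" 2>/dev/null) || found="(not found)"
        if [ "$found" != "$prefix/bin/$cmd" ]; then
            echo "$cmd resolves to $found, expected $prefix/bin/$cmd" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Use from ~/.profile; KRB5_PREFIX is an assumed variable name, e.g. /home/jdoe/krb5.
if [ -n "${KRB5_PREFIX:-}" ]; then
    krb5_env "$KRB5_PREFIX"
    krb5_check_path "$KRB5_PREFIX" || echo "warning: check PATH order" >&2
fi
```
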

  5. Connecting to NCSA systems

    You are now ready to connect to NCSA's computers using Kerberos. First, log in to your Unix system again to set the environment variable PATH to use the new versions of telnet, rsh, etc. To get a Kerberos ticket, enter the command:

       kinit NCSAlogin
    
    where NCSAlogin is your NCSA login name. For example,
       % kinit jdoe
       Password for jdoe@NCSA.EDU:
    
    If your NCSA login name is the same as your local machine login name, you can just enter the command kinit. At the prompt, enter your Kerberos password.

    You can now use telnet to connect to an NCSA system. For example,

       % telnet -l jdoe modi4.ncsa.uiuc.edu
       Trying 141.142.7.4...
       Connected to modi4.ncsa.uiuc.edu (141.142.7.4).
       Escape character is '^]'.
       [ Kerberos V5 accepts you as ``jdoe@NCSA.EDU'' ]
       [ Kerberos V5 accepted forwarded credentials ]
       Unauthorized Use Prohibited
    
  6. Time Synchronization

    For Kerberos to work properly, the clock on your machine and the clock on the Kerberos servers need to be within 5 minutes of each other. If they are too far apart, you may see a message like the following:

       kinit: Clock skew too great in KDC reply while getting initial credentials
    

    If this is a problem, you can log into an NCSA UNIX system (such as modi4.ncsa.uiuc.edu) and run the "date" command to get the time. Use the "date" command to set the system clock on your Unix system to the same time. Note: On Unix systems, you need to have root permissions in order to set the time.



Questions or comments about this page may be sent to consult@ncsa.uiuc.edu