550 Lipoa Parkway, Kihei, Maui, Hawai'i 96753 - Phone: (808) 879-5077

Secure Login

Table Of Contents
Obtaining Kerberos Software
Obtaining Secure Shell Software
Obtaining A SecurID Card
Using The SecurID Card
Kerberos Installation
Firewall Configuration
Interactive Login Nodes & IP addresses
Changing Your Password
Filezilla Information
Frequently Asked Questions


As of 15 January 1999, the DoD High Performance Computing Modernization Program (HPCMP) has required MHPCC to restrict access to our computers to valid users who:

  1. Are running Kerberos or Secure Shell software on their local computer, and
  2. Have a one-time password SecurID card issued to them by either HPCMP or MHPCC.

Kerberos Ticket Lifetime Policy
The HPCMP has also established a policy for Kerberos ticket lifetime. Please refer to the HPC Program-wide Kerberos and SecurID Information Site (pki required) for the most current information about Kerberos, including the matrix of ticket life.

Obtaining Kerberos Software

United States users must use Kerberos software to access MHPCC systems. Users can download a copy of Kerberos software from the following site

Obtaining Secure Shell Software

Due to export restrictions on Kerberos, international (non-United States) users must use Secure Shell software to access MHPCC systems. To download Secure Shell software if you are a foreign national or outside the US:

Possible non-kerberized SSH clients are available at:

US citizens or persons within the US requiring SSH software can obtain Secure Shell clients from: (pki required)

Click on Download Client Kits and proceed through a Kerberos Distribution Authorization Form checklist, prior to the download page display. Proceed to download the SSH client kit for your operating system.

Preliminary usage information is available at

Obtaining A SecurID Card

If you are an HPCMP-sponsored user at MHPCC, you should have already received a card from a HPCMP.

If you are not an HPCMP-sponsored user, you will receive a card directly from MHPCC.

Along with the card, you will also receive:

  • Your SecurID PIN (personal identification number)
  • Your Kerberos password

Be sure to memorize and protect your PIN and password.

Using The SecurID Card

The front of the SecurID card has a display screen and keypad. See below. The back (not shown) has the serial number and expiration date of the card.

Display Screen


  • The large numbers are the six-digit passcode. Displays a random number every 60 seconds when an actual passcode is not active.
  • The horizontal bars on the left side show the life remaining for the passcode. Each bar represents 10 seconds.
  • The blinking dot in the lower right side indicates that the card is operating properly.
  • A vertical bar in the upper right side indicates that the number displayed is an active passcode.



Keypad

  • 0 through 9. Numeric keys.
  • <>. Enter key.
  • P. Protect (clear) key.

When prompted by Kerberos, use the SecurID card to generate a passcode:

  1. Check that the dot in the lower right corner of the display is blinking to verify card operation.
  2. Verify that at least 20 seconds (two horizontal bars) are remaining for the current passcode.
  3. On the keypad, type your PIN. Then press the <> key to enter your PIN.
  4. After using the passcode, press the P key to clear the display.

Kerberos Installation





The following steps explain how to configure Kerberos. Note that this only has to be done once.

Configure Kerberos to include the MHPCC or HPCMP realm. If you received your SecurID card from MHPCC directly, configure MHPCC as the default realm. If you received your card from HPCMP, you MUST use the instructions they provided, and configure HPCMP as your default realm.

It is very important that the clock on the computer system you are using for your Kerberos session be set to within five minutes of the actual time. Otherwise, the Kerberos authentication will fail.

MHPCC's servers and IBM SP nodes are time synchronized using NTP (Network Time Protocol). You can reference MHPCC's time HERE, and make adjustments for your local time zone. Other handy time references include the United States Naval Observatory on the Internet, and short wave radio stations WWV and WWVH at 2.5, 5, 10, 15, and 20 MHz.


Modify your path in your MHPCC and local account to reflect new Kerberos utilities by placing /usr/local/krb5/bin in THE BEGINNING of your path in your .cshrc or equivalent "dot" file.

Users must edit the krb5.conf file and verify the following entries exist. Be sure not to add any additional spaces, carriage returns, or line feeds to the file. Users receiving cards from MHPCC should use MHPCC as the default realm. Users receiving cards from HPCMP should use their host for the default realm.

MHPCC card holders:

krb5.conf (UNIX) add/modify the following lines:

[libdefaults]
        default_realm = MHPCC.HPC.MIL

[realms]
        MHPCC.HPC.MIL = {
                kdc =
                kdc =
                admin_server =
        }

[domain_realm]
        = MHPCC.HPC.MIL
        = MHPCC.HPC.MIL


HPCMP card holders:

krb5.conf (UNIX) add/modify the following lines:

[libdefaults]
        default_realm = HPCMP.HPC.MIL

[realms]
        HPCMP.HPC.MIL = {
                kdc =
                kdc =
                admin_server =
                default_domain =
        }

        MHPCC.HPC.MIL = {
                kdc =
                kdc =
                admin_server =
        }

[domain_realm]
        = HPCMP.HPC.MIL

IP address for is
IP address for is
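
A pre-flight check for the krb5.conf entries above, written as an added example (not MHPCC's or HPCMP's own tooling): it confirms the default realm, a balanced realm stanza with non-empty kdc and admin_server values, and the absence of carriage returns. The function name, return codes and sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# check_krb5_conf REALM [FILE]: FILE defaults to $KRB5_CONFIG, then /etc/krb5.conf.
# Returns 0 when FILE names REALM as default_realm and its [realms] stanza
# has a non-empty kdc and admin_server. Otherwise: 2 unreadable, 3 carriage
# returns present, 4 wrong default_realm, 5 stanza missing or incomplete,
# 6 unbalanced braces.
check_krb5_conf() {
    realm=$1
    conf=${2:-${KRB5_CONFIG:-/etc/krb5.conf}}
    [ -r "$conf" ] || return 2
    cr=$(printf '\r')
    if grep -q "$cr" "$conf"; then return 3; fi
    awk -v realm="$realm" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { sec = $0; gsub(/[ \t]/, "", sec); next } # [section]
        {
            line = $0; gsub(/[ \t]/, "", line)
            if (line == "") next
            if (sec == "[libdefaults]" && index(line, "default_realm=") == 1)
                dr = substr(line, 15)
            if (sec == "[realms]" && depth == 0 && line == realm "={")
                found = inrealm = 1
            else if (inrealm && line ~ /^kdc=./) kdc++
            else if (inrealm && line ~ /^admin_server=./) adm++
            depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
            if (depth <= 0) inrealm = 0
        }
        END {
            if (depth != 0) exit 6
            if (dr != realm) exit 4
            if (!(found && kdc && adm)) exit 5
        }
    ' "$conf"
}

# Constructed sample; the hostnames are placeholders, not MHPCC servers.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
        default_realm = MHPCC.HPC.MIL
[realms]
        MHPCC.HPC.MIL = {
                kdc = kdc-a.example.invalid
                kdc = kdc-b.example.invalid
                admin_server = kdc-a.example.invalid
        }
EOF
check_krb5_conf MHPCC.HPC.MIL "$sample" && echo "krb5.conf is usable for MHPCC.HPC.MIL"
rm -f "$sample"
```

HPCMP card holders would pass HPCMP.HPC.MIL as the realm; a stanza whose kdc or admin_server value is empty is reported with code 5.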


The krb5.ini file should automatically be created in the proper location and with the proper entries for you.


Put the following information into the kerberos5 Configuration Manager. Please note the information below IS CASE SENSITIVE.

Default principal:

Firewall Configuration

The following information is provided if you must use Kerberos through a firewall at your site.

Between a client program and the KDC, your firewall may need to allow traffic on the following ports/protocols. (Note in the following tables that xxxx refers to an ephemeral port number greater than 1024 assigned by the system.)

Client Application                                      To KDC     Return Traffic
Initial ticket request (kinit)                          88/udp     xxxx/udp
Initial ticket request (pkinit)                         88/tcp     xxxx/tcp
Changing password (Unix kpasswd)                        749/tcp    xxxx/tcp
Changing password (Windows, old interface)              464/tcp    xxxx/tcp
Changing password (Windows, new interface)              464/udp    xxxx/udp
Running kadmin (also requires initial ticket, 88/tcp)   749/tcp    xxxx/tcp

Between an application server and the KDC, your firewall may need to allow traffic on the following ports/protocols.

Application Server                                      To KDC     Return Traffic
Initial ticket request (kinit)                          88/udp     xxxx/udp
Initial ticket request (pkinit)                         88/tcp     xxxx/tcp

Between a client program and an application server, your firewall may need to allow traffic on the following ports/protocols.

Application Program/Server                              To Server  To Client
rlogin/rlogind (without encryption)                     543/tcp    xxxx/tcp
rlogin/rlogind (with encryption)                        2105/tcp   xxxx/tcp
rsh/rshd                                                544/tcp    xxxx/tcp
pop/popper                                              1109/tcp   xxxx/tcp
telnet/telnetd                                          (Same as non-Kerberos telnet/telnetd)
ftp/ftpd                                                (Same as non-Kerberos ftp/ftpd)

FYI, MHPCC Kerberos-related IP addresses:

Interactive/Login Nodes & IP addresses



The following steps explain how to test your card.


  1. Enter kshell on your local machine; verify that it is the kshell in the Kerberos directory.

  2. Enter kinit -f on your local machine with Kerberos.

  3. You are prompted for your Kerberos password; enter the one from the sheet supplied by MHPCC or HPCMP.

  4. User is prompted for their passcode "Challenge for Security Dynamics mechanism: [ ]."

  5. On your SecurID card, enter your PIN then press the diamond to obtain a six-digit passcode. Enter this 6 digit number at the passcode prompt.

  6. Enter /usr/local/krb5/bin/klist -f or just klist -f to look for a forwardable ticket. You should see something similar to:
    Ticket cache: /tmp/krb5cc_471
    Default principal:
    Valid starting            Expires                    Service Principal
    13 Jan 99 04:14:52  13 Jan 99 14:09:23  krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL

  7. This indicates a valid ticket and successful connection to MHPCC's KDC.

  8. Connect to a Riptide interactive node by using ssh. You should not be prompted for a password.
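
The check in step 6 can be scripted. The following added example (not part of MHPCC's instructions) reads klist -f output and reports whether the ticket-granting ticket for a realm carries the F (forwardable) flag; it assumes MIT Kerberos's layout, in which the flags follow "Flags:" on the indented line after the ticket. The function names, return codes and sample principal are illustrative.

```shell
#!/bin/sh
# tgt_forwardable REALM: reads `klist -f` output on stdin.
# Returns 0 if the TGT for REALM has the F (forwardable) flag,
#         1 if the TGT is present but not forwardable (kinit run without -f),
#         2 if the cache holds no TGT for REALM.
tgt_forwardable() {
    awk -v tgt="krbtgt/$1@$1" '
        $NF == tgt { seen = 1; intgt = 1; next }   # the ticket line itself
        intgt {
            # Flags follow "Flags: " on an indented detail line, either alone
            # or after "renew until ...," when the ticket is renewable.
            i = index($0, "Flags: ")
            if (i) {
                flags = substr($0, i + 7)
                sub(/[, \t].*/, "", flags)
                if (flags ~ /F/) fwd = 1
            }
            if (i || $0 !~ /^[ \t]/) intgt = 0
        }
        END { if (!seen) exit 2; if (!fwd) exit 1 }
    '
}

# Constructed sample modelled on the listing above; the principal name and
# the Flags line are assumptions.
sample_klist() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_471
Default principal: user@MHPCC.HPC.MIL
Valid starting            Expires                    Service Principal
13 Jan 99 04:14:52  13 Jan 99 14:09:23  krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL
	Flags: FI
EOF
}

if sample_klist | tgt_forwardable MHPCC.HPC.MIL; then
    echo "forwardable TGT present"
fi
```

Against a live cache the call is `klist -f | tgt_forwardable MHPCC.HPC.MIL`; a return code of 1 means kinit should be rerun with -f before connecting with ssh.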


  1. Double click on the Kerberos icon or krb.exe executable.

  2. Enter userid in the Name field.

  3. Enter your Kerberos password, obtained from the sheet supplied by MHPCC or HPCMP, in the password field.

  4. Enter your default realm in the Realm field in all upper case letters.

  5. Hit Enter.

  6. A pop-up will display prompting you for a SecurID passcode.

  7. On your SecurID card, enter your PIN then press the diamond to obtain a six-digit passcode. Enter this 6 digit number at the passcode prompt box.

  8. Click OK

  9. A green ticket should appear in the window with information similar to:
    Start Time                End time                  Service Principal
    13 Jan 99 04:14:52  13 Jan 99 14:09:23  krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL

  10. You now have a valid ticket. Execute the putty.exe or puttytel.exe that resides in the PUTTY directory under the HPCMP directory where Kerberos is installed.

  11. Be sure the ssh box is selected and type in the fully qualified name of the interactive MHPCC node you wish to connect to.

  12. Click OPEN or hit ENTER



Changing Your Password

You can change your secure login password as follows:


Enter kpasswd userid@MHPCC.HPC.MIL at the Unix prompt.


From the Kerberos program, press the Change Password button.


From the Kerberos Configuration Manager control panel, press the Change Password button.

Filezilla Information

The latest version/update/release of Filezilla has some problems with firewalls and displaying the remote directory. Here are two workaround options for you to try after you have obtained a valid Kerberos ticket:


Within Filezilla:

File > Site Manager
Create a NEW SITE with these settings:
Host: system you want to go to EX:
Port: 22
Servertype: SFTP using SSH2
Logontype: Normal
User: your user_id at MHPCC
Password: hit the spacebar once and save&exit or connect
If you choose connect, you'll be on MHPCC; if you save&exit, go back in, select the site, and connect.


From the start button
select RUN
type cmd
go to the HPCMP Kerberos Putty directory
type pscp -l user_id system_name:file_name .
(system_name is the system you want to go to, and file_name is the file you wish to copy; the trailing . places it in the current directory)

Frequently Asked Questions

  1. Q: How long is my Kerberos password valid for? When does it expire?

    A: Kerberos passwords are valid for 180 days. When your password approaches 90 days in age, a message will appear notifying you of when your Kerberos password will expire.

  2. Q: I am getting the following error: /usr/krb5/bin/rlogin : no such file or directory error?

    A: Perform the following:

    1. Create a /usr/krb5/bin directory.

    2. Determine if your kerberos directory contains a rlogin OR a krlogin file.

    3. Link the two:

      ln -s /YOUR FULL KERBEROS DIRECTORY/krlogin /usr/krb5/bin/rlogin


      ln -s /YOUR FULL KERBEROS DIRECTORY/rlogin /usr/krb5/bin/rlogin

  3. Q: I am not authorized to log into my own directory.

    A: Does your login ID on the machine you are logging in from differ from your login ID at MHPCC? If so, the -l option must be used. Example: krsh -l mhpcc_loginid

  4. Q: My card was NOT issued by MHPCC and I receive a telnetd: Authorization failed error.

    A: You must email your principal login ID and realm to MHPCC to create your .k5login file. THIS IS NOT YOUR PRINCIPAL INVESTIGATOR, THIS IS NOT A NAME! [Help Desk humor. :) Ed.]

  5. Q: When using Filezilla, my remote directory does not display.

    A: Try setting Passive Mode on. It is located under the Edit menu, Settings >> Connection >> Firewall settings. Check the box for "on".

  6. Q: I'm behind a firewall, what do I do?

    A: Ports 88 and 749 must be open in order to access MHPCC. Try to use a proxy or gateway machine from your site. See the Firewall Configuration section of this document for more information. If the problem persists, contact the Help Desk via email at .

  7. Q: Kerberos is already installed at my site but it is not version 5, or I can not modify the configuration file to add the MHPCC entries.

    A: Create your own Kerberos configuration file. You can install Kerberos version 5 in your home directory if necessary. Kerberos accesses /etc/krb5.conf by default; to make it use YOUR Kerberos configuration file instead, set an environment variable called KRB5_CONFIG and point it to where YOUR krb5.conf file is located.

  8. Q: I've been successful in accessing MHPCC via Kerberos before and now I'm receiving one of the following errors:

    "Cannot contact any KDC in requested realm"
    "Encryption authentication error"
    "keytab file error"

    A: Please perform the following:



    The IP address returned SHOULD be OR .6

    Verify that your /etc/hostfile contains kdc1.

    Determine how often your DNS table is refreshed.

    Destroy all tickets (kdestroy), start a new session, and try to access MHPCC

  9. Q: Due to the short Kerberos ticket life how do I ftp large files?

    A: Try one of the following suggestions obtained from ASC:

    Unix/Linux System commands:

    • Using krcp (kerberos remote copy) included in the Unix Kerberos kits

      How to transfer a file TO MHPCC:
      Syntax: krcp <filename> <username>@<remotehost>:<remotepath>
      How to transfer a file FROM MHPCC:
      Syntax: krcp <username>@<remotehost>:<remotepath>/<filename> <local path>

    • Using scp (secure copy) included in the Unix SSH kits

      How to transfer a file TO MHPCC:
      Syntax: scp <filename> <username>@<remotehost>:<remotepath>
      How to transfer a file FROM MHPCC:
      Syntax: scp <username>@<remotehost>:<remotepath>/<filename> <local path>

    • Using sftp (secure file transfer protocol) included in the Unix SSH kits
      Use sftp exactly like ftp
      Syntax: sftp <machine name>



Maui High Performance Computing Center
Page returned at 09:20, Monday May 02, 2016 HST (GMT -10 hours)