Secure Login
Introduction
As of 15 January 1999, the DoD High Performance Computing Modernization
Program (HPCMP) has required MHPCC to restrict access to our computers to
valid users who:
- Are running Kerberos or Secure Shell software on their local
computer, and
- Have a one-time password SecurID card issued to them by either HPCMP
or MHPCC.
Kerberos Ticket Lifetime Policy
The HPCMP has also established a policy for Kerberos ticket
lifetime. Please refer to the HPC Program wide Kerberos and SecurID
Information Site, https://www.hpcmo.hpc.mil/security/kerberos/, for the most current
information about Kerberos, including the matrix of ticket life.
Obtaining Kerberos Software
United States users must use Kerberos software to access MHPCC systems.
Users can download a copy of Kerberos software from the following
sites:
http://www.hpcmo.hpc.mil/security/kerberos/.
OR
https://www.hpcmo.hpc.mil/security/kerberos/.
(Restricted to '.mil' and HPCMP sites)
Obtaining Secure Shell Software
Due to export restrictions on Kerberos, international (non-United States)
users must use Secure Shell software to access MHPCC systems. To download
Secure Shell software if you are a foreign national or outside
the US:
You can obtain Secure Shell clients from:
www.ssh.fi. Download information is available from
www.ssh.fi/sshprotocols2/download.html.
Possible non-kerberized SSH clients are also available at:
www.ssh.com AND
www.openssh.org.
US citizens or persons within the US requiring SSH software can
obtain Secure Shell clients from:
http://www.hpcmo.hpc.mil/security/kerberos/.
OR
https://www.hpcmo.hpc.mil/security/kerberos/.
(Restricted to '.mil' and HPCMP sites)
Click on Download Client Kits and proceed through a Kerberos Distribution
Authorization Form checklist, prior to the download page display.
Proceed to download the SSH client kit for your operating system.
Preliminary usage information is available at
http://www.tac.nyc.ny.us/~kim/ssh.
Obtaining A SecurID Card
If you are an HPCMP-sponsored user at MHPCC, you should have already received
a card from HPCMP.
If you are not an HPCMP-sponsored user, you will receive a card directly
from MHPCC.
Along with the card, you will also receive:
- Your SecurID PIN (personal identification number)
- Your Kerberos password
Be sure to memorize and protect your PIN and password.
Using The SecurID Card
The front of the SecurID card has a display screen and keypad. See below.
The back (not shown) has the serial number and expiration date of the card.
Display Screen
- The large numbers are the six-digit passcode. When an actual passcode
is not active, the display shows a random number that changes every 60 seconds.
- The horizontal bars on the left side show the life remaining for
the passcode. Each bar represents 10 seconds.
- The blinking dot in the lower right side indicates that the card
is operating properly.
- A vertical bar in the upper right side indicates that the number
displayed is an active passcode.
Keypad
- 0 through 9. Numeric keys.
- Diamond. Enter key.
- P. Protect (clear) key.
When prompted by Kerberos, use the SecurID card to generate a passcode:
- Check that the dot in the lower right corner of the display is
blinking to verify card operation.
- Verify that at least 20 seconds (two horizontal bars) are remaining
for the current passcode.
- On the keypad, type your PIN, then press the diamond key to enter it.
- After using the passcode, press the P key to clear the display.
Kerberos Installation
PC:
- Close all open programs.
- Download the Kerberos Client Kit from http://www.hpcmo.hpc.mil/security/kerberos/.
- The Client Kit is self-explanatory: double-click on it and follow the prompts. This PuTTY version eliminates many of the previously known Kerberos PC problems.
- Run krb5 to obtain a ticket.
- Enter your principal name, password, and the realm MHPCC.HPC.MIL. After a few moments, you should receive a green ticket.
- Run putty to access a system via Kerberos.
- Click on ssh kerberos protocol.
- In the Host Name box, enter the desired hostname.
- After a successful login, you may choose to "configure" your various sessions (colors, backspace key, etc.).
Macintosh:
- Go to the web site at http://www.hpcmo.hpc.mil/security/kerberos/
- On the left side (under the section 'Public') click on Client Kits
- Under the section 'Client Software' of the Kerberos paragraph click on Macintosh
- Click on MacOSX_Krb5Kit-20050422.dmg to download the kit
- A folder will be created on your desktop labeled OSX Combined
- Open this folder and double click on the icon Kerberos5_Clients.pkg
- Follow the instructions presented in the pop-up window for installing the software. The software will be installed in /usr/local/pkg/openssh/current/bin.
- A symbolic link to /usr/local/bin will be created for all ssh applications.
- Ensure /usr/local/bin is in the user's path.
- To get a Kerberos ticket, click on 'Kerberos' in the Utilities folder inside the Applications folder located in the user's home directory.
- Enter the appropriate Name, Realm and Password, followed by the 6-digit value from the user's SecurID card in response to the Security Dynamics challenge.
- After a ticket is granted, open a terminal window and ssh to the HPC system in question with the command below.
- For example, to access the MHPCC Mana system one would use the command ssh -l userid mlogin3.mana.mhpcc.hpc.mil, where userid is the user's login ID on Mana.
If using OSSH, it may be necessary to start the PRNGD daemon before you can use the ssh client:
EX: /usr/local/ossh/sbin/prngd -c /usr/local/ossh/etc/prngd.conf /usr/local/ossh/dev/egd-pool
Configuration
The following steps explain how to configure Kerberos. Note that this
only has to be done once.
Configure Kerberos to include the MHPCC or HPCMP realm. If you received
your SecurID card from MHPCC directly, configure MHPCC as the default
realm. If you received your card from HPCMP, you MUST use the
instructions they provided, and configure HPCMP as your default realm.
NOTE
It is very important that the clock on the computer system you are using
for your Kerberos session be set to within five minutes of the actual
time. Otherwise, Kerberos authentication will fail.
MHPCC's servers and IBM SP nodes are time synchronized using NTP (Network
Time Protocol). You can reference MHPCC's time here, and make
adjustments for your local time zone. Other handy time references include
the United States Naval Observatory
on the Internet, and short wave radio stations
WWV and WWVH at
2.5, 5, 10, 15, and 20 MHz.
UNIX:
Modify your path in your MHPCC and local account to reflect new Kerberos
utilities by placing /usr/local/krb5/bin in THE BEGINNING
of your path in your .cshrc or equivalent "dot" file.
Users must edit the krb5.conf file and verify the following
entries exist. Be sure not to add any additional spaces, carriage returns,
or line feeds to the file. Users receiving cards from MHPCC should use MHPCC
as the default realm. Users receiving cards from HPCMP should use their
host for the default realm.
MHPCC card holders:
krb5.conf (UNIX) add/modify the following lines:
------------------------------------------------------------
[libdefaults]
default_realm = MHPCC.HPC.MIL
[realms]
MHPCC.HPC.MIL = {
kdc = kdc1.mhpcc.hpc.mil
kdc = kdc2.mhpcc.hpc.mil
admin_server = kdcadmin.mhpcc.hpc.mil
}
[domain_realm]
.mhpcc.hpc.mil = MHPCC.HPC.MIL
mhpcc.hpc.mil = MHPCC.HPC.MIL
------------------------------------------------------------
HPCMP card holders:
krb5.conf (UNIX) add/modify the following lines:
------------------------------------------------------------
[libdefaults]
default_realm = HPCMP.HPC.MIL
[realms]
HPCMP.HPC.MIL = {
kdc = kdc1.hpcmp.hpc.mil
kdc = kdc2.hpcmp.hpc.mil
admin_server = kdc1.hpcmp.hpc.mil
default_domain = hpcmp.hpc.mil
}
MHPCC.HPC.MIL = {
kdc = kdc1.mhpcc.hpc.mil
kdc = kdc2.mhpcc.hpc.mil
admin_server = kdcadmin.mhpcc.hpc.mil
}
[domain_realm]
.hpcmp.hpc.mil = HPCMP.HPC.MIL
.mhpcc.hpc.mil = MHPCC.HPC.MIL
mhpcc.hpc.mil = MHPCC.HPC.MIL
------------------------------------------------------------
IP address for kdc1.hpcmp.hpc.mil is 144.34.9.4
IP address for kdc2.hpcmp.hpc.mil is 204.222.178.66
PC:
The krb5.ini file should automatically be created in the proper
location and with the proper entries for you.
Macintosh:
Put the following information into the kerberos5 Configuration Manager.
Please note the information below IS CASE SENSITIVE.
| Default principal: | your.user.id@MHPCC.HPC.MIL |
| Realm: | MHPCC.HPC.MIL |
| Host/Domain: | .mhpcc.hpc.mil |
| Hostname: | kdc1.mhpcc.hpc.mil |
Firewall Configuration
The following information is provided if you must use Kerberos through a
firewall at your site.
Between a client program and the KDC, your firewall may need to allow
traffic on the following ports/protocols. (Note in the following tables
that xxxx refers to an ephemeral port number greater than 1024 assigned
by the system.)
| Operation | KDC port | Client port |
| Initial ticket request (kinit) | 88/udp | xxxx/udp |
| Initial ticket request (pkinit) | 88/tcp | xxxx/tcp |
| Changing password (Unix kpasswd) | 749/tcp | xxxx/tcp |
| Changing password (Windows, old interface) | 464/tcp | xxxx/tcp |
| Changing password (Windows, new interface) | 464/udp | xxxx/udp |
| Running kadmin (also requires initial ticket, 88/tcp) | 749/tcp | xxxx/tcp |
Between an application server and the KDC, your firewall may need to allow
traffic on the following ports/protocols.
| Operation | KDC port | Application server port |
| Initial ticket request (kinit) | 88/udp | xxxx/udp |
| Initial ticket request (pkinit) | 88/tcp | xxxx/tcp |
Between a client program and an application server, your firewall may need
to allow traffic on the following ports/protocols.
| Operation | Application server port | Client port |
| rlogin/rlogind (without encryption) | 543/tcp | xxxx/tcp |
| rlogin/rlogind (with encryption) | 2105/tcp | xxxx/tcp |
| rsh/rshd | 544/tcp | xxxx/tcp |
| pop/popper | 1109/tcp | xxxx/tcp |
| telnet/telnetd | (Same as non-Kerberos telnet/telnetd) | |
| ftp/ftpd | (Same as non-Kerberos ftp/ftpd) | |
FYI, MHPCC Kerberos-related IP addresses:
| Host | IP address |
| kdc1.mhpcc.hpc.mil | 140.31.199.5 |
| kdc2.mhpcc.hpc.mil | 140.31.199.6 |
| portal.mhpcc.hpc.mil | 140.31.199.22 |
Interactive/Login Nodes & IP addresses
| Mana | IP address |
| mlogin1.mhpcc.hpc.mil | 140.31.196.226 |
| mlogin2.mhpcc.hpc.mil | 140.31.196.227 |
| mlogin3.mhpcc.hpc.mil | 140.31.196.228 |
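As an added example (not MHPCC's or HPCMP's own tooling), the following Python encodes the client-to-KDC flows from the first firewall table above, reports which Kerberos operations a given egress policy would block, and renders iptables rules for the MHPCC KDC addresses listed above; the policy and the rule layout are constructed for illustration.

```python
# Flows this page lists between a client program and the KDC: (proto, KDC port).
# The client side uses an ephemeral port (xxxx in the tables), so only the KDC
# port is fixed in policy; replies are matched by connection state instead.
KDC_FLOWS = {
    "Initial ticket request (kinit)": ("udp", 88),
    "Initial ticket request (pkinit)": ("tcp", 88),
    "Changing password (Unix kpasswd)": ("tcp", 749),
    "Changing password (Windows, old interface)": ("tcp", 464),
    "Changing password (Windows, new interface)": ("udp", 464),
    "Running kadmin": ("tcp", 749),
}
# MHPCC KDC addresses as listed on this page.
MHPCC_KDC_IPS = ["140.31.199.5", "140.31.199.6"]


def blocked_operations(allowed, flows=KDC_FLOWS):
    """Return the Kerberos operations an egress policy would block.
    `allowed` is an iterable of (proto, port) pairs the site firewall permits."""
    permitted = {(p.lower(), int(n)) for p, n in allowed}
    return sorted(op for op, flow in flows.items() if flow not in permitted)


def egress_rules(kdc_ips, flows=KDC_FLOWS):
    """Render iptables rules allowing only the listed flows to the given KDCs;
    the final INPUT rule lets replies back to the ephemeral client port."""
    rules = []
    for proto, port in sorted(set(flows.values())):
        for ip in kdc_ips:
            rules.append("iptables -A OUTPUT -p %s -d %s --dport %d "
                         "-m state --state NEW,ESTABLISHED -j ACCEPT"
                         % (proto, ip, port))
    rules.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed policy: a site that opened only 88/udp, the kinit flow.
    for op in blocked_operations([("udp", 88)]):
        print("blocked:", op)
    print("\n".join(egress_rules(MHPCC_KDC_IPS)))
```

A policy that opens only 88/udp lets kinit work but leaves kpasswd and kadmin blocked, which matches the FAQ note that ports 88 and 749 must both be open.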
Testing
The following steps explain how to test your card.
UNIX:
- Enter kshell on your local machine, and verify it is the kshell in the Kerberos directory.
- Enter kinit -f on your local machine with Kerberos.
- You are prompted for your Kerberos password; enter the password from the sheet supplied by MHPCC
or HPCMP.
- You are prompted for your passcode: "Challenge for Security Dynamics mechanism:
[ ]."
- On your SecurID card, enter your PIN then press the diamond to obtain a
six-digit passcode. Enter this six-digit number at the passcode prompt.
- Enter /usr/local/krb5/bin/klist -f (or just klist -f)
to look for a forwardable ticket. You should see something similar to:
Ticket cache: /tmp/krb5cc_471
Default principal: my.user.id@MHPCC.HPC.MIL
Valid starting Expires Service Principal
13 Jan 99 04:14:52 13 Jan 99 14:09:23 krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL
- This indicates a valid ticket and successful connection to MHPCC's KDC.
- Connect to a Mana interactive node by using ssh. You should
not be prompted for a password.
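The following Python, added here and not part of the MHPCC or HPCMP kits, parses klist output in the layout shown above and reports whether a usable ticket-granting ticket for the expected realm exists; the sample text is constructed from the example above, and the current time is passed in as a string so the check is repeatable.

```python
import re
from datetime import datetime

# Constructed sample in the same layout as the klist -f output shown above.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_471
Default principal: my.user.id@MHPCC.HPC.MIL
Valid starting     Expires            Service Principal
13 Jan 99 04:14:52 13 Jan 99 14:09:23 krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL
"""

STAMP = "%d %b %y %H:%M:%S"  # klist date layout used on this page
TICKET_RE = re.compile(
    r"^(\d\d \w{3} \d\d \d\d:\d\d:\d\d)\s+"
    r"(\d\d \w{3} \d\d \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist(text):
    """Return (default principal, [(start, expires, service principal), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), STAMP),
                            datetime.strptime(m.group(2), STAMP), m.group(3)))
    return principal, tickets


def check_tgt(text, realm, now_str):
    """Verify that a ticket-granting ticket for `realm` is valid at `now_str`
    (same date format as klist). Returns (ok, reason, minutes remaining)."""
    now = datetime.strptime(now_str, STAMP)
    principal, tickets = parse_klist(text)
    if principal is None or not principal.endswith("@" + realm):
        return False, "default principal is not in realm " + realm, 0
    want = "krbtgt/%s@%s" % (realm, realm)
    for start, end, service in tickets:
        if service != want:
            continue
        if now < start:
            return False, "ticket not yet valid: check the clock (5 minute skew limit)", 0
        if now >= end:
            return False, "ticket expired: run kinit -f again", 0
        return True, "valid TGT", int((end - now).total_seconds() // 60)
    return False, "no TGT for " + realm + ": run kinit -f", 0
```

Running `check_tgt(SAMPLE_KLIST, "MHPCC.HPC.MIL", "13 Jan 99 09:00:00")` on the sample reports a valid TGT with 309 minutes remaining.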
PC:
- Double click on the Kerberos icon or the krb.exe executable.
- Enter your userid in the Name field.
- Enter your Kerberos password, from the sheet supplied by MHPCC or HPCMP,
in the Password field.
- Enter your default realm in the Realm field in all upper case letters.
- Hit Enter.
- A pop-up will display prompting you for a SecurID passcode.
- On your SecurID card, enter your PIN then press the diamond to obtain a six-digit
passcode. Enter this six-digit number in the passcode prompt box.
- Click OK
- A green ticket should appear in the window with information similar to:
Start Time End time Service Principal
13 Jan 99 04:14:52 13 Jan 99 14:09:23 krbtgt/MHPCC.HPC.MIL@MHPCC.HPC.MIL
- You now have a valid ticket. Execute the putty.exe or puttytel.exe that
resides in the PUTTY directory under the HPCMP directory where Kerberos
is installed.
- Be sure the ssh box is selected and type in fully qualified name of
the interactive MHPCC node you wish to connect to.
- Click OPEN or hit ENTER
Macintosh:
TBD
Changing Your Password
You can change your secure login password as follows:
UNIX:
Enter kpasswd userid@MHPCC.HPC.MIL at the Unix prompt.
PC:
From the Kerberos program, press the Change Password button.
Macintosh:
From the Kerberos Configuration Manager control panel, press the Change
Password button.
Filezilla Information
The latest version/update/release of Filezilla has some problems with firewalls and displaying the remote directory. Here are two workaround options for you to try after you have obtained a valid Kerberos ticket:
OPTION 1:
Within Filezilla:
File > Site Manager
Create a NEW SITE with these settings:
Host: system you want to go to EX: mlogin3.mana.mhpcc.hpc.mil
Port: 22
Servertype: SFTP using SSH2
Logontype: Normal
User: your user_id at MHPCC
Password: hit the spacebar once and save&exit or connect
If you choose Connect you will be connected to MHPCC; if you choose Save & Exit,
go back into Site Manager, select the site, and connect.
OPTION 2:
From the start button
select RUN
type cmd
go to the HPCMP Kerberos Putty directory
type pscp -l user_id system_name:file_name .
(system_name is the system you want to connect to, file_name is the file you
wish to copy, and the trailing . places it in the current directory)
Frequently Asked Questions
- Q: How long is my Kerberos password valid for? When does it expire?
A: Kerberos passwords are valid for 180 days. When your password approaches 90 days in age, a message will appear notifying you of when your Kerberos password will expire.
- Q: I am getting the following error: /usr/krb5/bin/rlogin:
no such file or directory.
A: Perform the following:
- Create a /usr/krb5/bin directory.
- Determine if your Kerberos directory contains an rlogin OR a krlogin
file.
- Link the two:
ln -s /YOUR FULL KERBEROS DIRECTORY/krlogin /usr/krb5/bin/rlogin
OR
ln -s /YOUR FULL KERBEROS DIRECTORY/rlogin /usr/krb5/bin/rlogin
- Q: I am not authorized to log into my own directory.
A: Do your login IDs differ from the machine you are logging in from
and MHPCC? If so, the -l option must be used. Example: krsh -l mhpcc_loginid
mlogin3.mana.mhpcc.hpc.mil.
- Q: My card was NOT issued by MHPCC and I receive a telnetd: Authorization
failed error.
A: You must email your principal login ID and realm to MHPCC to create your .k5login file.
THIS IS NOT YOUR PRINCIPAL INVESTIGATOR, THIS IS NOT A NAME! [Help Desk humor. :) Ed.]
- Q: When using Filezilla, my remote directory does not display.
A: Try setting Passive Mode on. It is located under the Edit menu, Settings >> Connection >> Firewall settings. Check the box for "on".
- Q: I'm behind a firewall, what do I do?
A: Ports 88 and 749 must be open in order to access MHPCC. Try to use
a proxy or gateway machine from your site. See the Firewall
Configuration section of this document for more information. If the problem
persists, contact the Help Desk via email at .
- Q: Kerberos is already installed at my site but it is not version 5,
or I cannot modify the configuration file to add the MHPCC entries.
A: Create your own Kerberos configuration file. You can install Kerberos
version 5 in your home directory if necessary. Kerberos reads /etc/krb5.conf
by default; to make it read YOUR Kerberos configuration file instead, set an
environment variable called KRB5_CONFIG and point it to where YOUR krb5.conf
file is located.
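As an added example (not MHPCC's or HPCMP's own tooling), the following Python renders the MHPCC krb5.conf shown in the Configuration section, parses it back, and checks the default realm before you point KRB5_CONFIG at the file; the trailing-whitespace check reflects the Configuration section's warning about not adding extra spaces or line ends. The parser is a small assumption of this example, not libkrb5's own.

```python
import re

# Realm data this page gives for MHPCC card holders.
MHPCC_REALM = "MHPCC.HPC.MIL"
MHPCC_KDCS = ["kdc1.mhpcc.hpc.mil", "kdc2.mhpcc.hpc.mil"]
MHPCC_ADMIN = "kdcadmin.mhpcc.hpc.mil"
SECTION_RE = re.compile(r"^\[(\w+)\]$")


def render_krb5_conf(realm, kdcs, admin_server, domain):
    """Render a one-realm krb5.conf in the layout shown under Configuration."""
    lines = ["[libdefaults]", "default_realm = %s" % realm, "[realms]",
             "%s = {" % realm]
    lines += ["  kdc = %s" % k for k in kdcs]
    lines += ["  admin_server = %s" % admin_server, "}", "[domain_realm]",
              ".%s = %s" % (domain, realm), "%s = %s" % (domain, realm)]
    return "\n".join(lines) + "\n"


def parse_krb5_conf(text):
    """Minimal parser (an assumption of this example) returning
    ({section: {key: [values]}}, problems). Realm blocks become nested dicts;
    problems lists lines with trailing whitespace or outside any section."""
    conf, problems, section, realm = {}, [], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            problems.append("line %d has trailing whitespace" % n)
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, realm = m.group(1), None
            conf.setdefault(section, {})
        elif section is None:
            problems.append("line %d is outside any section" % n)
        elif line.endswith("= {"):
            realm = line[:-3].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, val = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key.strip(), []).append(val.strip())
    return conf, problems


def check_default_realm(text, expected_realm):
    """True only if default_realm is expected_realm, that realm is defined
    under [realms] with a kdc, and the parser reported no problems."""
    conf, problems = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    defined = conf.get("realms", {}).get(realm, {})
    return realm == expected_realm and "kdc" in defined and not problems, problems
```

Write the rendered text to a file in your home directory and set KRB5_CONFIG to its path, as the FAQ answer above describes.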
- Q: I've been successful in accessing MHPCC via Kerberos before and
now I'm receiving one of the following errors:
"Cannot contact any KDC in requested realm"
"Encryption authentication error"
"keytab file error"
A: Please perform the following:
nslookup kdc1.mhpcc.hpc.mil
traceroute kdc1.mhpcc.hpc.mil
The IP address returned SHOULD be 140.31.199.5 OR .6
Verify that your /etc/hostfile contains kdc1.
Determine how often your DNS table is refreshed.
Destroy all tickets (kdestroy), start a new session, and try to access MHPCC
- Q: Due to the short Kerberos ticket life how do I ftp large files?
A: Try one of the following suggestions obtained from ASC:
Unix/Linux System commands:
- Using krcp (kerberos remote copy) included in the Unix Kerberos kits
How to transfer a file TO MHPCC:
Syntax: krcp <filename> <username>@<remotehost>:<remotepath>
How to transfer a file FROM MHPCC:
Syntax: krcp <username>@<remotehost>:<remotepath>/<filename> <local path>
- Using scp (secure copy) included in the Unix SSH kits
How to transfer a file TO MHPCC:
Syntax: scp <filename> <username>@<remotehost>:<remotepath>
How to transfer a file FROM MHPCC:
Syntax: scp <username>@<remotehost>:<remotepath>/<filename> <local path>
- Using sftp (secure file transfer protocol) included in the Unix SSH kits
Use sftp exactly like ftp
Syntax: sftp <machine name>
Windows Applications:
The current suggested workaround for normal ftp problems is to download the SFTP
mod for Filezilla. Instructions on how to download and implement sftp in Filezilla
are located at https://www.hpcmo.hpc.mil/security/kerberos/private/news/filezilla-sftp20040414.html.
Users can also download the Cygwin ssh kit for Windows. Cygwin is a Unix emulator in which users can use both the scp and sftp commands listed above from Windows.
Help
Click here to submit a CCAC help ticket
Click here to submit a MHPCC help ticket