Getting Started: Working in a Kerberized Environment
Getting set up to work in a Kerberized environment requires only
a few basic steps. First, you will need to prepare your machine
by installing and configuring the necessary software. Next, you
can prepare yourself as a user by knowing your PennKey and password,
and acquainting yourself with the role of Kerberos tickets. Finally,
you can practice using kerberized systems by authenticating yourself,
then properly obtaining and destroying Kerberos tickets during your
Preparing Your Machine |
Preparing Yourself As A User | Practicing
in Kerberized Systems
Preparing Your Machine
1 . You will require the following software:
Ticket manager software:
Kerberos for Macintosh (Macintosh) --OR--
Windows Identity Manager (Windows)
Network time synchronization software:
Built into operating system (Macintosh) --OR--
Supported client software for any Kerberized service(s) you will be using.
The following software is currently supported at Penn:
for IMAP, POP, SMTP email:
Thunderbird (Windows and Macintosh)
for host-based email, e.g., Mutt and other telnet services:
Host Explorer (Windows), dataComet Secure (Macintosh)
for file transfer via FTP:
FileZilla (Windows) and Fetch (Macintosh)
All the products listed above can be obtained from the PennConnect
CD, or can be individually downloaded from their respective links
on Penn's Supported
Your School or center may recommend other software instead of,
or in addition to these products.
2. Install necessary software. The "Easy"
install option on the PennConnect CD will automatically detect and
install all software necessary for your computer to work in a Kerberized
environment. If you only wish to install an individual software
application from the list above, you may download its installer
from a link on Penn's Supported
Products page, or you may select it from the "Custom"
install option on the PennConnect CD.
3. Configure your client software for Kerberos.
All ticket manager software distributed by the University is
preconfigured for the Penn environment, and requires no additional
You can view specific instructions on how to configure your network time
software for Windows Vista & XP; or Macintosh OS X.
Links to configuration instructions for supported client software
are available from Penn's Supported
Products page. In most cases, configuration is simply a
matter of locating the preferences menu for the software and
selecting the Kerberos option.
Preparing Yourself as a User
1. Register and memorize your PennKey and its associated
password. If you have not yet registered your PennKey,
see the "How to Register Your
PennKey" page for more information. Once you have registered
your PennKey and password, follow the tips on the "Protect
Your PennKey" page to help keep them secure.
2. Review the document Kerberos Tickets
and How They Work. Because the Kerberized environment
is different from what you are accustomed to, it's useful to understand
the role of tickets and how important it is to destroy them, particulary
on shared machines or machines in unlocked spaces.
3. Review the supporting documentation for the ticket manager
software for your operating system to familiarize yourself
with how it works. Links to the documentation can be found on the
product page for each ticket manager.
Practicing in Kerberized Systems
The following section gives a general overview of the steps involved in a typical
work session employing Kerberos security. Once you have completed the preparatory
steps detailed above, you may wish to practice each of the steps below to test
your setup and to increase your familiarity and comfort with Kerberos tools.
For more specific technical instructions, see the ticket
manager documentation for your operating system (Windows & Macintosh).
1. Launch the ticket manager software and authenticate
yourself with your PennKey and password. You will receive
a Ticket-Granting Ticket (TGT) that will be valid for 10 hours.
During the time the ticket is valid, you may use any Kerberized
services you are authorized to access without authenticating again.
You will, however, still need to authenticate to any Penn service
that is not Kerberized using whatever
username and password you have established for that service.
2. Access a Kerberized service using the appropriate client
software. You will receive a service ticket that is valid
for a predetermined length of time set by the service administrator.
If you access other Kerberized services, you will receive a service
ticket for each one.
3. Exit (quit) each client application before you leave
the machine. This step is essential in a lab or when using
a machine in any location (office, dorm room, etc.) where others
may access it. Otherwise, another person using the machine will
have access to that account, its information, and its privileges.
4. Destroy your tickets before you leave the machine. Be
aware that simply quitting the ticket manager software does not
automatically destroy the tickets -- you must manually instruct
the ticket manager to destroy all tickets. As with client applications,
this step is essential in a lab or when using a machine accessible
by others. Remember, failure to destroy a "master" ticket-granting
ticket (TGT) allows another person using the machine to have access
to any and all of your kerberized accounts,
information, and privileges -- regardless of whether those accounts
are currently open.