Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Getting Started: Working in a Kerberized Environment

Getting set up to work in a Kerberized environment requires only a few basic steps. First, you will need to prepare your machine by installing and configuring the necessary software. Next, you can prepare yourself as a user by knowing your PennKey and password, and acquainting yourself with the role of Kerberos tickets. Finally, you can practice using kerberized systems by authenticating yourself, then properly obtaining and destroying Kerberos tickets during your work session.

Preparing Your Machine | Preparing Yourself As A User | Practicing in Kerberized Systems


Preparing Your Machine


1 . You will require the following software:

  • Ticket manager software:

    Kerberos for Macintosh (Macintosh) --OR--
    Windows Identity Manager (Windows)

  • Network time synchronization software:

    Built into operating system (Macintosh) --OR--
    Dimension4 (Windows)

  • Supported client software for any Kerberized service(s) you will be using.
    The following software is currently supported at Penn:

  • for IMAP, POP, SMTP email:
    Thunderbird (Windows and Macintosh)

    for host-based email, e.g., Mutt and other telnet services:
    Host Explorer (Windows), dataComet Secure (Macintosh)

    for file transfer via FTP:
    FileZilla (Windows) and Fetch (Macintosh)

All the products listed above can be obtained from the PennConnect CD, or can be individually downloaded from their respective links on Penn's Supported Products page.

Your School or center may recommend other software instead of, or in addition to these products.

2. Install necessary software. The "Easy" install option on the PennConnect CD will automatically detect and install all software necessary for your computer to work in a Kerberized environment. If you only wish to install an individual software application from the list above, you may download its installer from a link on Penn's Supported Products page, or you may select it from the "Custom" install option on the PennConnect CD.

3. Configure your client software for Kerberos.

  • All ticket manager software distributed by the University is preconfigured for the Penn environment, and requires no additional configuration.

  • You can view specific instructions on how to configure your network time software for Windows Vista & XP; or Macintosh OS X.

  • Links to configuration instructions for supported client software are available from Penn's Supported Products page. In most cases, configuration is simply a matter of locating the preferences menu for the software and selecting the Kerberos option.


Preparing Yourself as a User

1. Register and memorize your PennKey and its associated password. If you have not yet registered your PennKey, see the "How to Register Your PennKey" page for more information. Once you have registered your PennKey and password, follow the tips on the "Protect Your PennKey" page to help keep them secure.

2. Review the document Kerberos Tickets and How They Work. Because the Kerberized environment is different from what you are accustomed to, it's useful to understand the role of tickets and how important it is to destroy them, particulary on shared machines or machines in unlocked spaces.

3. Review the supporting documentation for the ticket manager software for your operating system to familiarize yourself with how it works. Links to the documentation can be found on the product page for each ticket manager.


Practicing in Kerberized Systems

The following section gives a general overview of the steps involved in a typical work session employing Kerberos security. Once you have completed the preparatory steps detailed above, you may wish to practice each of the steps below to test your setup and to increase your familiarity and comfort with Kerberos tools. For more specific technical instructions, see the ticket manager documentation for your operating system (Windows & Macintosh).

1. Launch the ticket manager software and authenticate yourself with your PennKey and password. You will receive a Ticket-Granting Ticket (TGT) that will be valid for 10 hours. During the time the ticket is valid, you may use any Kerberized services you are authorized to access without authenticating again. You will, however, still need to authenticate to any Penn service that is not Kerberized using whatever username and password you have established for that service.

2. Access a Kerberized service using the appropriate client software. You will receive a service ticket that is valid for a predetermined length of time set by the service administrator. If you access other Kerberized services, you will receive a service ticket for each one.

3. Exit (quit) each client application before you leave the machine. This step is essential in a lab or when using a machine in any location (office, dorm room, etc.) where others may access it. Otherwise, another person using the machine will have access to that account, its information, and its privileges.

4. Destroy your tickets before you leave the machine. Be aware that simply quitting the ticket manager software does not automatically destroy the tickets -- you must manually instruct the ticket manager to destroy all tickets. As with client applications, this step is essential in a lab or when using a machine accessible by others. Remember, failure to destroy a "master" ticket-granting ticket (TGT) allows another person using the machine to have access to any and all of your kerberized accounts, information, and privileges -- regardless of whether those accounts are currently open.

top

Information Systems and Computing
University of Pennsylvania
Comments & Questions


Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania