Sie sind hier: Startseite / Systems / HPSS tape archive / PFTP with kerberos
Alle Inhalte des Nutzerportal sind nur auf Englisch verfügbar.

PFTP with kerberos

how to use PFTP with kerberos authentication

Kerberos service und HPSS

Kerberos authentication provides the opportunity for ticket based secure passwordless authentication of users to services after an initial login to the Kerberos server.

You just use the pftp

If you want to use this service, please register first with Beratung

After registering for this service you will get an email with your initial (interim) password.

Kerberos password is at the moment not the LDAP password. You can change it using



To interact with the Kerberos authentication system you have a set of commands you can use:

To initially login to the Kerberos server and get your initial Kerberos ticket use:

kinit -AV

After you requested the initial ticket you can verify it using:

klist -ae

There you may see a ticket like that:

                Ticket cache: FILE:/home/dkrz/k205085/krb5cc_k205085
                Default principal: [Email protection active, please enable JavaScript.]

                Valid starting     Expires            Service principal
                07/03/18 12:59:03  07/10/18 22:59:03  krbtgt/[Email protection active, please enable JavaScript.]
                        renew until 08/14/18 22:59:03, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
                        Addresses: (none)

The output contains the following informations:
        - Ticket cache = name of the cache file, should be place in your $HOME
        - Default principal = ticket owner: [Email protection active, please enable JavaScript.] = should be your principal
        - Valid starting = the ticket is valid beginning with that date
        - Expires = the ticket is valid until that date
        - Service principal = always krbtgt/XXX@XXX for the initial ticket
        - renew until = the date to which the 'Expires' date can be extended with the renew command
        - Etype (-e switch) = encryption type of the ticket
        - Addresses (-a switch) = bind adresses, should be empty to switch between hosts

The ticket can only be used for authentication if it's valid. And it is valid before 'Expires' date.
To expand the 'Expires' date passwordless for the next 'Expires' period and not longer than 'renew until' date use:

kinit -AVR

You can also request a new initial ticket without '-R switch' but then you have to retype your password.

If you have questions how to use Kerberos with HPSS or it doesn't work as expected, write an email to Beratung