
PFTP with Kerberos

How to use PFTP with Kerberos authentication

Kerberos service and HPSS

Kerberos authentication provides secure, ticket-based, passwordless authentication of users to services after an initial login to the Kerberos server. After authentication you use the pftp command for data transfer.

If you want to use this service, please contact . Thereafter you will receive an email with your initial (interim) password and short usage instructions.

The Kerberos password is not your LDAP password. You can change it using

kpasswd

To log in to the Kerberos server for the first time and obtain your initial Kerberos ticket, use:

kinit -AV

After you have requested the initial ticket, you can verify it using:

klist -a

You should see a ticket like this:

Ticket cache: FILE:/home/dkrz/k205085/krb5cc_k205085
Default principal: [Email protection active, please enable JavaScript.]

Valid starting     Expires            Service principal
07/03/18 12:59:03  07/10/18 22:59:03  krbtgt/[Email protection active, please enable JavaScript.]
       renew until 08/14/18 22:59:03
       Addresses: (none)

The output contains the following information:

  • Ticket cache = name of the cache file, should be placed in your $HOME
  • Default principal = ticket owner, should be your principal
  • Valid starting = the ticket is valid beginning with that date
  • Expires = the ticket is valid until that date
  • Service principal = always krbtgt/XXX@XXX for the initial ticket
  • renew until = the date to which the 'Expires' date can be extended with the renew command
  • Addresses (-a switch) = bind addresses, should be (none) so that you can switch between hosts


The ticket can only be used for authentication up to the 'Expires' date. The defaults for ticket life-times are currently:

Maximum ticket life: 7 days 12:00:00
Maximum renewable life: 42 days 12:00:00

To prolong the 'Expires' date without entering your password, use the -R option:

kinit -AVR

Note that the ticket can only be prolonged before the 'Expires' date, and cannot be prolonged after the 'renew until' date. You can also request a new initial ticket without the -R switch, but then you will have to retype your password.
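The lifetime rules above as an added shell example (not part of the original page): ticket_state reads klist output on stdin and reports whether the initial ticket is missing, expired, renewable or merely valid, and next_step names the matching command from this page. The function names, the sample principal user@EXAMPLE.ORG and the assumption that klist prints dates as MM/DD/YY HH:MM:SS (as in the sample output above) are illustrative.

```shell
# Added example: classify a ticket from `klist` output using the rules above.
# Assumes the MM/DD/YY HH:MM:SS layout of the sample output and years 20YY.
# ticket_state: klist output on stdin, $1 = current time in the same layout.
ticket_state() {
    now=${1:-$(date '+%m/%d/%y %H:%M:%S')}
    awk -v now="$now" '
        # "MM/DD/YY", "HH:MM:SS" -> sortable string "20YYMMDDHHMMSS"
        function key(d, t,    a) {
            split(d, a, "/"); gsub(/:/, "", t)
            return "20" a[3] a[1] a[2] t
        }
        # Ticket line: remember Expires only for the initial ticket (krbtgt/...)
        $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
            tgt = ($5 ~ /^krbtgt\//)
            if (tgt) expires = key($3, $4)
            next
        }
        tgt && $1 == "renew" && $2 == "until" { renew = key($3, $4) }
        END {
            split(now, n, " "); cur = key(n[1], n[2])
            if (expires == "")                   print "none"
            else if (cur >= expires)             print "expired"
            else if (renew != "" && cur < renew) print "renewable"
            else                                 print "valid"
        }'
}

# Map a state to the command from this page that applies.
next_step() {
    case $1 in
        renewable) echo "kinit -AVR" ;;            # prolong, no password
        valid)     echo "nothing (not renewable)" ;;
        *)         echo "kinit -AV" ;;             # new initial ticket, password
    esac
}

# Constructed sample in the layout shown above; user and realm are placeholders.
SAMPLE='Ticket cache: FILE:/home/user/krb5cc_user
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/03/18 12:59:03  07/10/18 22:59:03  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
       renew until 08/14/18 22:59:03
       Addresses: (none)'

for t in '07/05/18 09:00:00' '07/10/18 23:00:00'; do
    s=$(printf '%s\n' "$SAMPLE" | ticket_state "$t")
    echo "$t: $s -> $(next_step "$s")"
done
```

With a real ticket cache, pipe the live output in: klist -a | ticket_state. The date layout printed by klist can differ between implementations and locales, so compare it with the layout assumed here first.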

For detailed information, please refer to the manual pages of the commands above:

man kinit
man klist
