
PFTP with Kerberos

How to use PFTP with Kerberos authentication

Kerberos service and HPSS

Kerberos authentication allows ticket-based, secure, passwordless authentication of users to services after an initial login to the Kerberos server. After authentication, you use the pftp command for data transfer.

If you want to use this service, please register first with Beratung. You will receive an email with your initial (interim) password.

The Kerberos password is not your LDAP password. You can change it using


To log in to the Kerberos server and get your initial Kerberos ticket, use:

kinit -AV

After you have requested the initial ticket, you can verify it using:

klist -ae

You may see a ticket like this:

                Ticket cache: FILE:/home/dkrz/k205085/krb5cc_k205085
                Default principal: [Email protection active, please enable JavaScript.]

                Valid starting     Expires            Service principal
                07/03/18 12:59:03  07/10/18 22:59:03  krbtgt/[Email protection active, please enable JavaScript.]
                        renew until 08/14/18 22:59:03, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
                        Addresses: (none)

The output contains the following information:
        - Ticket cache = name of the cache file, should be placed in your $HOME
        - Default principal = ticket owner, should be your principal
        - Valid starting = the ticket is valid beginning with that date
        - Expires = the ticket is valid until that date
        - Service principal = always krbtgt/XXX@XXX for the initial ticket
        - renew until = the date to which the 'Expires' date can be extended with the renew command
        - Etype (-e switch) = encryption type of the ticket
        - Addresses (-a switch) = bound addresses, should be empty so that you can switch between hosts

The ticket can only be used for authentication up to the 'Expires' date. To extend the 'Expires' date without a password, use:

kinit -AVR

The ticket can only be extended up to the 'renew until' date. You can also request a new initial ticket without the '-R' switch, but then you have to retype your password.
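
The following Python script is an added example, not part of the original page. It parses klist -ae output in the layout shown above and returns which of the kinit commands from this page is needed at a given time. The sample principal and realm, the function names, the 24-hour margin and the MM/DD/YY date format are assumptions; the script relies on the Kerberos rule that a ticket can only be renewed while it is still valid.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `klist -ae` output shown above;
# the user, principal and realm are placeholders, not real values.
SAMPLE = """\
Ticket cache: FILE:/home/user/krb5cc_user
Default principal: user@EXAMPLE.REALM

Valid starting     Expires            Service principal
07/03/18 12:59:03  07/10/18 22:59:03  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 08/14/18 22:59:03, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: MM/DD/YY dates, as in the output above
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"

def parse_tgt(text):
    """Return the fields of the krbtgt entry, or None if the cache has none."""
    m = re.search(rf"^[ \t]*({STAMP})\s+({STAMP})\s+krbtgt/\S+", text, re.M)
    if not m:
        return None
    # Only look at the detail lines that belong to this ticket.
    detail = re.split(rf"^[ \t]*{STAMP}", text[m.end():], maxsplit=1, flags=re.M)[0]
    renew = re.search(rf"renew until ({STAMP})", detail)
    addr = re.search(r"Addresses:[ \t]*(.+)", detail)
    return {
        "expires": datetime.strptime(m.group(2), FMT),
        "renew_until": datetime.strptime(renew.group(1), FMT) if renew else None,
        "addressless": bool(addr) and addr.group(1).strip() == "(none)",
    }

def next_step(text, now, margin=timedelta(hours=24)):
    """Return the kinit command needed at `now`, or None if the ticket is fine."""
    t = parse_tgt(text)
    if t is None or now >= t["expires"]:
        return "kinit -AV"   # no usable ticket: log in again with the password
    if t["expires"] - now > margin:
        return None          # ticket is valid for longer than the margin
    if t["renew_until"] and t["renew_until"] > now:
        return "kinit -AVR"  # renew without a password
    return "kinit -AV"       # renewable lifetime used up

if __name__ == "__main__":
    print(next_step(SAMPLE, datetime.now()))
```
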
