FNAL Kerberos Access

 

You need Kerberos to access FNAL directly. This installer will give you that.

  • If you plan to use cvs access and TortoiseCVS, download and install it first. The dzero kerberos installer will detect it and modify it to use a kerberized version of ssh (see WARNING below).
  • If you want to use the VNC front end you need to have VNC already installed as well. The free version is fine, but download the server/viewer combination as that will have an installer which will leave marks in the system that the dzero installer (below) can locate (you can turn off the server install, which is what I usually do).
  • Download and install DZEROKerberos-2.0.0.msi (2/5/2007 - Vista compatible)

This will get you the following:

  • A Program Files shortcut that will start an MS-DOS window where you can type "kinit -f" to log into Fermilab.
  • If you have TortoiseCVS installed, the ext ssh program will default to a kerberized version of ssh.
    • See warning below about host keys!
  • A GUI front end for using rsync will be installed.
    • rsync is used to transfer directories back and forth. For example, you can keep a local copy of your web files, edit them with a good GUI program, and then upload them back.
    • The front end will write out a small settings file so you can double click from the Explorer (or right click for more options).
  • A GUI front end for using VNC will be installed (if you already have real VNC installed).
    • VNC is used to export your desktop from Linux to another workstation.
    • To access a server at Fermilab, this GUI front end will use ssh tunneling.
    • This front end also saves a settings file for quick reuse.
    • If you install this package before installing VNC, the GUI front end won't be installed.
      • After you install RealVNC, go to the control panel, select "add/remove programs", select "DZERO Kerberos", and click the "change" button. When presented with the list of options to install, drill down and enable "VNC Front End". If it is already enabled, then you should disable it, complete the installation, and then run the installer again, re-enabling it. I don't totally understand the installer database!!
    • To cut/paste between Windows and Linux you need a special program called vncconfig running in your VNC session.
    • Before you can use this to connect to your system, you must have started a vncserver already.
      1. Use the regular FNAL Kerberos command line to ssh into your target system.
      2. Use the command "vncserver :2 -geometry 1024x768", where "2" is the display number (you'll have to fill that in on the VNC Front End Dialog), and geometry is the screen size. VNC Viewer can go full screen, and does panning, so I'd suggest going to the size of the screen you normally use. Also, if you are running on clued0 you can find a modern version of vncserver already built and ready to go in ~gwatts/vncserver-4 (or similar).
      3. You can now use the VNC front end to start things off.
  • This version of Kerberos requires your external IP address be included in the Kerberos configuration file. A small service is installed that will keep this up to date.
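
The ssh tunneling that the VNC steps above rely on, as an added example (not the installer's own code): display :N maps to TCP port 5900+N, and a front end that turns dialog fields into a shell command should validate them before building it. It assumes an OpenSSH-style ssh client; the function names, user name and host name are made up for illustration.

```shell
#!/bin/sh
# Added example (not the installer's code): build the ssh port forward that
# carries a VNC session. Function names and sample values are hypothetical.

# vnc_port DISPLAY: VNC display :N listens on TCP port 5900+N.
vnc_port() {
    case "$1" in
        # reject empty, non-digits, leading zeros (octal) and 3+ digits
        ''|*[!0-9]*|0?*|???*)
            echo "display must be an integer 0-99" >&2; return 1 ;;
    esac
    echo $((5900 + $1))
}

# valid_name VALUE: letters, digits, dot, underscore, hyphen only, and no
# leading '-', so the value cannot be read as an ssh option or shell syntax.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# vnc_tunnel_cmd USER HOST DISPLAY: print the command line to run.
# -N: no remote command; -L: forward local port to the server's loopback.
vnc_tunnel_cmd() {
    valid_name "$1" || { echo "bad user name" >&2; return 1; }
    valid_name "$2" || { echo "bad host name" >&2; return 1; }
    port=$(vnc_port "$3") || return 1
    echo "ssh -N -L ${port}:localhost:${port} ${1}@${2}"
}

# Constructed sample values: display 2 as in step 2 above.
vnc_tunnel_cmd alice node.example.org 2
```

With the tunnel up, the viewer connects to display 2 on localhost rather than to the remote host directly.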

Warnings:

  • If you have cygwin installed, you should make sure that every running copy of every program that uses the main cygwin dll (bash, or anything else) has been closed! You can do this at any time: before, after, or during the installation. But it must be done before you use any features that are installed with this program.
    • I have seen cases where a bash shell remains running in the background despite my having killed everything. Sometimes you'll need to check the "Process List" to make sure everything is "dead".
    • The reason is that cygwin holds some configuration data in memory, this package alters some of that information in the registry, and cygwin's shared resources need to re-read it before it can be used.
    • The extra info is, btw, a new mount point to make it easy to find the kerberos configuration file.
  • If you have enabled the Windows Firewall service, you'll get a request asking if it is ok that ssh open a port. I have never clicked yes, and I have never had trouble accessing the internet.
    • This is most likely to happen when you run the VNC front end the first time.
  • The installer will modify the default ssh program used by TortoiseCVS. If any user has already selected "cvs -> preferences" to display the options dialog, however, their preferences will not be modified. There are a number of things that can be done by a user to fix this problem:
    • Using regedit, find the ExternalSSH entries (there are two of them) in HKEY_CURRENT_USER/Software/TortoiseCVS. Remove them both. Now Tortoise will automatically update them from the machine-wide defaults, which the kerberos installer modifies properly.
    • Get the machine defaults from another user in the cvs preferences/tool tab, and copy them into the local user's version.
  • The first time you contact a new machine using ssh and TortoiseCVS you'll get an error message that there is a bogus response from the cvs server. The response will have something about registering the machine's ssh fingerprint. It should happen only the first time you contact the machine and can be safely ignored.
  • This installer must be run as administrator. However, there are no problems if it is then used by a non-administrator user. Just make sure the non-admin user is not logged in when you do the install (or that they log off before they try to use the kerberos interface). A short script needs to run when they log in to define a user-local/user-specific ENV variable.

Troubleshooting:

This package provides some front ends which basically run shell commands. Many errors can happen, and the front ends aren't very good at parsing the command's output. There are several things that can help you:

  • If you suspect something is wrong with the way your configuration file is getting written or updated, look in the System Application log for error messages from the KerberosUpdater service.
    • Right click on "My Computer", select "Manage", Open System Tools, Event Viewer, Application.
  • Both the rsync and vnc front ends include a check-box called "Log Output". This will cause all interactions with the command line to be logged. Look at it closely to see if you can understand what went wrong (mistyped password, etc.).

There are a few known bugs or missing features.

  • This installer will not work on a multi-user machine (a terminal server, for example). Some per-user modifications to the environment variables have to be made. I'll be adding this shortly.
  • The various programs (kinit, klist, etc.) aren't integrated into cygwin (if installed) yet. I'll also be adding that shortly.

Suggestions

Feel free to email me with suggestions. There is a larger chance of it getting included if you send me source code to effect a change or new feature! :-) I'll put something up about getting at the source code soon.

Version History

  • 1.5.1. Actually tested in a Terminal Server and multi-user Windows XP environment. One small bug found and fixed.
  • 1.5.0. Works on a fresh install of Windows (don't need to add the /home mount point by hand), clean up dealing with various icons in the menu system, and other minor fixes.
  • 1.4.0. Second released version. Too far back; don't remember the upgrades.