In order to protect against unauthorized access to Fermilab computers, the Computing Division has implemented the Kerberos Network Authentication Service V5, developed at MIT, to provide what is known as strong authentication over the network.
"Authentication" refers to verifying the identities of networked users, clients and servers. "Strong" authentication is a means of verifying these identities without transmitting passwords over the network, and without requiring that the network itself be protected.
Kerberos v5 is the strong authentication program that Fermilab computers are required to run. Kerberos authenticates users by exchanging electronic tickets between clients and services. It encrypts these tickets before transmitting them and decrypts them on receipt. A machine on which Kerberos v5 has been installed and which enforces Kerberos authentication is referred to as a strengthened or Kerberized machine.
The "heart" of a Kerberos system is the Key Distribution Center (KDC), which maintains a database of member computers and users, and grants authentication requests. The set of member computers makes up what's called a "strengthened realm". At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV.
All UNIX machines at Fermilab are required to be configured such that they are members of the FNAL.GOV realm. Off-site machines used for Fermilab-related work may also be configured as such.
Once you have authenticated to the FNAL.GOV realm on your desktop, you can freely access over the network any computer in this realm on which you have an account, without retyping your (FNAL.GOV) Kerberos password!
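A simplified model of the ticket exchange described above, added here as an illustration (it is not code from the original page, from Fermilab or from MIT Kerberos). It assumes a single KDC reply instead of the separate ticket-granting step, omits timestamps and replay protection, and uses a standard-library stand-in for the real Kerberos encryption types; all function and class names are hypothetical.

```python
import hashlib, hmac, json, os

def derive_key(password, principal):
    # Long-term key derived from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Stand-in encrypt-then-MAC built from the stdlib; NOT a real Kerberos enctype.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.db = {}  # principal -> long-term key (the KDC's database)
    def add(self, principal, password):
        self.db[principal] = derive_key(password, principal)
    def issue(self, user, service):
        # The request carries names only. The reply is the session key sealed
        # for the user, plus a ticket that only the service can open.
        sk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": user, "session_key": sk})
        return seal(self.db[user], {"service": service, "session_key": sk}), ticket

def client_login(kdc, user, password, service):
    wire = [json.dumps({"user": user, "service": service}).encode()]  # the request
    for_user, ticket = kdc.issue(user, service)
    sk = unseal(derive_key(password, user), for_user)["session_key"]  # fails on a wrong password
    authenticator = seal(bytes.fromhex(sk), {"client": user})  # proves the client holds the session key
    return ticket, authenticator, wire + [for_user, ticket, authenticator]

def service_accept(service_key, ticket, authenticator):
    t = unseal(service_key, ticket)  # the service does not contact the KDC here
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]
```

The third value returned by `client_login` lists every message that crossed the network, so it can be searched to confirm that neither the password nor the key derived from it ever appears there.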