Kerberos

The Active Directory of the D.ETHZ.CH domain provides the Kerberos service for ETH. Kerberos can be used just to verify authentication but also to access NFS4 (and CIFS) shares on Linux systems.

Kerberos uses tickets with a limited life time that can be used instead of a password for authentication. To get a ticket an ETH user name and the ETH password for email is needed.

Kerberos works best if only ETH user name names are used, also for local users.

Configuration

Configuring Kerberos on a Linux system can be simple or extensive, depending on what is needed:

The minimal configuration is recommended for all Linux systems.
If Kerberos tickets should be automatically obtained at login then PAM and the SSH service should also be configured.
For users that login to other systems via SSH configuring ticket renewal for SSH is recommended.

Obtaining Tickets

A local user can use the kinit, klist and kdestroy utilities once the minimal configuration is done.

To get a ticket run

kinit

To list your ticket(s) run:

klist

To destroy your ticket run:

kdestroy

For security reasons it is good practice to destroy tickets when not needed anymore, expecially on multi-user systems.