This site is now deprecated.
Please visit the New Facility Site.




The RCF Kerberos 5 Infrastructure


Kerberos 5 at the RCF

The Theory


To understand what happens at the RCF during and after the Kerberos 5 transition, it helps to look at the authentication structures that will exist in each of these two periods and to understand the Kerberos TGT passing mechanism.

Authentication Infrastructure

During the Kerberos 5 transition, there will be three password databases in use at the RCF, as shown below:

The three are the Kerberos 5 database, the NIS/UNIX database and the native AFS database. The Kerberos 5 and NIS/UNIX databases can both be used to authenticate to the Ssh gateways and to internal systems at the RCF. AFS access through the traditional AFS command klog is tied to the native AFS password database. Since there are three databases and several different access tools, users need to be aware of which database, and therefore which password, each tool checks.

After the transition, the NIS/UNIX and native AFS password databases will be removed from the facility. As shown in the figure below, access to the Ssh gateways and internal systems, AFS access through native AFS commands, and AFS access through Kerberos 5 commands will all be tied to the single Kerberos 5 password database.

With the exception of Windows AFS users, users will not need to upgrade any software either during or after the Kerberos 5 transition. Windows AFS users, however, will need to install a Kerberos 5 aware AFS client to gain access to AFS resources after the transition. We expect to have these clients available to Windows users before we move to Kerberos 5 only.

The Kerberos TGT ticket passing

The Kerberos TGT, or Ticket Granting Ticket, is the key to the Kerberos 5 infrastructure at the RCF. You obtain a TGT either by logging in to the RCF with your Kerberos 5 password or by running the Kerberos 5 command kinit and entering your Kerberos 5 password. The TGT is valid for 5 days from the time you initially authenticate to Kerberos. It can be thought of as a "certificate" that verifies your identity. In addition to accepting a Kerberos 5 password, all Ssh servers inside the RCF (but not the RCF Ssh gateways) also accept a Kerberos 5 TGT for authentication. Furthermore, all Ssh client binaries at the RCF automatically pass your Kerberos 5 TGT to Ssh servers for authentication. It is this TGT passing and authentication mechanism that provides the single sign-on capability at the RCF.

The Ssh program at the RCF uses your Kerberos TGT to authenticate you automatically on the systems to which you ssh, and it also forwards your TGT to the destination system, so that you hold a valid TGT there as well. Note that a forwarded TGT lets the destination host act with your identity for the remainder of the ticket's lifetime, so it should only be forwarded to hosts you trust.
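As an added example (not RCF tooling, and not the Ssh binaries the page describes), the following POSIX shell script performs the pre-flight check a user would want before relying on TGT passing: it parses the output of klist -f, requires an unexpired krbtgt ticket that carries the forwardable flag, and only then runs ssh with the OpenSSH options that use the TGT for authentication and forward it to the destination. It assumes the MIT Kerberos klist output format (the Flags: line printed by klist -f) and an OpenSSH client with GSSAPI support; the RCF's own Ssh binaries pass the TGT without any options, so the options here are for a user's own client. The sample cache listings, the principal alice@EXAMPLE.ORG and the realm are constructed placeholders, and the function names tgt_check and rcf_ssh are mine.

```shell
# Added example: TGT pre-flight check and ssh wrapper. Not RCF tooling.
# Assumes MIT Kerberos `klist -f` output and an OpenSSH client with GSSAPI.

# tgt_check NOW
#   Reads `klist -f` output on stdin. NOW is the current local time in
#   klist's own "MM/DD/YYYY HH:MM:SS" form (a two-digit year also works).
#   Exit status: 0 = forwardable, unexpired TGT present
#                1 = no TGT, or the TGT has expired
#                2 = TGT present but not forwardable (no 'F' flag)
tgt_check() {
    awk -v nowd="${1%% *}" -v nowt="${1#* }" '
    # Turn "MM/DD/YY[YY]" and "HH:MM:SS" into a sortable YYYYMMDDHHMMSS string.
    function key(d, t,    a, y) {
        split(d, a, "/"); y = a[3]; if (length(y) == 2) y = "20" y
        gsub(":", "", t); return y a[1] a[2] t
    }
    BEGIN { status = 1 }
    # Ticket line: start date, start time, expiry date, expiry time, principal.
    $1 ~ "^[0-9][0-9]/[0-9][0-9]/[0-9]+$" {
        istgt = ($5 ~ "^krbtgt/")
        if (istgt) { expstr = $3 " " $4; expired = (key($3, $4) <= key(nowd, nowt)) }
        next
    }
    # The continuation line printed by klist -f carries the ticket flags.
    istgt && /Flags: / {
        flags = substr($0, index($0, "Flags: ") + 7)
        print "TGT expires " expstr ", flags " flags
        if (expired)                     status = 1
        else if (index(flags, "F") == 0) status = 2
        else                             status = 0
        istgt = 0
    }
    END { exit status }'
}

# rcf_ssh HOST [ssh options...]
#   Refuse to connect unless a usable TGT exists, then let OpenSSH
#   authenticate with the TGT and forward it to the destination.
rcf_ssh() {
    klist -f 2>/dev/null | tgt_check "$(date '+%m/%d/%Y %H:%M:%S')" && rc=0 || rc=$?
    case $rc in
        1) echo "no valid TGT; run kinit -f first" >&2; return 1 ;;
        2) echo "TGT is not forwardable; run kinit -f" >&2; return 1 ;;
    esac
    ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes "$@"
}

# Constructed `klist -f` listings used to exercise tgt_check offline
# (placeholder principal and realm, not real RCF data).
sample_klist_ok() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
07/12/2003 10:00:00  07/17/2003 10:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    renew until 07/19/2003 10:00:00, Flags: FRIA
07/12/2003 10:05:00  07/17/2003 10:00:00  host/gw.example.org@EXAMPLE.ORG
    Flags: FfT
EOF
}

sample_klist_not_forwardable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
07/12/2003 10:00:00  07/17/2003 10:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    Flags: RIA
EOF
}
```

Source the file and run rcf_ssh with the destination host name. With MIT Kerberos, kinit -f requests a forwardable TGT, and setting forwardable = true in the [libdefaults] section of krb5.conf makes that the default, which is what the single sign-on chain described above relies on.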



U.S. Department of Energy Brookhaven National Laboratory

Report problems or send comments to RCF Webmaster.
Maintained by Shigeki Misawa.
This document last modified Saturday July 12, 2003

