Current Firewall Options
These are the current options for connecting to NCSA through a firewall.
Please refer to the "Kerberos and SSH through Firewalls and NATs" document
for specifics on which ports need to be open, etc.
Using Kerberos
Currently there is a problem in the Kerberos proxy code: it does not accept
forwardable tickets when the connection comes through a firewall that uses NAT.
The current workaround is to get a non-forwardable ticket, connect to the
remote host, and then run kinit on that host to get a new credential there.
The steps for UNIX and Windows follow.
UNIX
On a UNIX machine you can run kinit with the -F flag:
% kinit -F
This gets you a ticket that is not forwardable. You can then use the
Kerberos telnet, rlogin, or rsh utilities to connect to an NCSA machine.
When connecting, use the -N flag so the client does not try to forward your
ticket, and always use the -x (encryption) flag with any of these commands:
% telnet -Nx <machine name>
% rsh -Nx <machine name>
% rlogin -Nx <machine name>
Once connected, run kinit to get a new credential and your AFS token.
NOTE: Make sure you are using an encrypted session from your host to NCSA;
otherwise, when you run kinit on the NCSA machine, your password will be
sent in the clear.
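The UNIX steps above as one script, added here as an example; it is not part of NCSA's page or tools. It gets the non-forwardable ticket, parses "klist -f" output to confirm the TGT really has no F (forwardable) flag before the connection goes through the NAT, connects with -N and -x as described, and can also confirm an addressless ticket (the property the Windows "No IP Address" option gives you) from "klist -a" output. The MIT-style klist output format, the host-name argument, the function names and the sample listings are assumptions or constructed for the example; the kinit -F and telnet -N/-x flags are the ones this page gives.

```shell
#!/bin/sh
# Added example, not NCSA's own code: acquire a non-forwardable TGT, confirm
# from klist output that it really is non-forwardable (and, optionally,
# addressless) before going through the NAT, then open an encrypted session
# that does not try to forward credentials.
# Assumes MIT Kerberos kinit/klist output formats (an assumption); the -N/-x
# telnet flags are the ones this page describes.

# Print the flags of the first krbtgt (TGT) entry in a "klist -f" listing read
# from stdin; prints nothing if no TGT is listed. Copes with both
# "    Flags: FIA" on its own line and "    renew until ..., Flags: FRIA".
tgt_flags() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && match($0, /Flags: [A-Za-z]+/) {
            print substr($0, RSTART + 7, RLENGTH - 7)
            exit
        }
    '
}

# Print the address list of the TGT from a "klist -a" listing on stdin
# ("(none)" for an addressless ticket, empty if klist was not run with -a).
tgt_addresses() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Addresses:/ { sub(/.*Addresses: */, ""); print; exit }
    '
}

# Succeed (exit 0) only if the listing on stdin contains a TGT and that TGT
# does not carry the F (forwardable) flag, i.e. it is the kind of ticket the
# proxy accepts through a NAT.
tgt_is_nonforwardable() {
    flags=$(tgt_flags)
    [ -n "$flags" ] || return 1            # no TGT at all
    case "$flags" in
        *F*) return 1 ;;                    # forwardable: would be rejected
    esac
    return 0
}

# Succeed only if the listing (from "klist -fa") shows an addressless TGT.
tgt_is_addressless() {
    [ "$(tgt_addresses)" = "(none)" ]
}

# The procedure from the text: non-forwardable ticket, check it, connect
# with encryption and without forwarding, then kinit again on the far side.
connect_through_nat() {
    host=$1
    kinit -F || return 1                    # MIT kinit: -F = not forwardable
    if ! klist -f | tgt_is_nonforwardable; then
        echo "TGT is still forwardable; check your krb5.conf defaults" >&2
        return 1
    fi
    # -N: do not forward the ticket; -x: encrypt the session so that the
    # kinit you run on the NCSA host does not send your password in the clear.
    exec telnet -Nx "$host"
}

# Constructed sample listings (not real klist output from NCSA) for checking
# the parsers offline.
SAMPLE_NONFWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@NCSA.EDU

Valid starting       Expires              Service principal
04/01/2024 10:00:00  04/01/2024 20:00:00  krbtgt/NCSA.EDU@NCSA.EDU
        renew until 04/08/2024 10:00:00, Flags: RIA
        Addresses: (none)'

SAMPLE_FWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@NCSA.EDU

Valid starting       Expires              Service principal
04/01/2024 10:00:00  04/01/2024 20:00:00  krbtgt/NCSA.EDU@NCSA.EDU
        Flags: FIA
        Addresses: 192.0.2.10
04/01/2024 10:00:05  04/01/2024 20:00:00  host/login.ncsa.edu@NCSA.EDU
        Flags: FA'

# Run with a host name to actually connect; with no arguments, only define
# the functions so the checks can be used from another script.
if [ $# -gt 0 ]; then
    connect_through_nat "$1"
fi
```

The check matters because a site krb5.conf may set forwardable = true by default; looking at the F flag in klist output, rather than trusting the kinit command line, catches that before the proxy rejects the connection.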
Windows
On a Windows machine, open the Credentials Manager. Under File->Options
there is a "Forwardable" checkbox in the "Ticket options" section. Make sure
this box is not checked. You can then use telnet or rsh to connect.
When using telnet, make sure the "Enable encryption" box is checked and
the "Forward credentials" box is unchecked. When using rsh, be sure to
use the -x (encryption) flag.
Once connected, run kinit to get a new credential and your AFS token.
NOTE: Make sure you are using an encrypted session from your host to NCSA;
otherwise, when you run kinit on the NCSA machine, your password will be
sent in the clear.
Windows users also have the option of getting an addressless ticket. In the
Credentials Manager, under File->Options there is a "No IP Address" checkbox.
Make sure that box is checked, destroy any current credentials, and get a new
ticket. Because an addressless ticket carries no client IP address, there is
nothing for the NAT's address rewriting to invalidate, so it should work
through NATs.
Using SSH
If you have the appropriate configuration set up for your firewall (refer to
the firewall web page), you should not see any problems using SSH. With
password authentication you get a Kerberos ticket and AFS token when
connecting to NCSA machines. All SSH connections are encrypted, so your
password is not transmitted in the clear.
Back to NCSA Kerberos Information
Questions or comments about this page may be sent to kerberos@ncsa.uiuc.edu