CERN and Kerberos tokens
This is a short blog post probably only useful for people working at CERN.
For Linux boxes we use AFS at CERN, with Kerberos as the authentication method. For people with the default SLC installation, this is set up nicely from the get-go. For people like me who use another Linux distribution, or perhaps Mac OS X, it is something you have to set up yourself.
Installing AFS and Kerberos is usually not a very complicated task, and I will not go into that here. What I wanted to do was to recommend how to use it. The "kinit" command is used to get a Kerberos ticket, and then one uses "aklog" to get the AFS token (whatever this means, for me it is some security gibberish). Now you can actually add the flag "--afslog" to the kinit command and directly get the AFS token as well. You should also add the "-f" flag to get a forwardable token for some reason.
There is a slight annoyance with the Kerberos tickets: they are only valid for 25 hours at CERN. What I figured out today, however, was that if you add the flag "--renewable" to the kinit command, then you can renew your ticket with "kinit --renew" without getting prompted for a password.
Hence, what you should then do is something like this. First add to your ~/.bashrc (or other rc file if you use a different shell):
alias cernconnect="kdestroy && kinit --afslog -f --renewable user@CERN.CH"
Then, in your crontab ("crontab -e" in the terminal to edit), add the following line:
@daily ID=afstoken kinit --renew
With this set up, you can just type "cernconnect" in the terminal and then enter your password, and your computer will automatically take care of renewing your token every 24 hours. You can also add the flag "--password-file=/path/to/passwordfile" to kinit so that you do not have to type your password, but take care: if someone gets this file they get full access to your account! This should work on both Linux and OS X, though I have only tried it on Arch Linux for now.
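The password-file warning above can be enforced before kinit ever reads the file. The following is an added example, not part of the original post: check_password_file and cernconnect_pw are hypothetical names, and the check assumes GNU or BSD stat is installed.

```shell
#!/bin/sh
# Added example: only hand a password file to kinit when nobody but its
# owner can read it. Function names are hypothetical.

# check_password_file PATH -> 0 if PATH is a regular file (not a symlink),
# owned by the current user, with no group/other permission bits set.
check_password_file() {
    pwfile=$1
    if [ -L "$pwfile" ]; then
        echo "refusing: $pwfile is a symlink" >&2
        return 1
    fi
    if [ ! -f "$pwfile" ]; then
        echo "refusing: $pwfile is not a regular file" >&2
        return 1
    fi
    # GNU stat (Linux) takes -c, BSD stat (OS X) takes -f.
    info=$(stat -c '%a %u' "$pwfile" 2>/dev/null) ||
        info=$(stat -f '%Lp %u' "$pwfile" 2>/dev/null) || {
            echo "refusing: cannot stat $pwfile" >&2
            return 1
        }
    mode=${info% *}    # octal permissions, e.g. 600
    owner=${info#* }   # numeric uid of the owner
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $pwfile is not owned by you" >&2
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case $mode in
        *00) ;;
        *)
            echo "refusing: $pwfile has mode $mode, run: chmod 600 $pwfile" >&2
            return 1
            ;;
    esac
}

# Same kinit flags as the cernconnect alias, plus the password file.
# user@CERN.CH is the placeholder principal used in the post.
cernconnect_pw() {
    check_password_file "$1" || return 1
    kdestroy && kinit --afslog -f --renewable --password-file="$1" user@CERN.CH
}
```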
