Skip to content

CERN and kerberos tokens

May 9, 2011

This is a short blog post probably only useful for people working at CERN.

For Linux boxes we use afs at CERN, with Kerberos as the authentication method. For people with the default SLC installation, this is set up nicely from the get go. For people like me that use another Linux distribution, or perhaps Mac OSX, it is something you have to set up for yourself.

Installing afs and kerberos is usually not a very compilcated task, and I will not go into that here. What I wanted to do, was to recommend on how to use it. The "kinit" command is used to get a kerberos ticket, and then one uses "aklog" to get the afs token (whatever this means, for me it is some security jibberish). Now you can actually add the flag "–afslog" to the kinit command and directly get the afs token as well. You should also add the "-f" flag to get a forwardable token for some reason.

There is a slight annoyance with the kerberos tickets, they are only valid for 25 hours at CERN. What I figured out today however, was that if you add the flag "–renewable" to the kinit command, then you can renew your ticket with "kinit –renew" without getting promted for a password.

Hence, what you should then do is something like this. Add first to your ~/.bashrc (or other rc if you use a different shell):

alias cernconnect="kdestroy && kinit --afslog -f --renewable user@CERN.CH"

Then, in your crontab ("crontab -e" in the terminal to edit), add the following line

@daily ID=afstoken kinit --renew

With this set up, you can just write "cernconnect" in the terminal and then write your password, and your computer will automatically take care of renewing your token every 24 hours. You can also add the flag "–password-file=/path/to/passwordfile" to kinit so that you do not have to write your password, but take care, if someone gets this file they get full access to your account! This should work on both Linux as well as OSX, though I have only tried it on Arch Linux for now.

3 Comments leave one →
  1. August 28, 2014 9:48 pm

    Wrong about only helping fellow CERN employees; I’m at an ad agency! This post helped me out đŸ˜€ I’m completely unfamiliar with kerberos, but after a quick google, this and a stack exchange post helped me figure out the root issue and way to solve what my issue was for accessing an internal company site.

    I added a cron job to run hourly to renew the certificate.

    Thank you,


  2. simone permalink
    December 24, 2015 5:13 pm


    I’m a fellow CERN user and I’m using Arch too! I’m strugling to get kerberos and afs working though. I tried your way but it looks like something has changed since 2011, are you still using arch? Do you have any new recipe to shere?

    thank you,


    • December 24, 2015 8:17 pm

      Sorry I am not working at CERN anymore so I do not actively use AFS. It was working fine until I left one year ago so the changes must have been quite recent.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: