Who Am I ?

5/27/14 - Information here is obsolete, please see:

As noted in Authentication you have a single Fermilab user name.
Its use varies depending on what you are doing.
We will give a summary here for each of the 5 security realms,
in order of simplicity ( Windows, Services, AFS, SSL Certs, Kerberos )


Use the standard username. Not discussed here


Use the standard username and Services password when connecting to any of these web services.


You need an AFS token for access to /afs/
You get this automatically when ssh'ing to a interactive system.
View it with 'tokens'

User's (AFS ID 1060) tokens for [Expires Mar 12 12:40]

These do expire. Renew by doing kinit.
AFS has a klog command which used to give a token using a separate AFS password. This is disabled at Fermilab.

SSL Certificates

You intially get an OSG cert in your browser, then save this on local disk using a passphrase.
It is up to you to remember that passphrase.

Your certificate is identified by your CN: Common Name field, something like

Firstname Lastname 123

When it is renewed, this identity will be retained, avoiding the need to reregister with services.


You do have a single username, shared with Services etc.
But you may deal with several kerberos principals derived from that username.

  • default principal
    Kerberos identities are based on a 'princial' which includes that name.
    See the output of klist :
    Default principal: your-username@FNAL.GOV

You get an active ticket for kerberos access with 'kinit'.
This ticket is a file on local disk, usually in /tmp, see $KRB5CCNAME

  • cron principal
    Because cron jobs may need a ticket, and you are not there to type a password,
    we have a special kcron command to generate a special principaly that looks like
    Default principal: your-username/cron/
  • root principal
    Some people need to access sensitive accounts,
    and may be authorized to have 'root' principals used only briefly.
    kinit your-username/root@FNAL.GOV
  • service principal
    Shared accounts which may have 'service' principals, for which there is no password.
    Again, these need to be entered in the appriopriate .k5login files for access.
  • .k5login access
    These cron and root principals are distinct from your default principals.
    If used for access to remote account, they need to be put in your .k5login access file.
  • KX509 proxies
    Access to Grid resources ( jobs, FTP transfers ) is via X509 SSL certificates,
    which may be generated from your kerberos ticket.
    For job submission, this is handled by the kproxy script.
    For file access, you may need to run the 'getcert' command,