How to Login with kerberos

This section covers the procedure for accessing PDC resources . Before following this section, make sure you have a PDC account successfully created and you have recieved your username and password.

In order to log in to PDC computers you require:

  1. A Kerberos installation
  2. A SSH implementation that supports Kerberos.

Logging into PDC is a two stage process. You must first generate Kerberos credentials using kinit, which requires a password, then use those credentials together with SSH to log in to cluster on which you have an active allocation.

General information about Kerberos

PDC uses Kerberos authentication protocol.

alternate text

Kerberos tickets are stored on your local machine, and are then forwarded when you try to log in to the remote system. You’ll need the following software in versions that are appropriate for your operating system:

  • Kerberos v5 software (from Heimdal) - which is necessary for getting a Kerberos ticket, and
  • SSH software supporting GSSAPI with KeyExchange (from modified OpenSSH).

Commonly used Kerberos commands

Here is a list of commonly used kerberos commands for users.

Command Description
kinit kinit obtains and caches an initial ticket-granting ticket for principal. kinit [username]@NADA.KTH.SE
klist klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file.
kdestroy The kdestroy utility destroys the user’s active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed.
kpasswd The kpasswd command is used to change a Kerberos principal’s password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed.

Login nodes

On our clusters we have several login nodes. Main one and one used as backup in case the first one is out of commission. The login nodenames uses the following syntax…

Cluster Type Address
Beskow Primary
Tegner Primary (
Tegner Secondary (

Beskow login node fingerprints

Type Hash Fingerprint
ECDSA SHA256 oPQwKHSjzCNphyQwmKWng7VhDDDjALc6ItTjq0Nhbe8
ECDSA MD5 22:e8:03:3f:f6:2d:77:2d:f5:ad:89:16:81:94:fb:6a
ED25519 SHA256 /OhtVDBRgstP9/COMP2xAvuAvUhAwijs5NT2kCLOoKs
ED25519 MD5 bf:df:b7:a1:8c:67:5e:34:5d:5a:d8:d4:7f:09:81:98
RSA SHA256 oMiRP4a4Ffe7Co8J8E8AD3U/OlrRJfwSzGi4FOKSfcQ
RSA MD5 6c:54:c7:14:7c:98:ca:35:1b:c5:e2:9f:60:87:c0:f5

Troubleshooting login problems

A lot of solutions for login errors can be found in our FAQ section at Kerberos or at Login

If you do not find a solution, please Contact Support with the following information…

  • Username

  • Which operating system and version you are using

  • Any output/error message you got from

    kinit -f <username>@NADA.KTH.SE
  • The output from

    klist -f
  • The output from…

    ssh -vvv -o GSSAPIDelegateCredentials=yes -o GSSAPIKeyExchange=yes \
    -o GSSAPIAuthentication=yes <PDC username>@<cluster>