manpagez: man pages & more
man kerberos(1)
Home | html | info | man
kerberos(1)                                                        kerberos(1)


       kerberos - introduction to the Kerberos system


       The  Kerberos  system authenticates individual users in a network envi-
       ronment.  After authenticating yourself to Kerberos, you can  use  net-
       work  utilities  such as rlogin, rcp, and rsh without having to present
       passwords to remote hosts and without having  to  bother  with  .rhosts
       files.   Note  that these utilities will work without passwords only if
       the remote machines you deal with support the Kerberos system.

       If you enter your username and kinit responds with this message:

       kinit(v5): Client not found in Kerberos database while getting  initial

       you haven't been registered as a Kerberos user.  See your system admin-

       A Kerberos name usually contains three parts.  The first  is  the  pri-
       mary,  which  is usually a user's or service's name.  The second is the
       instance, which in the case of a user is usually null.  Some users  may
       have  privileged instances, however, such as ``root'' or ``admin''.  In
       the case of a service, the instance is the fully qualified name of  the
       machine  on  which it runs; i.e. there can be an rlogin service running
       on the machine ABC, which is different from the rlogin service  running
       on  the  machine  XYZ.  The third part of a Kerberos name is the realm.
       The realm corresponds to the Kerberos service providing  authentication
       for the principal.

       When  writing a Kerberos name, the principal name is separated from the
       instance (if not null) by a slash, and the  realm  (if  not  the  local
       realm)  follows, preceded by an ``@'' sign.  The following are examples
       of valid Kerberos names:


       When you authenticate yourself with Kerberos you get  an  initial  Ker-
       beros ticket.  (A Kerberos ticket is an encrypted protocol message that
       provides authentication.)  Kerberos uses this ticket for network utili-
       ties  such  as rlogin and rcp.  The ticket transactions are done trans-
       parently, so you don't have to worry about their management.

       Note, however, that tickets expire.  Privileged tickets, such as  those
       with the instance ``root'', expire in a few minutes, while tickets that
       carry more ordinary privileges may be good for several hours or a  day,
       depending  on the installation's policy.  If your login session extends
       beyond the time limit, you will have  to  re-authenticate  yourself  to
       Kerberos  to get new tickets.  Use the kinit command to re-authenticate

       If you use the kinit command to get your tickets, make sure you use the
       kdestroy command to destroy your tickets before you end your login ses-
       sion.  You should put the kdestroy command in your .logout file so that
       your tickets will be destroyed automatically when you logout.  For more
       information about the kinit and kdestroy commands, see the kinit(1) and
       kdestroy(1) manual pages.

       Kerberos  tickets  can  be forwarded.  In order to forward tickets, you
       must request forwardable tickets when you kinit.  Once  you  have  for-
       wardable  tickets, most Kerberos programs have a command line option to
       forward them to the remote host.

       Currently, Kerberos support is available for the following network ser-
       vices:  rlogin,  rsh, rcp, telnet, ftp, krdist (a Kerberized version of
       rdist), ksu (a Kerberized version of su), login, and Xdm.


       kdestroy(1),  kinit(1),  klist(1),   kpasswd(1),   rsh   (1),   rcp(1),
       rlogin(1),  telnet(1),  ftp(1),  krdist(1), ksu(1), sclient(1), xdm(1),
       des_crypt(3), hash(3), krb5strings(3), krb5.conf(5), kdc.conf(5),  kad-
       min(8),   kadmind(8),  kdb5_util(8),  telnetd(8),  ftpd(8),  rdistd(8),
       sserver(8), klogind(8c), kshd(8c), login(8c)



       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena


       Kerberos was developed at MIT.   OpenVision  rewrote  and  donated  the
       administration server, which is used in the current version of Kerberos


       Copyright 1985,1986,1989-1996,2002 Massachusetts Institute of  Technol-


Mac OS X 10.6 - Generated Thu Sep 17 20:07:56 CDT 2009
© 2000-2021
Individual documents may contain additional copyright information.