MAN page from Fedora 9 krb5-libs-1.6.3-10.fc9.i386.rpm
Section: User Commands (1)
kerberos - introduction to the Kerberos system
The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network utilities such as rlogin without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system.
If you enter your username and kinit responds with this message:
kinit(v5): Client not found in Kerberos database while getting initial credentials
you haven't been registered as a Kerberos user. See your system administrator.
A Kerberos name usually contains three parts. The first is the primary, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root'' or ``admin''. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal.
When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an ``@'' sign. The following are examples of valid Kerberos names:
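The naming rules above, worked through as a small parser. This is an added example, not part of the manual page or of the MIT Kerberos code: it splits a name into primary, instance and realm exactly as described (slash before the instance, ``@'' before the realm, local realm assumed when none is written). The local realm EXAMPLE.COM and the sample names are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed local realm; a real client reads this from its Kerberos configuration.
LOCAL_REALM = "EXAMPLE.COM"


@dataclass(frozen=True)
class Principal:
    primary: str             # user's or service's name
    instance: Optional[str]  # None for an ordinary user; "root"/"admin", or a host for a service
    realm: str               # the Kerberos service that authenticates this principal

    def is_privileged(self) -> bool:
        """Privileged instances such as root or admin get short-lived tickets."""
        return self.instance in ("root", "admin")

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str, local_realm: str = LOCAL_REALM) -> Principal:
    """Split a written Kerberos name into its three parts.

    The instance, if present, follows the first slash; the realm, if present,
    follows the '@'. A name with no '@' belongs to the local realm.
    """
    if not text or text[0] in "/@":
        raise ValueError(f"malformed principal: {text!r}")
    name, at, realm = text.partition("@")
    if at and (not realm or "@" in realm):
        raise ValueError(f"malformed realm in principal: {text!r}")
    if not at:
        realm = local_realm
    primary, slash, instance = name.partition("/")
    if slash and not instance:
        raise ValueError(f"empty instance in principal: {text!r}")
    return Principal(primary, instance if slash else None, realm)
```

The same service name on two machines yields two distinct principals, which is why a service's instance is the fully qualified host name.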
When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as rlogin and rcp. The ticket transactions are done transparently, so you don't have to worry about their management.
Note, however, that tickets expire. Privileged tickets, such as those with the instance ``root'', expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets. Use the kinit command to re-authenticate yourself.
If you use the kinit command to get your tickets, make sure you use the kdestroy command to destroy your tickets before you end your login session. You should put the kdestroy command in your .logout file so that your tickets will be destroyed automatically when you logout. For more information about the kinit and kdestroy commands, see the kinit(1) and kdestroy(1) manual pages.
Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host.
Currently, Kerberos support is available for the following network services: rlogin, rsh, rcp, telnet, ftp, krdist (a Kerberized version of rdist), ksu (a Kerberized version of su), login, and Xdm.
(1), rsh (1), rcp
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Kerberos was developed at MIT. OpenVision rewrote and donated the administration server, which is used in the current version of Kerberos 5.
Copyright 1985,1986,1989-1996,2002 Massachusetts Institute of Technology
This document was created by man2html, using the manual pages.