MAN page from Fedora 9 krb5-libs-1.6.3-10.fc9.i386.rpm

KERBEROS

Section: User Commands (1)

NAME

kerberos - introduction to the Kerberos system 

DESCRIPTION

The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use network utilities such as rlogin, rcp, and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system.

If you enter your username and kinit responds with this message:

kinit(v5): Client not found in Kerberos database while getting initial credentials

you haven't been registered as a Kerberos user. See your system administrator.

A Kerberos name usually contains three parts. The first is the primary, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root'' or ``admin''. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal.

When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an ``@'' sign. The following are examples of valid Kerberos names:

    david
    jennifer/admin
    joeuser@BLEEP.COM
    cbrown/root@FUBAR.ORG
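As an added illustration (not part of the original manual page or of the krb5 distribution), the following Python code splits a name written in the form described above into primary, instance and realm, and flags the privileged instances the page mentions. The local_realm default EXAMPLE.COM and the PRIVILEGED_INSTANCES set are assumptions made for the example, and only the three-part form described here is handled.

```python
# Added example: parser for the three-part Kerberos name form described above.
from typing import NamedTuple

# Instances the page names as privileged; a real site sets its own policy (assumption).
PRIVILEGED_INSTANCES = {"root", "admin"}


class KerberosName(NamedTuple):
    primary: str
    instance: str   # "" means a null instance
    realm: str

    @property
    def privileged(self) -> bool:
        return self.instance in PRIVILEGED_INSTANCES

    def __str__(self) -> str:
        name = self.primary + (f"/{self.instance}" if self.instance else "")
        return f"{name}@{self.realm}"


def parse_name(text: str, local_realm: str = "EXAMPLE.COM") -> KerberosName:
    """Split primary[/instance][@realm]; an omitted realm means the local realm."""
    name, at, realm = text.partition("@")
    if at and not realm:
        raise ValueError(f"empty realm in {text!r}")
    if "@" in realm:
        raise ValueError(f"more than one '@' in {text!r}")
    primary, slash, instance = name.partition("/")
    if not primary:
        raise ValueError(f"empty primary in {text!r}")
    if slash and not instance:
        raise ValueError(f"empty instance after '/' in {text!r}")
    if "/" in instance:
        raise ValueError(f"more than one '/' in {text!r}")
    return KerberosName(primary, instance, realm if at else local_realm)


if __name__ == "__main__":
    # The four example names from the page.
    for raw in ("david", "jennifer/admin", "joeuser@BLEEP.COM", "cbrown/root@FUBAR.ORG"):
        n = parse_name(raw)
        print(f"{raw:24} -> {n}  privileged={n.privileged}")
```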

When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as rlogin and rcp. The ticket transactions are done transparently, so you don't have to worry about their management.

Note, however, that tickets expire. Privileged tickets, such as those with the instance ``root'', expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets. Use the kinit command to re-authenticate yourself.

If you use the kinit command to get your tickets, make sure you use the kdestroy command to destroy your tickets before you end your login session. You should put the kdestroy command in your .logout file so that your tickets will be destroyed automatically when you log out. For more information about the kinit and kdestroy commands, see the kinit(1) and kdestroy(1) manual pages.

Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host.

Currently, Kerberos support is available for the following network services: rlogin, rsh, rcp, telnet, ftp, krdist (a Kerberized version of rdist), ksu (a Kerberized version of su), login, and Xdm.

SEE ALSO

kdestroy(1), kinit(1), klist(1), kpasswd(1), rsh(1), rcp(1), rlogin(1), telnet(1), ftp(1), krdist(1), ksu(1), sclient(1), xdm(1), des_crypt(3), hash(3), krb5strings(3), krb5.conf(5), kdc.conf(5), kadmin(8), kadmind(8), kdb5_util(8), telnetd(8), ftpd(8), rdistd(8), sserver(8), klogind(8c), kshd(8c), login(8c)

BUGS

 

AUTHORS

Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena 

HISTORY

Kerberos was developed at MIT. OpenVision rewrote and donated the administration server, which is used in the current version of Kerberos 5.

RESTRICTIONS

Copyright 1985,1986,1989-1996,2002 Massachusetts Institute of Technology


 


This document was created by man2html, using the manual pages.