1KERBEROS(7)                      MIT Kerberos                      KERBEROS(7)
2
3
4

NAME

6       kerberos - Overview of using Kerberos
7

DESCRIPTION

9       The  Kerberos  system authenticates individual users in a network envi‐
10       ronment.  After authenticating yourself to Kerberos, you can  use  Ker‐
11       beros-enabled  programs without having to present passwords or certifi‐
12       cates to those programs.
13
14       If you receive the following response from kinit(1):
15
16       kinit: Client not found in Kerberos database while getting initial cre‐
17       dentials
18
19       you haven't been registered as a Kerberos user.  See your system admin‐
20       istrator.
21
22       A Kerberos name usually contains three parts.  The first  is  the  pri‐
23       mary,  which  is usually a user's or service's name.  The second is the
24       instance, which in the case of a user is usually null.  Some users  may
25       have privileged instances, however, such as root or admin.  In the case
26       of a service, the instance is the fully qualified name of  the  machine
27       on  which  it  runs;  i.e.  there  can be an ssh service running on the
28       machine ABC (ssh/ABC@REALM), which is different from  the  ssh  service
29       running  on  the machine XYZ (ssh/XYZ@REALM).  The third part of a Ker‐
30       beros name is the realm.  The realm corresponds to the Kerberos service
31       providing  authentication for the principal.  Realms are conventionally
32       all-uppercase, and often match the end of hostnames in the  realm  (for
33       instance, host01.example.com might be in realm EXAMPLE.COM).
34
35       When  writing a Kerberos name, the principal name is separated from the
36       instance (if not null) by a slash, and the  realm  (if  not  the  local
37       realm) follows, preceded by an "@" sign.  The following are examples of
38       valid Kerberos names:
39
40          david
41          jennifer/admin
42          joeuser@BLEEP.COM
43          cbrown/root@FUBAR.ORG
44
45       When you authenticate yourself with Kerberos you get  an  initial  Ker‐
46       beros ticket.  (A Kerberos ticket is an encrypted protocol message that
47       provides authentication.)  Kerberos uses this ticket for network utili‐
48       ties  such  as ssh.  The ticket transactions are done transparently, so
49       you don't have to worry about their management.
50
51       Note, however, that tickets expire.  Administrators may configure  more
52       privileged  tickets,  such as those with service or instance of root or
53       admin, to expire in a few minutes, while tickets that carry more  ordi‐
54       nary  privileges may be good for several hours or a day.  If your login
55       session extends beyond the time limit, you will have to re-authenticate
56       yourself to Kerberos to get new tickets using the kinit(1) command.
57
58       Some  tickets  are renewable beyond their initial lifetime.  This means
59       that kinit -R can  extend  their  lifetime  without  requiring  you  to
60       re-authenticate.
61
62       If you wish to delete your local tickets, use the kdestroy(1) command.
63
64       Kerberos  tickets  can  be forwarded.  In order to forward tickets, you
65       must request forwardable tickets when you kinit.  Once  you  have  for‐
66       wardable  tickets, most Kerberos programs have a command line option to
67       forward them to the remote host.  This can be useful for, e.g., running
68       kinit  on  your  local machine and then sshing into another to do work.
69       Note that this should not be done on untrusted machines since they will
70       then have your tickets.
71

ENVIRONMENT VARIABLES

73       Several  environment variables affect the operation of Kerberos-enabled
74       programs.  These include:
75
76       KRB5CCNAME
77              Default name  for  the  credentials  cache  file,  in  the  form
78              TYPE:residual.   The type of the default cache may determine the
79              availability of a cache collection.  FILE is  not  a  collection
80              type; KEYRING, DIR, and KCM are.
81
82              If  not set, the value of default_ccache_name from configuration
83              files (see KRB5_CONFIG) will be used.  If that is also not  set,
84              the  default  type  is  FILE,  and  the  residual  is  the  path
85              /tmp/krb5cc_*uid*, where uid is the decimal user ID of the user.
86
87       KRB5_KTNAME
88              Specifies the location of the default keytab file, in  the  form
89              TYPE:residual.   If no type is present, the FILE type is assumed
90              and residual is the pathname of  the  keytab  file.   If  unset,
91              FILE:/etc/krb5.keytab will be used.
92
93       KRB5_CONFIG
94              Specifies  the location of the Kerberos configuration file.  The
95              default is /etc/krb5.conf.  Multiple filenames can be specified,
96              separated by a colon; all files which are present will be read.
97
98       KRB5_KDC_PROFILE
99              Specifies the location of the KDC configuration file, which con‐
100              tains additional configuration directives for the Key  Distribu‐
101              tion  Center  daemon  and  associated  programs.  The default is
102              /var/kerberos/krb5kdc/kdc.conf.
103
104       KRB5RCACHETYPE
105              Specifies the default type of replay cache to use  for  servers.
106              Valid types include dfl for the normal file type and none for no
107              replay cache.  The default is dfl.
108
109       KRB5RCACHEDIR
110              Specifies the  default  directory  for  replay  caches  used  by
111              servers.   The  default  is  the value of the TMPDIR environment
112              variable, or /var/tmp if TMPDIR is not set.
113
114       KRB5_TRACE
115              Specifies a filename to write trace log output to.   Trace  logs
116              can  help  illuminate  decisions made internally by the Kerberos
117              libraries.  For example, env KRB5_TRACE=/dev/stderr kinit  would
118              send  tracing  information  for  kinit(1)  to  /dev/stderr.  The
119              default is not to write trace log output anywhere.
120
121       KRB5_CLIENT_KTNAME
122              Default client  keytab  file  name.   If  unset,  FILE:/var/ker‐
123              beros/krb5/user/%{euid}/client.keytab will be used).
124
125       KPROP_PORT
126              kprop(8) port to use.  Defaults to 754.
127
128       Most  environment  variables are disabled for certain programs, such as
129       login system programs and setuid programs, which  are  designed  to  be
130       secure when run within an untrusted process environment.
131

SEE ALSO

133       kdestroy(1),   kinit(1),   klist(1),  kswitch(1),  kpasswd(1),  ksu(1),
134       krb5.conf(5),   kdc.conf(5),   kadmin(1),   kadmind(8),   kdb5_util(8),
135       krb5kdc(8)
136

BUGS

AUTHORS
139       Steve Miller, MIT Project Athena/Digital Equipment Corporation
140       Clifford Neuman, MIT Project Athena
141       Greg Hudson, MIT Kerberos Consortium
142       Robbie Harwood, Red Hat, Inc.
143
144

HISTORY
146       The  MIT Kerberos 5 implementation was developed at MIT, with contribu‐
147       tions from many outside parties.  It is currently maintained by the MIT
148       Kerberos Consortium.
149

RESTRICTIONS
151       Copyright  1985,  1986, 1989-1996, 2002, 2011, 2018 Masachusetts Insti‐
152       tute of Technology
153

AUTHOR
155       MIT
156

158       1985-2019, MIT
159
160
161
162
1631.17                                                               KERBEROS(7)



        

    


            
        

        

            Impressum