KERBEROS(1) General Commands Manual KERBEROS(1)

NAME
kerberos - introduction to the Kerberos system

DESCRIPTION
The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords.

If you enter your username and kinit responds with this message:

kinit(v5): Client not found in Kerberos database while getting initial credentials

you haven't been registered as a Kerberos user. See your system administrator.

A Kerberos name usually contains three parts. The first is the primary, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root'' or ``admin''. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e., there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal.

When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an ``@'' sign. The following are examples of valid Kerberos names:

david
jennifer/admin
joeuser@BLEEP.COM
cbrown/root@FUBAR.ORG
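
An added example (not code from MIT Kerberos) that parses and re-formats names of the primary[/instance][@REALM] form described above, rejecting empty parts and a second ``@'' as malformed; the realm LOCALREALM.EXAMPLE used for the local realm is a constructed value.

```python
"""Parse and format Kerberos names of the form primary[/instance][@REALM].
Added illustration of the naming rules above; not code from MIT Kerberos."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str] = None  # None: the instance is null
    realm: Optional[str] = None     # None: the local realm is implied


def parse_principal(name: str) -> Principal:
    """Split a name into its parts: the realm follows the single '@',
    the instance follows the first '/' before it.  Empty parts and a
    second '@' are rejected as malformed rather than silently accepted."""
    parts = name.split("@")
    if len(parts) > 2:
        raise ValueError(f"more than one '@' in {name!r}")
    rest, realm = (parts[0], parts[1]) if len(parts) == 2 else (parts[0], None)
    if realm == "":
        raise ValueError(f"empty realm in {name!r}")
    if "/" in rest:
        primary, instance = rest.split("/", 1)
        if not instance:
            raise ValueError(f"empty instance in {name!r}")
    else:
        primary, instance = rest, None
    if not primary:
        raise ValueError(f"empty primary in {name!r}")
    return Principal(primary, instance, realm)


def format_principal(p: Principal, local_realm: Optional[str] = None) -> str:
    """Inverse of parse_principal.  When local_realm is given, a name with
    no explicit realm is written out fully qualified with it."""
    s = p.primary if p.instance is None else f"{p.primary}/{p.instance}"
    realm = p.realm if p.realm is not None else local_realm
    return s if realm is None else f"{s}@{realm}"


# The four example names from the text above.
EXAMPLES = ["david", "jennifer/admin", "joeuser@BLEEP.COM", "cbrown/root@FUBAR.ORG"]

if __name__ == "__main__":
    for n in EXAMPLES:
        # LOCALREALM.EXAMPLE is a constructed stand-in for the local realm.
        print(n, "->", format_principal(parse_principal(n), "LOCALREALM.EXAMPLE"))
```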

When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as rlogin and rcp. The ticket transactions are done transparently, so you don't have to worry about their management.

Note, however, that tickets expire. Privileged tickets, such as those with the instance ``root'', expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets. Use the kinit command to re-authenticate yourself.

If you use the kinit command to get your tickets, make sure you use the kdestroy command to destroy your tickets before you end your login session. You should put the kdestroy command in your .logout file so that your tickets will be destroyed automatically when you logout. For more information about the kinit and kdestroy commands, see the kinit(1) and kdestroy(1) manual pages.

Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host.

ENVIRONMENT VARIABLES
Several environment variables affect the operation of Kerberos-enabled programs. These include:

KRB5CCNAME
Specifies the location of the credential cache, in the form TYPE:residual. If no type prefix is present, the FILE type is assumed and residual is the pathname of the cache file. A collection of multiple caches may be used by specifying the DIR type and the pathname of a private directory (which must already exist). The default cache file is /tmp/krb5cc_uid where uid is the decimal user ID of the user.

KRB5_KTNAME
Specifies the location of the keytab file, in the form TYPE:residual. If no type is present, the FILE type is assumed and residual is the pathname of the keytab file. The default keytab file is /etc/krb5.keytab.

KRB5_CONFIG
Specifies the location of the Kerberos configuration file. The default is /etc/krb5.conf.

KRB5_KDC_PROFILE
Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is /var/kerberos/krb5kdc/kdc.conf.

KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid types include "dfl" for the normal file type and "none" for no replay cache.

KRB5RCACHEDIR
Specifies the default directory for replay caches used by servers. The default is the value of the TMPDIR environment variable, or /var/tmp if TMPDIR is not set.

KRB5_TRACE
Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. The default is not to write trace log output anywhere.

Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment.
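
An added model (not MIT library code) of how the credential cache and keytab names above are resolved: the TYPE:residual split with FILE as the default type, the per-uid default cache file, the requirement that a DIR collection's directory already exist, and the rule that a program running in an untrusted environment ignores the variables. The trusted_env flag and the dir_exists hook are assumptions of this model, and the environment values in the demo are constructed.

```python
"""Resolve credential cache and keytab names from the environment as the
variables above describe.  Added model; not code from MIT Kerberos."""
import os
from typing import Callable, Mapping, Tuple

DEFAULT_CCACHE = "/tmp/krb5cc_{uid}"   # uid is the decimal user ID
DEFAULT_KEYTAB = "/etc/krb5.keytab"


def split_cache_name(name: str, default_type: str = "FILE") -> Tuple[str, str]:
    """Split 'TYPE:residual'; a bare value gets the default type and is
    taken to be a pathname."""
    if ":" in name:
        ctype, residual = name.split(":", 1)
        return ctype, residual
    return default_type, name


def resolve_ccache(env: Mapping[str, str], uid: int, trusted_env: bool = True,
                   dir_exists: Callable[[str], bool] = os.path.isdir) -> Tuple[str, str]:
    """Choose the credential cache.  KRB5CCNAME is honoured only when the
    process environment is trusted (trusted_env is an assumed flag standing
    in for the setuid and login-program case); otherwise the per-uid default
    file is used.  A DIR collection must already exist, so that is checked
    here rather than discovered later when a cache write fails."""
    name = env.get("KRB5CCNAME") if trusted_env else None
    if not name:
        return "FILE", DEFAULT_CCACHE.format(uid=uid)
    ctype, residual = split_cache_name(name)
    if ctype == "DIR" and not dir_exists(residual):
        raise FileNotFoundError(f"DIR cache directory {residual!r} must already exist")
    return ctype, residual


def resolve_keytab(env: Mapping[str, str], trusted_env: bool = True) -> Tuple[str, str]:
    """Same rule for the keytab: KRB5_KTNAME when trusted, else the default."""
    name = env.get("KRB5_KTNAME") if trusted_env else None
    return split_cache_name(name) if name else ("FILE", DEFAULT_KEYTAB)


if __name__ == "__main__":
    # Constructed environment: a DIR collection whose directory is assumed to exist.
    demo_env = {"KRB5CCNAME": "DIR:/home/jennifer/.krb5cc", "KRB5_KTNAME": "/etc/svc.keytab"}
    print(resolve_ccache(demo_env, 1000, dir_exists=lambda p: True))
    print(resolve_ccache(demo_env, 1000, trusted_env=False))   # env ignored: default file
    print(resolve_keytab(demo_env))
```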

SEE ALSO
kdestroy(1), kinit(1), klist(1), kswitch(1), kpasswd(1), ksu(1), krb5.conf(5), kdc.conf(5), kadmin(1), kadmind(8), kdb5_util(8), krb5kdc(8)

AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium

HISTORY
The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium.

RESTRICTIONS
Copyright 1985,1986,1989-1996,2002,2011 Massachusetts Institute of Technology