1KERBEROS(1)                 General Commands Manual                KERBEROS(1)
2
3
4

NAME

6       kerberos - introduction to the Kerberos system
7

DESCRIPTION

9       The  Kerberos  system authenticates individual users in a network envi‐
10       ronment.  After authenticating yourself to Kerberos, you can  use  net‐
11       work  utilities  such as rlogin, rcp, and rsh without having to present
12       passwords to remote hosts and without having  to  bother  with  .rhosts
13       files.   Note  that these utilities will work without passwords only if
14       the remote machines you deal with support the Kerberos system.
15
16       If you enter your username and kinit responds with this message:
17
18       kinit(v5): Client not found in Kerberos database while getting  initial
19       credentials
20
21       you haven't been registered as a Kerberos user.  See your system admin‐
22       istrator.
23
24       A Kerberos name usually contains three parts.  The first  is  the  pri‐
25       mary,  which  is usually a user's or service's name.  The second is the
26       instance, which in the case of a user is usually null.  Some users  may
27       have  privileged instances, however, such as ``root'' or ``admin''.  In
28       the case of a service, the instance is the fully qualified name of  the
29       machine  on  which it runs; i.e. there can be an rlogin service running
30       on the machine ABC, which is different from the rlogin service  running
31       on  the  machine  XYZ.  The third part of a Kerberos name is the realm.
32       The realm corresponds to the Kerberos service providing  authentication
33       for the principal.
34
35       When  writing a Kerberos name, the principal name is separated from the
36       instance (if not null) by a slash, and the  realm  (if  not  the  local
37       realm)  follows, preceded by an ``@'' sign.  The following are examples
38       of valid Kerberos names:
39
40               david
41               jennifer/admin
42               joeuser@BLEEP.COM
43               cbrown/root@FUBAR.ORG
44
45       When you authenticate yourself with Kerberos you get  an  initial  Ker‐
46       beros ticket.  (A Kerberos ticket is an encrypted protocol message that
47       provides authentication.)  Kerberos uses this ticket for network utili‐
48       ties  such  as rlogin and rcp.  The ticket transactions are done trans‐
49       parently, so you don't have to worry about their management.
50
51       Note, however, that tickets expire.  Privileged tickets, such as  those
52       with the instance ``root'', expire in a few minutes, while tickets that
53       carry more ordinary privileges may be good for several hours or a  day,
54       depending  on the installation's policy.  If your login session extends
55       beyond the time limit, you will have  to  re-authenticate  yourself  to
56       Kerberos  to get new tickets.  Use the kinit command to re-authenticate
57       yourself.
58
59       If you use the kinit command to get your tickets, make sure you use the
60       kdestroy command to destroy your tickets before you end your login ses‐
61       sion.  You should put the kdestroy command in your .logout file so that
62       your tickets will be destroyed automatically when you logout.  For more
63       information about the kinit and kdestroy commands, see the kinit(1) and
64       kdestroy(1) manual pages.
65
66       Kerberos  tickets  can  be forwarded.  In order to forward tickets, you
67       must request forwardable tickets when you kinit.  Once  you  have  for‐
68       wardable  tickets, most Kerberos programs have a command line option to
69       forward them to the remote host.
70
71       Currently, Kerberos support is available for the following network ser‐
72       vices:  rlogin,  rsh, rcp, telnet, ftp, krdist (a Kerberized version of
73       rdist), ksu (a Kerberized version of su), login, and Xdm.
74

SEE ALSO

76       kdestroy(1),  kinit(1),  klist(1),   kpasswd(1),   rsh   (1),   rcp(1),
77       rlogin(1),  telnet(1),  ftp(1),  krdist(1), ksu(1), sclient(1), xdm(1),
78       des_crypt(3), hash(3), krb5strings(3), krb5.conf(5), kdc.conf(5),  kad‐
79       min(8),   kadmind(8),  kdb5_util(8),  telnetd(8),  ftpd(8),  rdistd(8),
80       sserver(8), klogind(8c), kshd(8c), login(8c)
81

BUGS

AUTHORS
84       Steve Miller, MIT Project Athena/Digital Equipment Corporation
85       Clifford Neuman, MIT Project Athena
86

HISTORY
88       Kerberos was developed at MIT.   OpenVision  rewrote  and  donated  the
89       administration server, which is used in the current version of Kerberos
90       5.
91

RESTRICTIONS
93       Copyright 1985,1986,1989-1996,2002 Massachusetts Institute of  Technol‐
94       ogy
95
96
97
98                                                                   KERBEROS(1)



        

    


            
        

        

            Impressum