kerberos(7)

1KERBEROS(7)                      MIT Kerberos                      KERBEROS(7)
2
3
4

NAME

6       kerberos - Overview of using Kerberos
7

DESCRIPTION

9       The  Kerberos  system authenticates individual users in a network envi‐
10       ronment.  After authenticating yourself to Kerberos, you can  use  Ker‐
11       beros-enabled  programs without having to present passwords or certifi‐
12       cates to those programs.
13
14       If you receive the following response from kinit(1):
15
16       kinit: Client not found in Kerberos database while getting initial cre‐
17       dentials
18
19       you haven't been registered as a Kerberos user.  See your system admin‐
20       istrator.
21
22       A Kerberos name usually contains three parts.  The first  is  the  pri‐
23       mary,  which  is usually a user's or service's name.  The second is the
24       instance, which in the case of a user is usually null.  Some users  may
25       have privileged instances, however, such as root or admin.  In the case
26       of a service, the instance is the fully qualified name of  the  machine
27       on  which  it runs; i.e. there can be an ssh service running on the ma‐
28       chine ABC (ssh/ABC@REALM), which is different from the ssh service run‐
29       ning  on the machine XYZ (ssh/XYZ@REALM).  The third part of a Kerberos
30       name is the realm.  The realm corresponds to the Kerberos service  pro‐
31       viding  authentication  for  the  principal.  Realms are conventionally
32       all-uppercase, and often match the end of hostnames in the  realm  (for
33       instance, host01.example.com might be in realm EXAMPLE.COM).
34
35       When  writing a Kerberos name, the principal name is separated from the
36       instance (if not null) by a slash, and the  realm  (if  not  the  local
37       realm) follows, preceded by an "@" sign.  The following are examples of
38       valid Kerberos names:
39
40          david
41          jennifer/admin
42          joeuser@BLEEP.COM
43          cbrown/root@FUBAR.ORG
44
45       When you authenticate yourself with Kerberos you get  an  initial  Ker‐
46       beros ticket.  (A Kerberos ticket is an encrypted protocol message that
47       provides authentication.)  Kerberos uses this ticket for network utili‐
48       ties  such  as ssh.  The ticket transactions are done transparently, so
49       you don't have to worry about their management.
50
51       Note, however, that tickets expire.  Administrators may configure  more
52       privileged  tickets,  such as those with service or instance of root or
53       admin, to expire in a few minutes, while tickets that carry more  ordi‐
54       nary  privileges may be good for several hours or a day.  If your login
55       session extends beyond the time limit, you will have to re-authenticate
56       yourself to Kerberos to get new tickets using the kinit(1) command.
57
58       Some  tickets  are renewable beyond their initial lifetime.  This means
59       that kinit -R can extend their lifetime without requiring you to re-au‐
60       thenticate.
61
62       If you wish to delete your local tickets, use the kdestroy(1) command.
63
64       Kerberos  tickets  can  be forwarded.  In order to forward tickets, you
65       must request forwardable tickets when you kinit.  Once  you  have  for‐
66       wardable  tickets, most Kerberos programs have a command line option to
67       forward them to the remote host.  This can be useful for, e.g., running
68       kinit  on  your  local machine and then sshing into another to do work.
69       Note that this should not be done on untrusted machines since they will
70       then have your tickets.
71

ENVIRONMENT VARIABLES

73       Several  environment variables affect the operation of Kerberos-enabled
74       programs.  These include:
75
76       KRB5CCNAME
77              Default name  for  the  credentials  cache  file,  in  the  form
78              TYPE:residual.   The type of the default cache may determine the
79              availability of a cache collection.  FILE is  not  a  collection
80              type; KEYRING, DIR, and KCM are.
81
82              If  not set, the value of default_ccache_name from configuration
83              files (see KRB5_CONFIG) will be used.  If that is also not  set,
84              the  default  type  is  FILE,  and  the  residual  is  the  path
85              /tmp/krb5cc_*uid*, where uid is the decimal user ID of the user.
86
87       KRB5_KTNAME
88              Specifies the location of the default keytab file, in  the  form
89              TYPE:residual.   If no type is present, the FILE type is assumed
90              and residual is the pathname of  the  keytab  file.   If  unset,
91              FILE:/etc/krb5.keytab will be used.
92
93       KRB5_CONFIG
94              Specifies  the location of the Kerberos configuration file.  The
95              default is /etc/krb5.conf.  Multiple filenames can be specified,
96              separated by a colon; all files which are present will be read.
97
98       KRB5_KDC_PROFILE
99              Specifies the location of the KDC configuration file, which con‐
100              tains additional configuration directives for the Key  Distribu‐
101              tion  Center  daemon  and  associated  programs.  The default is
102              /var/kerberos/krb5kdc/kdc.conf.
103
104       KRB5RCACHENAME
105              (New in release 1.18) Specifies the location of the default  re‐
106              play  cache,  in  the form type:residual.  The file2 type with a
107              pathname residual specifies a replay cache file in the version-2
108              format  in  the  specified location.  The none type (residual is
109              ignored) disables the replay cache.  The dfl type  (residual  is
110              ignored)  indicates the default, which uses a file2 replay cache
111              in a temporary directory.  The default is dfl:.
112
113       KRB5RCACHETYPE
114              Specifies  the  type   of   the   default   replay   cache,   if
115              KRB5RCACHENAME is unspecified.  No residual can be specified, so
116              none and dfl are the only useful types.
117
118       KRB5RCACHEDIR
119              Specifies the directory used by the dfl replay cache type.   The
120              default  is  the  value  of  the TMPDIR environment variable, or
121              /var/tmp if TMPDIR is not set.
122
123       KRB5_TRACE
124              Specifies a filename to write trace log output to.   Trace  logs
125              can  help  illuminate  decisions made internally by the Kerberos
126              libraries.  For example, env KRB5_TRACE=/dev/stderr kinit  would
127              send  tracing  information for kinit(1) to /dev/stderr.  The de‐
128              fault is not to write trace log output anywhere.
129
130       KRB5_CLIENT_KTNAME
131              Default client  keytab  file  name.   If  unset,  FILE:/var/ker‐
132              beros/krb5/user/%{euid}/client.keytab will be used).
133
134       KPROP_PORT
135              kprop(8) port to use.  Defaults to 754.
136
137       GSS_MECH_CONFIG
138              Specifies a filename containing GSSAPI mechanism module configu‐
139              ration.  The default is to read /etc/gss/mech and files  with  a
140              .conf suffix within the directory /etc/gss/mech.d.
141
142       Most  environment  variables are disabled for certain programs, such as
143       login system programs and setuid programs, which are designed to be se‐
144       cure when run within an untrusted process environment.
145

BUGS

AUTHORS

153       Steve Miller, MIT Project Athena/Digital Equipment Corporation
154       Clifford Neuman, MIT Project Athena
155       Greg Hudson, MIT Kerberos Consortium
156       Robbie Harwood, Red Hat, Inc.
157
158

HISTORY

160       The  MIT Kerberos 5 implementation was developed at MIT, with contribu‐
161       tions from many outside parties.  It is currently maintained by the MIT
162       Kerberos Consortium.
163

RESTRICTIONS

165       Copyright  1985,  1986, 1989-1996, 2002, 2011, 2018 Masachusetts Insti‐
166       tute of Technology
167

AUTHOR

169       MIT
170

COPYRIGHT

172       1985-2021, MIT
173
174
175
176
1771.19.2                                                             KERBEROS(7)