kerberos(8) [freebsd man page]
KERBEROS(8) BSD System Manager's Manual KERBEROS(8) NAME
kerberos -- introduction to the Kerberos system DESCRIPTION
Kerberos is a network authentication system. Its purpose is to securely authenticate users and services in an insecure network environment. This is done with a Kerberos server acting as a trusted third party, keeping a database with secret keys for all users and services (collec- tively called principals). Each principal belongs to exactly one realm, which is the administrative domain in Kerberos. A realm usually corresponds to an organisation, and the realm should normally be derived from that organisation's domain name. A realm is served by one or more Kerberos servers. The authentication process involves exchange of 'tickets' and 'authenticators' which together prove the principal's identity. When you login to the Kerberos system, either through the normal system login or with the kinit(1) program, you acquire a ticket granting ticket which allows you to get new tickets for other services, such as telnet or ftp, without giving your password. For more information on how Kerberos works, and other general Kerberos questions see the Kerberos FAQ at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. For setup instructions see the Heimdal Texinfo manual. SEE ALSO
ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1) HISTORY
The Kerberos authentication system was developed in the late 1980's as part of the Athena Project at the Massachusetts Institute of Technol- ogy. Versions one through three never reached outside MIT, but version 4 was (and still is) quite popular, especially in the academic commu- nity, but is also used in commercial products like the AFS filesystem. The problems with version 4 are that it has many limitations, the code was not too well written (since it had been developed over a long time), and it has a number of known security problems. To resolve many of these issues work on version five started, and resulted in IETF RFC 1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, also known as Kerberos clarifications. With the arrival of IETF RFC 4120, the work on adding extensibility and internationalization have started (Kerberos extensions), and a new RFC will hopefully appear soon. This manual page is part of the Heimdal Kerberos 5 distribution, which has been in development at the Royal Institute of Technology in Stock- holm, Sweden, since about 1997. HEIMDAL
September 1, 2000 HEIMDAL
Check Out this Related Man Page
KERBEROS(1) General Commands Manual KERBEROS(1) NAME
kerberos - introduction to the Kerberos system DESCRIPTION
The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use net- work utilities such as rlogin, rcp, and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. Note that these utilities will work without passwords only if the remote machines you deal with support the Kerberos system. If you enter your username and kinit responds with this message: Principal unknown (kerberos) you haven't been registered as a Kerberos user. See your system administrator. A Kerberos name usually contains three parts. The first is the primary, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as ``root'' or ``admin''. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an ``@'' sign. The following are examples of valid Kerberos names: david jennifer/admin joeuser@BLEEP.COM cbrown/root@FUBAR.ORG When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as rlogin and rcp. The ticket transactions are done trans- parently, so you don't have to worry about their management. Note, however, that tickets expire. Privileged tickets, such as those with the instance ``root'', expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets. Use the kinit command to re- authenticate yourself. If you use the kinit command to get your tickets, make sure you use the kdestroy command to destroy your tickets before you end your login session. You should put the kdestroy command in your .logout file so that your tickets will be destroyed automatically when you logout. For more information about the kinit and kdestroy commands, see the kinit(1) and kdestroy(1) manual pages. Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have for- wardable tickets, most Kerberos programs have a command line option to forward them to the remote host. Currently, Kerberos support is available for the following network services: rlogin, rsh, rcp, telnet, ftp, krdist (a Kerberized version of rdist), ksu (a Kerberized version of su), login, and Xdm. SEE ALSO
kdestroy(1), kinit(1), klist(1), kpasswd(1), rsh(1), rcp(1), rlogin(1), telnet(1), ftp(1), krdist(1), ksu(1), sclient(1), xdm(1), des_crypt(3), hash(3), krb5strings(3), krb5.conf(5), kdc.conf(5), kadmin(8), kadmind(8), kdb5_util(8), telnetd(8), ftpd(8), rdistd(8), sserver(8), klogind(8c), kshd(8c), login(8c) BUGS
AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation Clifford Neuman, MIT Project Athena HISTORY
Kerberos was developed at MIT. OpenVision rewrote and donated the administration server, which is used in the current version of Kerberos 5. RESTRICTIONS
Copyright 1985,1986,1989-1996 Massachusetts Institute of Technology KERBEROS(1)