Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

kerberos(8) [netbsd man page]

KERBEROS(8)						    BSD System Manager's Manual 					       KERBEROS(8)

NAME

     kerberos -- introduction to the Kerberos system

DESCRIPTION

     Kerberos is a network authentication system. Its purpose is to securely authenticate users and services in an insecure network environment.

     This is done with a Kerberos server acting as a trusted third party, keeping a database with secret keys for all users and services (collec-
     tively called principals).

     Each principal belongs to exactly one realm, which is the administrative domain in Kerberos. A realm usually corresponds to an organisation,
     and the realm should normally be derived from that organisation's domain name. A realm is served by one or more Kerberos servers.

     The authentication process involves exchange of 'tickets' and 'authenticators' which together prove the principal's identity.

     When you login to the Kerberos system, either through the normal system login or with the kinit(1) program, you acquire a ticket granting
     ticket which allows you to get new tickets for other services, such as telnet or ftp, without giving your password.

     For more information on how Kerberos works, and other general Kerberos questions see the Kerberos FAQ at
     http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html.

     For setup instructions see the Heimdal Texinfo manual.

SEE ALSO

     ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1)

HISTORY

     The Kerberos authentication system was developed in the late 1980's as part of the Athena Project at the Massachusetts Institute of Technol-
     ogy. Versions one through three never reached outside MIT, but version 4 was (and still is) quite popular, especially in the academic commu-
     nity, but is also used in commercial products like the AFS filesystem.

     The problems with version 4 are that it has many limitations, the code was not too well written (since it had been developed over a long
     time), and it has a number of known security problems. To resolve many of these issues work on version five started, and resulted in IETF RFC
     1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, also known as Kerberos clarifications. With the arrival of IETF RFC
     4120, the work on adding extensibility and internationalization have started (Kerberos extensions), and a new RFC will hopefully appear soon.

     This manual page is part of the Heimdal Kerberos 5 distribution, which has been in development at the Royal Institute of Technology in Stock-
     holm, Sweden, since about 1997.

BSD
								 September 1, 2000							       BSD

Check Out this Related Man Page

kinit(8krb)															       kinit(8krb)

Name
       kinit - Kerberos login utility

Syntax
       /usr/bin/kinit [ -irv ]

Description
       You  use the command to log into the Kerberos authentication and authorization system.  You also use the command when your original tickets
       have expired.  When you use the command without options, the utility prompts for a username and a Kerberos password and attempts to authen-
       ticate to the local Kerberos server.

       If  Kerberos  authenticates you correctly, retrieves your initial ticket and puts it in the ticket file specified by the KRBTKFILE environ-
       ment variable.  If you have not defined this variable, the ticket is stored in the file

       Make sure you use the command to destroy any active tickets before ending your login session.  You may want to put the command in a file so
       that all tickets are destroyed automatically when you log out.  Only registered Kerberos users can use the Kerberos system.

Options
       -i     Causes to prompt you for a Kerberos instance.

       -r     Causes to prompt you for a Kerberos realm.  This option lets you authenticate yourself with a remote Kerberos server.

       -v     Initiates verbose mode.	This causes to print the name of the ticket file used and a status message indicating the success or fail-
	      ure of your login attempt.

Restrictions
       Although user-level authentication is not supported, is useful for testing the installation of Kerberos functionality, by determining if  a
       newly  installed  principal  can  obtain  a  ticket-granting  ticket.  For example, to determine if the running on machine X can obtain its
       ticket-granting ticket, you can run input the principal name, the instance, X, and the password of If succeeds, then Kerberos is  correctly
       installed on machine X.

       The option has not been fully implemented.

Files
       See Also
	      kdestroy(8krb), klist(8krb)

																       kinit(8krb)
Man Page