FreeBSD Manual Pages
KERBEROS(1)							   KERBEROS(1)

NAME
       kerberos - introduction to the Kerberos system

DESCRIPTION
       The Kerberos system authenticates individual users in a network
       environment. After authenticating yourself to Kerberos, you can use
       network utilities such as rlogin, rcp, and rsh without having to
       present passwords to remote hosts and without having to bother with
       .rhosts files. Note that these utilities will work without passwords
       only if the remote machines you deal with support the Kerberos
       system. All Athena timesharing machines and public workstations
       support Kerberos.

       Before you can use Kerberos, you must register as an Athena user, and
       you must make sure you have been added to the Kerberos database. You
       can use the kinit command to find out. This command tries to log you
       into the Kerberos system. kinit will prompt you for a username and
       password. Enter your username and password. If the utility lets you
       log in without giving you a message, you have already been
       registered.

       If you enter your username and kinit responds with this message:

       Principal unknown (kerberos)

       you haven't been	registered as a	Kerberos user.	See your system	admin-

       A Kerberos name contains three parts. The first is the principal name,
       which is usually a user's or service's name. The second is the
       instance, which in the case of a user is usually null. Some users may
       have privileged instances, however, such as ``root'' or ``admin''. In
       the case of a service, the instance is the name of the machine on
       which it runs; i.e., there can be an rlogin service running on the
       machine ABC, which is different from the rlogin service running on the
       machine XYZ. The third part of a Kerberos name is the realm. The realm
       corresponds to the Kerberos service providing authentication for the
       principal. For example, at MIT there is a Kerberos running at the
       Laboratory for Computer Science and one running at Project Athena.

       When writing a Kerberos name, the principal name is separated from the
       instance (if not null) by a period, and the realm (if not the local
       realm) follows, preceded by an ``@'' sign. The following are examples
       of valid Kerberos names:


       When you authenticate yourself with Kerberos, through either the
       workstation toehold system or the kinit command, Kerberos gives you an
       initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol
       message that provides authentication.) Kerberos uses this ticket for
       network utilities such as rlogin and rcp. The ticket transactions are
       done transparently, so you don't have to worry about their management.

       Note, however, that tickets expire. Privileged tickets, such as root
       instance tickets, expire in a few minutes, while tickets that carry
       more ordinary privileges may be good for several hours or a day,
       depending on the installation's policy. If your login session extends
       beyond the time limit, you will have to re-authenticate yourself to
       Kerberos to get new tickets. Use the kinit command to re-authenticate
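The following is an added example, not code from the manual page or from the Kerberos distribution. It parses and prints Kerberos version 4 names in the principal[.instance][@realm] form described above, flags the privileged instances the page names (``root'' and ``admin''), and applies the instance-dependent ticket lifetime policy the page describes: a short lifetime for privileged instances, a longer one otherwise. The local realm name LOCAL.REALM, the realm OTHER.REALM, and the two lifetime values are constructed placeholders; the page gives only "a few minutes" and "several hours or a day".

```python
"""Added example: Kerberos v4 name parsing and instance-based ticket lifetime.

Assumptions not taken from the manual page: the local realm name, the concrete
lifetime values, and the sample names are constructed for illustration.
"""
from dataclasses import dataclass

LOCAL_REALM = "LOCAL.REALM"               # constructed placeholder for the local realm
PRIVILEGED_INSTANCES = {"root", "admin"}  # instances the page calls privileged

PRIVILEGED_LIFETIME = 10 * 60       # seconds; stands in for "a few minutes" (constructed)
ORDINARY_LIFETIME = 10 * 60 * 60    # seconds; stands in for "several hours" (constructed)


@dataclass(frozen=True)
class KerberosName:
    principal: str
    instance: str = ""          # empty string is the "null" instance of the page
    realm: str = LOCAL_REALM

    def is_privileged(self) -> bool:
        return self.instance in PRIVILEGED_INSTANCES

    def __str__(self) -> str:
        # Written form: instance follows a period only if not null,
        # realm follows an '@' only if it is not the local realm.
        text = self.principal
        if self.instance:
            text += "." + self.instance
        if self.realm != LOCAL_REALM:
            text += "@" + self.realm
        return text


def parse_name(text: str, local_realm: str = LOCAL_REALM) -> KerberosName:
    """Split text into (principal, instance, realm) using the page's rules.

    A missing '@realm' means the local realm; a missing '.instance' means the
    null instance. Empty components are rejected rather than silently accepted.
    """
    if not text or text.startswith((".", "@")):
        raise ValueError(f"invalid Kerberos name: {text!r}")
    head, at, realm = text.partition("@")
    if at and not realm:
        raise ValueError(f"empty realm in {text!r}")
    principal, dot, instance = head.partition(".")
    if dot and not instance:
        raise ValueError(f"empty instance in {text!r}")
    return KerberosName(principal, instance, realm or local_realm)


def is_valid_name(text: str) -> bool:
    """Convenience wrapper: True if parse_name accepts the text."""
    try:
        parse_name(text)
        return True
    except ValueError:
        return False


def ticket_lifetime(name: KerberosName) -> int:
    """Lifetime in seconds granted to a ticket for this name under the
    constructed policy: short for privileged instances, longer otherwise."""
    return PRIVILEGED_LIFETIME if name.is_privileged() else ORDINARY_LIFETIME


def ticket_valid(name: KerberosName, issued_at: int, now: int) -> bool:
    """True while a ticket issued at issued_at (Unix seconds) is unexpired at now."""
    return issued_at <= now < issued_at + ticket_lifetime(name)


if __name__ == "__main__":
    # Constructed sample names: a plain user, a privileged instance, and an
    # rlogin service on machine ABC in a foreign realm.
    for sample in ("jsmith", "jsmith.root", "rlogin.ABC@OTHER.REALM"):
        name = parse_name(sample)
        print(f"{sample:28} -> {name!r}  privileged={name.is_privileged()}"
              f"  lifetime={ticket_lifetime(name)}s")
```

Because the written form omits the instance when null and the realm when local, formatting a parsed name round-trips only to the canonical short form; `jsmith@LOCAL.REALM` parses to the same name as `jsmith` and prints as `jsmith`.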

       If you use the kinit command to get your tickets, make sure you use
       the kdestroy command to destroy your tickets before you end your login
       session. You should probably put the kdestroy command in your .logout
       file so that your tickets will be destroyed automatically when you log
       out. For more information about the kinit and kdestroy commands, see
       the kinit(1) and kdestroy(1) manual pages.

       Currently, Kerberos supports the following network services: rlogin,
       rsh, rcp, pop, ftp, telnet, AFS and NFS.

SEE ALSO
       kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),

BUGS
       Kerberos will not do authentication forwarding. In other words, if you
       use rlogin to log in to a remote host, you cannot use Kerberos services
       from that host until you authenticate yourself explicitly on that
       host. Although you may need to authenticate yourself on the remote
       host, be aware that when you do so, rlogin sends your password across
       the network in clear text.

AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena

       The following people helped out on various aspects of the system:

       Jeff Schiller designed and wrote the administration server and its
       user interface, kadmin. He also wrote the dbm version of the database
       management system.

       Mark Colan developed the Kerberos versions of rlogin, rsh, and rcp, as
       well as contributing work on the servers.

       John Ostlund developed the Kerberos versions of passwd and userreg.

       Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), and made
       many contributions based on that experience.

       Many people contributed code and/or useful ideas, including Jim Aspnes,
       Bob Baldwin, John Barba, Richard Basch, Jim Bloom, Bill Bryant, Rob
       French, Dan Geer, David Jedlinsky, John Kohl, John Kubiatowicz, Bob
       McKie, Brian Murphy, Ken Raeburn, Chris Reed, Jon Rochlis, Mike
       Shanzer, Bill Sommerfeld, Jennifer Steiner, Ted Ts'o, and Win Treese.

       COPYRIGHT 1985,1986 Massachusetts Institute of Technology

MIT Project Athena	     Kerberos Version 4.0		   KERBEROS(1)
