
FreeBSD Manual Pages


KERBEROS(1)		    General Commands Manual		   KERBEROS(1)

NAME
       kerberos - introduction to the Kerberos system

DESCRIPTION
       The Kerberos system authenticates individual users in a network
       environment.  After authenticating yourself to Kerberos, you can use
       network utilities such as rlogin, rcp, and rsh without having to
       present passwords to remote hosts and without having to bother with
       .rhosts files.  Note that these utilities will work without passwords
       only if the remote machines you deal with support the Kerberos system.
       All Athena timesharing machines and public workstations support
       Kerberos.

       Before you can use Kerberos, you must register as an Athena user, and
       you must make sure you have been added to the Kerberos database.  You
       can use the kinit command to find out.  This command tries to log you
       into the Kerberos system.  kinit will prompt you for a username and
       password.  Enter your username and password.  If the utility lets you
       log in without giving you a message, you have already been registered.

       If you enter your username and kinit responds with this message:

       Principal unknown (kerberos)

       you haven't been registered as a Kerberos user.  See your system admin-

       A Kerberos name contains three parts.  The first is the principal name,
       which is usually a user's or service's name.  The second is the
       instance, which in the case of a user is usually null.  Some users may
       have privileged instances, however, such as ``root'' or ``admin''.  In
       the case of a service, the instance is the name of the machine on which
       it runs; i.e. there can be an rlogin service running on the machine
       ABC, which is different from the rlogin service running on the machine
       XYZ.  The third part of a Kerberos name is the realm.  The realm
       corresponds to the Kerberos service providing authentication for the
       principal.  For example, at MIT there is a Kerberos running at the
       Laboratory for Computer Science and one running at Project Athena.

       When writing a Kerberos name, the principal name is separated from the
       instance (if not null) by a period, and the realm (if not the local
       realm) follows, preceded by an ``@'' sign.  The following are examples
       of valid Kerberos names:


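Added example, not part of the manual page: a small Python parser and formatter for the three-part name form described above (principal, optional instance after a period, optional realm after ``@''), flagging the privileged ``root'' and ``admin'' instances the page mentions. The local realm string and the sample names used in the comments are constructed assumptions, not values from this page.

```python
from dataclasses import dataclass

# Assumed local realm for this example (site configuration in practice).
LOCAL_REALM = "LOCAL.REALM"
# Instances the manual page names as privileged for a user principal.
PRIVILEGED_INSTANCES = frozenset({"root", "admin"})

@dataclass(frozen=True)
class KerberosName:
    principal: str  # user's or service's name
    instance: str   # "" when null; the machine name for a service
    realm: str      # the Kerberos service that authenticates the principal

    def privileged(self) -> bool:
        """True for a user name with a privileged instance such as root."""
        return self.instance in PRIVILEGED_INSTANCES

    def written(self, local_realm: str = LOCAL_REALM) -> str:
        """Written form: '.instance' only if not null, '@realm' only if
        the realm is not the local one, as the manual page describes."""
        text = self.principal
        if self.instance:
            text += "." + self.instance
        if self.realm != local_realm:
            text += "@" + self.realm
        return text

def parse_name(text: str, local_realm: str = LOCAL_REALM) -> KerberosName:
    """Split a written name into its three parts; ValueError on a bad name.
    Constructed samples: 'alice', 'alice.admin', 'rlogin.abc@lcs.example'."""
    if text.count("@") > 1:
        raise ValueError("more than one '@' in %r" % text)
    local, at, realm = text.partition("@")
    if at and not realm:
        raise ValueError("'@' present but realm is empty in %r" % text)
    if not at:
        realm = local_realm  # no realm written: the local realm is meant
    principal, dot, instance = local.partition(".")
    if not principal:
        raise ValueError("empty principal in %r" % text)
    if dot and not instance:
        raise ValueError("'.' present but instance is empty in %r" % text)
    return KerberosName(principal, instance, realm)

def is_valid_name(text: str) -> bool:
    try:
        parse_name(text)
    except ValueError:
        return False
    return True
```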
       When you authenticate yourself with Kerberos, through either the
       workstation toehold system or the kinit command, Kerberos gives you an
       initial Kerberos ticket.  (A Kerberos ticket is an encrypted protocol
       message that provides authentication.)  Kerberos uses this ticket for
       network utilities such as rlogin and rcp.  The ticket transactions are
       done transparently, so you don't have to worry about their management.

       Note, however, that tickets expire.  Privileged tickets, such as root
       instance tickets, expire in a few minutes, while tickets that carry
       more ordinary privileges may be good for several hours or a day,
       depending on the installation's policy.  If your login session extends
       beyond the time limit, you will have to re-authenticate yourself to
       Kerberos to get new tickets.  Use the kinit command to re-authenticate.

       If you use the kinit command to get your tickets, make sure you use the
       kdestroy command to destroy your tickets before you end your login
       session.  You should probably put the kdestroy command in your .logout
       file so that your tickets will be destroyed automatically when you log
       out.  For more information about the kinit and kdestroy commands, see
       the kinit(1) and kdestroy(1) manual pages.

       Currently, Kerberos supports the following network services: rlogin,
       rsh, rcp, pop, ftp, telnet, AFS and NFS.

SEE ALSO
       kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),

BUGS
       Kerberos will not do authentication forwarding.  In other words, if you
       use rlogin to log in to a remote host, you cannot use Kerberos services
       from that host until you authenticate yourself explicitly on that host.
       Although you may need to authenticate yourself on the remote host, be
       aware that when you do so, rlogin sends your password across the
       network in clear text.

AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena

       The following people helped out on various aspects of the system:

       Jeff Schiller designed and wrote the administration server and its user
       interface, kadmin.  He also wrote the dbm version of the database
       management system.

       Mark Colan developed the Kerberos versions of rlogin, rsh, and rcp, as
       well as contributing work on the servers.

       John Ostlund developed the Kerberos versions of passwd and userreg.

       Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), and made
       many contributions based on that experience.

       Many people contributed code and/or useful ideas, including Jim Aspnes,
       Bob Baldwin, John Barba, Richard Basch, Jim Bloom, Bill Bryant, Rob
       French, Dan Geer, David Jedlinsky, John Kohl, John Kubiatowicz, Bob
       McKie, Brian Murphy, Ken Raeburn, Chris Reed, Jon Rochlis, Mike
       Shanzer, Bill Sommerfeld, Jennifer Steiner, Ted Ts'o, and Win Treese.

       COPYRIGHT 1985,1986 Massachusetts Institute of Technology

MIT Project Athena	     Kerberos Version 4.0		   KERBEROS(1)

