kerberos(7) - phpMan

Command: man perldoc info search(apropos)  

KERBEROS(7)                                MIT Kerberos                               KERBEROS(7)



NAME
       kerberos - Overview of using Kerberos

DESCRIPTION
       The  Kerberos  system  authenticates  individual  users  in  a network environment.  After
       authenticating yourself to Kerberos, you can use Kerberos-enabled programs without  having
       to present passwords or certificates to those programs.

       If you receive the following response from kinit(1):

       kinit: Client not found in Kerberos database while getting initial credentials

       you haven't been registered as a Kerberos user.  See your system administrator.

       A  Kerberos name usually contains three parts.  The first is the primary, which is usually
       a user's or service's name.  The second is the instance, which in the case of  a  user  is
       usually  null.   Some users may have privileged instances, however, such as root or admin.
       In the case of a service, the instance is the fully qualified name of the machine on which
       it  runs;  i.e.  there  can  be an ssh service running on the machine ABC (ssh/ABC@REALM),
       which is different from the ssh service running on the machine XYZ  (ssh/XYZ@REALM).   The
       third part of a Kerberos name is the realm.  The realm corresponds to the Kerberos service
       providing authentication for the principal.  Realms are conventionally all-uppercase,  and
       often  match  the end of hostnames in the realm (for instance, host01.example.com might be
       in realm EXAMPLE.COM).

       When writing a Kerberos name, the principal name is separated from the  instance  (if  not
       null) by a slash, and the realm (if not the local realm) follows, preceded by an "@" sign.
       The following are examples of valid Kerberos names:

          david
          jennifer/admin
          joeuser AT BLEEP.COM
          cbrown/root AT FUBAR.ORG

       When you authenticate yourself with Kerberos you get an initial Kerberos ticket.  (A  Ker-
       beros  ticket  is  an  encrypted protocol message that provides authentication.)  Kerberos
       uses this ticket for network utilities such as ssh.   The  ticket  transactions  are  done
       transparently, so you don't have to worry about their management.

       Note, however, that tickets expire.  Administrators may configure more privileged tickets,
       such as those with service or instance of root or admin, to expire in a few minutes, while
       tickets  that  carry  more ordinary privileges may be good for several hours or a day.  If
       your login session extends beyond the time limit, you will have to  re-authenticate  your-
       self to Kerberos to get new tickets using the kinit(1) command.

       Some  tickets  are  renewable beyond their initial lifetime.  This means that kinit -R can
       extend their lifetime without requiring you to re-authenticate.

       If you wish to delete your local tickets, use the kdestroy(1) command.

       Kerberos tickets can be forwarded.  In order to forward tickets, you must request forward-
       able  tickets  when  you kinit.  Once you have forwardable tickets, most Kerberos programs
       have a command line option to forward them to the remote host.  This can  be  useful  for,
       e.g.,  running  kinit on your local machine and then sshing into another to do work.  Note
       that this should not be done on untrusted machines since they will then have your tickets.

ENVIRONMENT VARIABLES
       Several environment variables affect the operation of  Kerberos-enabled  programs.   These
       include:

       KRB5CCNAME
              Default  name  for the credentials cache file, in the form TYPE:residual.  The type
              of the default cache may determine the availability of a cache collection.  FILE is
              not a collection type; KEYRING, DIR, and KCM are.

              If  not  set,  the  value  of  default_ccache_name  from  configuration  files (see
              KRB5_CONFIG) will be used.  If that is also not set, the default type is FILE,  and
              the residual is the path /tmp/krb5cc_*uid*, where uid is the decimal user ID of the
              user.

       KRB5_KTNAME
              Specifies the location of the default keytab file, in the form  TYPE:residual.   If
              no  type  is  present, the FILE type is assumed and residual is the pathname of the
              keytab file.  If unset, FILE:/etc/krb5.keytab will be used.

       KRB5_CONFIG
              Specifies the  location  of  the  Kerberos  configuration  file.   The  default  is
              /etc/krb5.conf.   Multiple  filenames  can  be specified, separated by a colon; all
              files which are present will be read.

       KRB5_KDC_PROFILE
              Specifies the location of the KDC configuration  file,  which  contains  additional
              configuration directives for the Key Distribution Center daemon and associated pro-
              grams.  The default is /var/kerberos/krb5kdc/kdc.conf.

       KRB5RCACHETYPE
              Specifies the default type of replay cache to use for servers.  Valid types include
              dfl for the normal file type and none for no replay cache.  The default is dfl.

       KRB5RCACHEDIR
              Specifies  the default directory for replay caches used by servers.  The default is
              the value of the TMPDIR environment variable, or /var/tmp if TMPDIR is not set.

       KRB5_TRACE
              Specifies a filename to write trace log output to.  Trace logs can help  illuminate
              decisions   made   internally   by   the  Kerberos  libraries.   For  example,  env
              KRB5_TRACE=/dev/stderr  kinit  would  send  tracing  information  for  kinit(1)  to
              /dev/stderr.  The default is not to write trace log output anywhere.

       KRB5_CLIENT_KTNAME
              Default     client     keytab     file     name.     If    unset,    FILE:/var/ker-
              beros/krb5/user/%{euid}/client.keytab will be used).

       KPROP_PORT
              kprop(8) port to use.  Defaults to 754.

       Most environment variables are disabled for certain programs, such as  login  system  pro-
       grams  and  setuid  programs, which are designed to be secure when run within an untrusted
       process environment.

SEE ALSO
       kdestroy(1),   kinit(1),   klist(1),   kswitch(1),   kpasswd(1),   ksu(1),   krb5.conf(5),
       kdc.conf(5), kadmin(1), kadmind(8), kdb5_util(8), krb5kdc(8)

BUGS
AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena
       Greg Hudson, MIT Kerberos Consortium
       Robbie Harwood, Red Hat, Inc.


HISTORY
       The  MIT Kerberos 5 implementation was developed at MIT, with contributions from many out-
       side parties.  It is currently maintained by the MIT Kerberos Consortium.

RESTRICTIONS
       Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts Institute of Technology

AUTHOR
       MIT

COPYRIGHT
       1985-2018, MIT




1.17                                                                                  KERBEROS(7)

Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache
Under GNU General Public License
2024-04-28 07:17 @3.12.161.161 CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Valid XHTML 1.0!Valid CSS!