OpenBSD manual page server

Manual Page Search Parameters




KERBEROS(1)                                           KERBEROS(1)


NAME
       kerberos - introduction to the Kerberos system


DESCRIPTION
       The  Kerberos  system  authenticates individual users in a
       network environment.   After  authenticating  yourself  to
       Kerberos,  you  can  use network utilities such as rlogin,
       rcp, and rsh without having to present passwords to remote
       hosts  and  without  having  to bother with .rhosts files.
       Note that these utilities will work without passwords only
       if  the remote machines you deal with support the Kerberos
       system.  All Athena timesharing machines and public  work-
       stations support Kerberos.

       Before  you  can  use  Kerberos,  you  must register as an
       Athena user, and you must make sure you have been added to
       the  Kerberos  database.  You can use the kinit command to
       find out.  This command tries to log you into the Kerberos
       system.   kinit  will  prompt you for a username and pass-
       word.  Enter your username and password.  If  the  utility
       lets  you  login  without  giving  you a message, you have
       already been registered.

       If you enter your username and kinit  responds  with  this
       message:

       Principal unknown (kerberos)

       you  haven't been registered as a Kerberos user.  See your
       system administrator.

       A Kerberos name contains three parts.  The  first  is  the
       principal  name,  which  is  usually a user's or service's
       name.  The second is the instance, which in the case of  a
       user  is  usually  null.   Some  users may have privileged
       instances, however, such as ``root'' or ``admin''.  In the
       case of a service, the instance is the name of the machine
       on which it runs; i.e. there can be an rlogin service run-
       ning  on  the  machine  ABC,  which  is different from the
       rlogin service running on the machine XYZ.  The third part
       of a Kerberos name is the realm.  The realm corresponds to
       the Kerberos  service  providing  authentication  for  the
       principal.   For  example, at MIT there is a Kerberos run-
       ning at the Laboratory for Computer Science and  one  run-
       ning at Project Athena.

       When  writing a Kerberos name, the principal name is sepa-
       rated from the instance (if not null) by a period, and the
       realm  (if  not  the  local realm) follows, preceded by an
       ``@'' sign.  The following are examples of valid  Kerberos
       names:

               billb



MIT Project Athena     Kerberos Version 4.0                     1





KERBEROS(1)                                           KERBEROS(1)


               jis.admin
               srz@lcs.mit.edu
               treese.root@athena.mit.edu

       When  you  authenticate  yourself  with  Kerberos, through
       either the workstation toehold system or  the  kinit  com-
       mand,  Kerberos  gives you an initial Kerberos ticket.  (A
       Kerberos ticket is an encrypted protocol message that pro-
       vides authentication.)  Kerberos uses this ticket for net-
       work utilities such as rlogin and rcp.  The ticket  trans-
       actions are done transparently, so you don't have to worry
       about their management.

       Note, however, that tickets expire.   Privileged  tickets,
       such  as  root  instance tickets, expire in a few minutes,
       while tickets that carry more ordinary privileges  may  be
       good  for several hours or a day, depending on the instal-
       lation's policy.  If your login session extends beyond the
       time  limit,  you will have to re-authenticate yourself to
       Kerberos to get new tickets.  Use the kinit command to re-
       authenticate yourself.

       If  you  use  the  kinit command to get your tickets, make
       sure you use the kdestroy command to destroy your  tickets
       before  you  end  your login session.  You should probably
       put the kdestroy command in your .logout file so that your
       tickets  will  be destroyed automatically when you logout.
       For more information about the  kinit  and  kdestroy  com-
       mands, see the kinit(1) and kdestroy(1) manual pages.

       Currently,  Kerberos  supports  the following network ser-
       vices: rlogin, rsh, rcp, pop, ftp, telnet, AFS and NFS.


SEE ALSO
BUGS
       Kerberos will not do authentication forwarding.  In  other
       words,  if  you  use rlogin to login to a remote host, you
       cannot use Kerberos services  from  that  host  until  you
       authenticate  yourself  explicitly on that host.  Although
       you may need to authenticate yourself on the remote  host,
       be  aware  that when you do so, rlogin sends your password
       across the network in clear text.


AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment  Corpo-
       ration
       Clifford Neuman, MIT Project Athena

       The  following people helped out on various aspects of the
       system:

       Jeff Schiller designed and wrote the administration server



MIT Project Athena     Kerberos Version 4.0                     2





KERBEROS(1)                                           KERBEROS(1)


       and  its  user  interface,  kadmin.  He also wrote the dbm
       version of the database management system.

       Mark Colan developed the Kerberos versions of rlogin, rsh,
       and rcp, as well as contributing work on the servers.

       John Ostlund developed the Kerberos versions of passwd and
       userreg.

       Stan Zanarotti  pioneered  Kerberos  in  a  foreign  realm
       (LCS),  and  made many contributions based on that experi-
       ence.

       Many people contributed code and/or useful ideas,  includ-
       ing  Jim  Aspnes,  Bob Baldwin, John Barba, Richard Basch,
       Jim Bloom,  Bill  Bryant,  Rob  French,  Dan  Geer,  David
       Jedlinsky,  John  Kohl, John Kubiatowicz, Bob McKie, Brian
       Murphy,  Ken  Raeburn,  Chris  Reed,  Jon  Rochlis,   Mike
       Shanzer,  Bill Sommerfeld, Jennifer Steiner, Ted Ts'o, and
       Win Treese.


RESTRICTIONS
       COPYRIGHT 1985,1986 Massachusetts Institute of Technology

































MIT Project Athena     Kerberos Version 4.0                     3