| 1 | .\" Copyright (c) 2000 Kungliga Tekniska Högskolan
|
|---|
| 2 | .\" (Royal Institute of Technology, Stockholm, Sweden).
|
|---|
| 3 | .\" All rights reserved.
|
|---|
| 4 | .\"
|
|---|
| 5 | .\" Redistribution and use in source and binary forms, with or without
|
|---|
| 6 | .\" modification, are permitted provided that the following conditions
|
|---|
| 7 | .\" are met:
|
|---|
| 8 | .\"
|
|---|
| 9 | .\" 1. Redistributions of source code must retain the above copyright
|
|---|
| 10 | .\" notice, this list of conditions and the following disclaimer.
|
|---|
| 11 | .\"
|
|---|
| 12 | .\" 2. Redistributions in binary form must reproduce the above copyright
|
|---|
| 13 | .\" notice, this list of conditions and the following disclaimer in the
|
|---|
| 14 | .\" documentation and/or other materials provided with the distribution.
|
|---|
| 15 | .\"
|
|---|
| 16 | .\" 3. Neither the name of the Institute nor the names of its contributors
|
|---|
| 17 | .\" may be used to endorse or promote products derived from this software
|
|---|
| 18 | .\" without specific prior written permission.
|
|---|
| 19 | .\"
|
|---|
| 20 | .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|---|
| 21 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|---|
| 22 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|---|
| 23 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|---|
| 24 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|---|
| 25 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|---|
| 26 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|---|
| 27 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|---|
| 28 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|---|
| 29 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|---|
| 30 | .\" SUCH DAMAGE.
|
|---|
| 31 | .\"
|
|---|
| 32 | .\" $Id$
|
|---|
| 33 | .\"
|
|---|
| 34 | .Dd September 1, 2000
|
|---|
| 35 | .Dt KERBEROS 8
|
|---|
| 36 | .Os HEIMDAL
|
|---|
| 37 | .Sh NAME
|
|---|
| 38 | .Nm kerberos
|
|---|
| 39 | .Nd introduction to the Kerberos system
|
|---|
| 40 | .Sh DESCRIPTION
|
|---|
| 41 | Kerberos is a network authentication system. Its purpose is to
|
|---|
| 42 | securely authenticate users and services in an insecure network
|
|---|
| 43 | environment.
|
|---|
| 44 | .Pp
|
|---|
| 45 | This is done with a Kerberos server acting as a trusted third party,
|
|---|
| 46 | keeping a database with secret keys for all users and services
|
|---|
| 47 | (collectively called
|
|---|
| 48 | .Em principals ) .
|
|---|
| 49 | .Pp
|
|---|
| 50 | Each principal belongs to exactly one
|
|---|
| 51 | .Em realm ,
|
|---|
| 52 | which is the administrative domain in Kerberos. A realm usually
|
|---|
| 53 | corresponds to an organisation, and the realm should normally be
|
|---|
| 54 | derived from that organisation's domain name. A realm is served by one
|
|---|
| 55 | or more Kerberos servers.
|
|---|
| 56 | .Pp
|
|---|
| 57 | The authentication process involves exchange of
|
|---|
| 58 | .Sq tickets
|
|---|
| 59 | and
|
|---|
| 60 | .Sq authenticators
|
|---|
| 61 | which together prove the principal's identity.
|
|---|
| 62 | .Pp
|
|---|
| 63 | When you login to the Kerberos system, either through the normal
|
|---|
| 64 | system login or with the
|
|---|
| 65 | .Xr kinit 1
|
|---|
| 66 | program, you acquire a
|
|---|
| 67 | .Em ticket granting ticket
|
|---|
| 68 | which allows you to get new tickets for other services, such as
|
|---|
| 69 | .Ic telnet
|
|---|
| 70 | or
|
|---|
| 71 | .Ic ftp ,
|
|---|
| 72 | without giving your password.
|
|---|
| 73 | .Pp
|
|---|
| 74 | For more information on how Kerberos works, and other general Kerberos
|
|---|
| 75 | questions see the Kerberos FAQ at
|
|---|
| 76 | .Pa http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html .
|
|---|
| 77 | .Pp
|
|---|
| 78 | For setup instructions see the Heimdal Texinfo manual.
|
|---|
| 79 | .Sh SEE ALSO
|
|---|
| 80 | .Xr ftp 1 ,
|
|---|
| 81 | .Xr kdestroy 1 ,
|
|---|
| 82 | .Xr kinit 1 ,
|
|---|
| 83 | .Xr klist 1 ,
|
|---|
| 84 | .Xr kpasswd 1 ,
|
|---|
| 85 | .Xr telnet 1
|
|---|
| 86 | .Sh HISTORY
|
|---|
| 87 | The Kerberos authentication system was developed in the late 1980's as
|
|---|
| 88 | part of the Athena Project at the Massachusetts Institute of
|
|---|
| 89 | Technology. Versions one through three never reached outside MIT, but
|
|---|
| 90 | version 4 was (and still is) quite popular, especially in the academic
|
|---|
| 91 | community, but is also used in commercial products like the AFS
|
|---|
| 92 | filesystem.
|
|---|
| 93 | .Pp
|
|---|
| 94 | The problems with version 4 are that it has many limitations, the code
|
|---|
| 95 | was not too well written (since it had been developed over a long
|
|---|
| 96 | time), and it has a number of known security problems. To resolve many
|
|---|
| 97 | of these issues work on version five started, and resulted in IETF RFC
|
|---|
| 98 | 1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120,
|
|---|
| 99 | also known as Kerberos clarifications. With the arrival of IETF RFC
|
|---|
| 100 | 4120, the work on adding extensibility and internationalization have
|
|---|
| 101 | started (Kerberos extensions), and a new RFC will hopefully appear
|
|---|
| 102 | soon.
|
|---|
| 103 | .Pp
|
|---|
| 104 | This manual page is part of the
|
|---|
| 105 | .Nm Heimdal
|
|---|
| 106 | Kerberos 5 distribution, which has been in development at the Royal
|
|---|
| 107 | Institute of Technology in Stockholm, Sweden, since about 1997.
|
|---|
