| 1 |
|
|---|
| 2 | KERBEROS(8) BSD System Manager's Manual KERBEROS(8)
|
|---|
| 3 |
|
|---|
| 4 | NNAAMMEE
|
|---|
| 5 | kkeerrbbeerrooss -- introduction to the Kerberos system
|
|---|
| 6 |
|
|---|
| 7 | DDEESSCCRRIIPPTTIIOONN
|
|---|
| 8 | Kerberos is a network authentication system. Its purpose is to securely
|
|---|
| 9 | authenticate users and services in an insecure network environment.
|
|---|
| 10 |
|
|---|
| 11 | This is done with a Kerberos server acting as a trusted third party,
|
|---|
| 12 | keeping a database with secret keys for all users and services (collec-
|
|---|
| 13 | tively called _p_r_i_n_c_i_p_a_l_s).
|
|---|
| 14 |
|
|---|
| 15 | Each principal belongs to exactly one _r_e_a_l_m, which is the administrative
|
|---|
| 16 | domain in Kerberos. A realm usually corresponds to an organisation, and
|
|---|
| 17 | the realm should normally be derived from that organisation's domain
|
|---|
| 18 | name. A realm is served by one or more Kerberos servers.
|
|---|
| 19 |
|
|---|
| 20 | The authentication process involves exchange of `tickets' and
|
|---|
| 21 | `authenticators' which together prove the principal's identity.
|
|---|
| 22 |
|
|---|
| 23 | When you login to the Kerberos system, either through the normal system
|
|---|
| 24 | login or with the kinit(1) program, you acquire a _t_i_c_k_e_t _g_r_a_n_t_i_n_g _t_i_c_k_e_t
|
|---|
| 25 | which allows you to get new tickets for other services, such as tteellnneett or
|
|---|
| 26 | ffttpp, without giving your password.
|
|---|
| 27 |
|
|---|
| 28 | For more information on how Kerberos works, and other general Kerberos
|
|---|
| 29 | questions see the Kerberos FAQ at
|
|---|
| 30 | _h_t_t_p_:_/_/_w_w_w_._n_r_l_._n_a_v_y_._m_i_l_/_C_C_S_/_p_e_o_p_l_e_/_k_e_n_h_/_k_e_r_b_e_r_o_s_-_f_a_q_._h_t_m_l.
|
|---|
| 31 |
|
|---|
| 32 | For setup instructions see the Heimdal Texinfo manual.
|
|---|
| 33 |
|
|---|
| 34 | SSEEEE AALLSSOO
|
|---|
| 35 | ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1)
|
|---|
| 36 |
|
|---|
| 37 | HHIISSTTOORRYY
|
|---|
| 38 | The Kerberos authentication system was developed in the late 1980's as
|
|---|
| 39 | part of the Athena Project at the Massachusetts Institute of Technology.
|
|---|
| 40 | Versions one through three never reached outside MIT, but version 4 was
|
|---|
| 41 | (and still is) quite popular, especially in the academic community, but
|
|---|
| 42 | is also used in commercial products like the AFS filesystem.
|
|---|
| 43 |
|
|---|
| 44 | The problems with version 4 are that it has many limitations, the code
|
|---|
| 45 | was not too well written (since it had been developed over a long time),
|
|---|
| 46 | and it has a number of known security problems. To resolve many of these
|
|---|
| 47 | issues work on version five started, and resulted in IETF RFC 1510 in
|
|---|
| 48 | 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, also known
|
|---|
| 49 | as Kerberos clarifications. With the arrival of IETF RFC 4120, the work
|
|---|
| 50 | on adding extensibility and internationalization have started (Kerberos
|
|---|
| 51 | extensions), and a new RFC will hopefully appear soon.
|
|---|
| 52 |
|
|---|
| 53 | This manual page is part of the HHeeiimmddaall Kerberos 5 distribution, which
|
|---|
| 54 | has been in development at the Royal Institute of Technology in Stock-
|
|---|
| 55 | holm, Sweden, since about 1997.
|
|---|
| 56 |
|
|---|
| 57 | HEIMDAL September 1, 2000 HEIMDAL
|
|---|
