.\" $Source: /mit/kerberos/src/man/RCS/kerberos.1,v $
.\" $Author: jtkohl $
.\" $Header: kerberos.1,v 4.7 89/01/23 11:39:33 jtkohl Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.TH KERBEROS 1 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kerberos \- introduction to the Kerberos system

.SH DESCRIPTION
The
Kerberos
system authenticates
individual users in a network environment.
After authenticating yourself to
Kerberos,
you can use network utilities such as
.IR rlogin ,
.IR rcp ,
and
.IR rsh
without
having to present passwords to remote hosts and without having to bother
with
.I \.rhosts
files.
Note that these utilities will work without passwords only if
the remote machines you deal with
support the
Kerberos
system.
All Athena timesharing machines and public workstations support
Kerberos.
.PP
Before you can use
Kerberos,
you must register as an Athena user,
and you must make sure you have been added to
the
Kerberos
database.
You can use the
.I kinit
command to find out.
This command
tries to log you into the
Kerberos
system.
.I kinit
will prompt you for a username and password.
Enter your username and password.
If the utility lets you log in without giving you a message,
you have already been registered.
.PP
If you enter your username and
.I kinit
responds with this message:
.nf

Principal unknown (kerberos)

.fi
you haven't been registered as a
Kerberos
user.
See your system administrator.
.PP
A Kerberos name contains three parts.
The first is the
.I principal name,
which is usually a user's or service's name.
The second is the
.I instance,
which in the case of a user is usually null.
Some users may have privileged instances, however,
such as ``root'' or ``admin''.
In the case of a service, the instance is the
name of the machine on which it runs; i.e. there
can be an
.I rlogin
service running on the machine ABC, which
is different from the rlogin service running on
the machine XYZ.
The third part of a Kerberos name
is the
.I realm.
The realm corresponds to the Kerberos service providing
authentication for the principal.
For example, at MIT there is a Kerberos running at the
Laboratory for Computer Science and one running at
Project Athena.
.PP
When writing a Kerberos name, the principal name is
separated from the instance (if not null) by a period,
and the realm (if not the local realm) follows, preceded by
an ``@'' sign.
The following are examples of valid Kerberos names:
.sp
.nf
.in +8
billb
jis.admin
[email protected]
[email protected]
.in -8
.fi
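The naming rules above, as a small added parser (an example written for this page, not code from the Kerberos distribution): it splits a written name into principal, instance and realm, applies the null-instance and local-realm defaults, and rejects ambiguous forms so that a privileged instance is never confused with the plain user. The local realm EXAMPLE.REALM, the 39-character component limit, the choice to split on the first period, and all function names are assumptions.

```python
from dataclasses import dataclass

MAX_COMPONENT = 39                        # assumed per-component limit, not from the page
PRIVILEGED_INSTANCES = {"root", "admin"}  # the two examples the page gives


@dataclass(frozen=True)
class KerberosName:
    principal: str
    instance: str   # "" is the null instance
    realm: str

    @property
    def privileged(self) -> bool:
        return self.instance in PRIVILEGED_INSTANCES

    def __str__(self) -> str:
        inst = f".{self.instance}" if self.instance else ""
        return f"{self.principal}{inst}@{self.realm}"


def parse_name(text: str, local_realm: str = "EXAMPLE.REALM") -> KerberosName:
    """Parse principal[.instance][@realm]; reject anything ambiguous."""
    if any(c.isspace() or not c.isprintable() for c in text):
        raise ValueError("whitespace or control character in name")
    left, at, realm = text.partition("@")
    if at and (not realm or "@" in realm):
        raise ValueError("realm must be non-empty and contain no '@'")
    # Assumption: the first period ends the principal name.
    principal, dot, instance = left.partition(".")
    if not principal:
        raise ValueError("empty principal name")
    if dot and not instance:
        raise ValueError("period with no instance after it")
    realm = realm or local_realm          # omitted realm means the local realm
    for part in (principal, instance, realm):
        if len(part) > MAX_COMPONENT:
            raise ValueError("component too long")
    return KerberosName(principal, instance, realm)


def same_identity(a: str, b: str, local_realm: str = "EXAMPLE.REALM") -> bool:
    """Compare two written names on all three parts, after applying defaults."""
    return parse_name(a, local_realm) == parse_name(b, local_realm)
```

Authorization checks should compare the parsed triple, as same_identity does, rather than the principal name alone: jis and jis.admin are different identities.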
.PP
When you authenticate yourself with
Kerberos,
through either the workstation
.I toehold
system or the
.I kinit
command,
Kerberos
gives you an initial
Kerberos
.IR ticket .
(A
Kerberos
ticket
is an encrypted protocol message that provides authentication.)
Kerberos
uses this ticket for network utilities
such as
.I rlogin
and
.IR rcp .
The ticket transactions are done transparently,
so you don't have to worry about their management.
.PP
Note, however, that tickets expire.
Privileged tickets, such as root instance tickets,
expire in a few minutes, while tickets that carry more ordinary
privileges may be good for several hours or a day, depending on the
installation's policy.
If your login session extends beyond the time limit,
you will have to re-authenticate yourself to
Kerberos
to get new tickets.
Use the
.IR kinit
command to re-authenticate yourself.
.PP
If you use the
.I kinit
command to get your tickets,
make sure you use the
.I kdestroy
command
to destroy your tickets before you end your login session.
You should probably put the
.I kdestroy
command in your
.I \.logout
file so that your tickets will be destroyed automatically when you log out.
For more information about the
.I kinit
and
.I kdestroy
commands,
see the
.I kinit(1)
and
.I kdestroy(1)
manual pages.
.PP
Currently,
Kerberos
supports the following network services:
.IR rlogin ,
.IR rsh ,
and
.IR rcp .
Other services are being worked on,
such as the
.IR pop
mail system and NFS (network file system),
but are not yet available.

.SH "SEE ALSO"
kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),
kadmin(8)
.SH BUGS
Kerberos
will not do authentication forwarding.
In other words,
if you use
.I rlogin
to log in to a remote host,
you cannot use
Kerberos
services from that host
until you authenticate yourself explicitly on that host.
Although you may need to authenticate yourself on the remote
host,
be aware that when you do so,
.I rlogin
sends your password across the network in clear text.

.SH AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
.br
Clifford Neuman, MIT Project Athena

The following people helped out on various aspects of the system:

Jeff Schiller designed and wrote the administration server and its
user interface, kadmin.
He also wrote the dbm version of the database management system.

Mark Colan developed the
Kerberos
versions of
.IR rlogin ,
.IR rsh ,
and
.IR rcp ,
as well as contributing work on the servers.

John Ostlund developed the
Kerberos
versions of
.I passwd
and
.IR userreg .

Stan Zanarotti pioneered Kerberos in a foreign realm (LCS),
and made many contributions based on that experience.

Many people contributed code and/or useful ideas, including
Jim Aspnes,
Bob Baldwin,
John Barba,
Richard Basch,
Jim Bloom,
Bill Bryant,
Rob French,
Dan Geer,
David Jedlinsky,
John Kohl,
John Kubiatowicz,
Bob McKie,
Brian Murphy,
Ken Raeburn,
Chris Reed,
Jon Rochlis,
Mike Shanzer,
Bill Sommerfeld,
Jennifer Steiner,
Ted Ts'o,
and
Win Treese.

.SH RESTRICTIONS

COPYRIGHT 1985,1986 Massachusetts Institute of Technology