.\" $Id: kerberos.1,v 1.3 1997/11/07 12:37:34 bg Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.TH KERBEROS 1 "Kerberos Version 4.0" "MIT Project Athena"
kerberos \- introduction to the Kerberos system
individual users in a network environment.
After authenticating yourself to
you can use network utilities such as
having to present passwords to remote hosts and without having to bother
Note that these utilities will work without passwords only if
the remote machines you deal with
All Athena timesharing machines and public workstations support
you must register as an Athena user,
and you must make sure you have been added to
tries to log you into the
will prompt you for a username and password.
Enter your username and password.
If the utility lets you log in without giving you a message,
you have already been registered.
If you enter your username and
responds with this message:
Principal unknown (kerberos)
you haven't been registered as a
See your system administrator.
A Kerberos name contains three parts.
which is usually a user's or service's name.
which in the case of a user is usually null.
Some users may have privileged instances, however,
such as ``root'' or ``admin''.
In the case of a service, the instance is the
name of the machine on which it runs; i.e. there
service running on the machine ABC, which
is different from the rlogin service running on
The third part of a Kerberos name
The realm corresponds to the Kerberos service providing
authentication for the principal.
For example, at MIT there is a Kerberos running at the
Laboratory for Computer Science and one running at
When writing a Kerberos name, the principal name is
separated from the instance (if not null) by a period,
and the realm (if not the local realm) follows, preceded by
The following are examples of valid Kerberos names:
treese.root@athena.mit.edu
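The naming rules above, worked through as an added example (not code from the Kerberos distribution): it splits a written name into its three parts, fills in the null instance and the local realm, and compares identities on all three parts so that a privileged instance is never mistaken for the ordinary user. The function names, the 40-byte component limit and the local realm value are assumptions made for this example, and no escape characters are handled.

```c
#include <stdio.h>
#include <string.h>

#define PART_MAX 40                    /* assumed per-component buffer size, incl. NUL */
#define LOCAL_REALM "athena.mit.edu"   /* assumed local realm for this example */

struct kname { char name[PART_MAX], inst[PART_MAX], realm[PART_MAX]; };

/* Copy len bytes of src into dst as a string; fail if it does not fit. */
static int put(char *dst, const char *src, size_t len) {
    if (len >= PART_MAX) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "name[.instance][@realm]". Returns 0 on success, -1 if malformed. */
int kname_split(const char *s, struct kname *out) {
    const char *at = strchr(s, '@');
    const char *end = at ? at : s + strlen(s);            /* end of name.instance */
    const char *dot = memchr(s, '.', (size_t)(end - s));  /* first period only */
    const char *name_end = dot ? dot : end;

    if (name_end == s) return -1;                  /* empty principal name */
    if (dot && dot + 1 == end) return -1;          /* period with no instance */
    if (at && (at[1] == '\0' || strchr(at + 1, '@'))) return -1;  /* bad realm */

    if (put(out->name, s, (size_t)(name_end - s))) return -1;
    if (put(out->inst, dot ? dot + 1 : "", dot ? (size_t)(end - dot - 1) : 0)) return -1;
    if (at) return put(out->realm, at + 1, strlen(at + 1));
    return put(out->realm, LOCAL_REALM, strlen(LOCAL_REALM));  /* realm omitted */
}

/* Two names are the same identity only if all three parts match. */
int kname_same(const struct kname *a, const struct kname *b) {
    return strcmp(a->name, b->name) == 0 && strcmp(a->inst, b->inst) == 0
        && strcmp(a->realm, b->realm) == 0;
}

int main(void) {
    struct kname user, admin;
    if (kname_split("treese", &user) ||
        kname_split("treese.root@athena.mit.edu", &admin)) return 1;
    printf("%s / '%s' / %s\n", admin.name, admin.inst, admin.realm);
    printf("same identity as plain user: %d\n", kname_same(&user, &admin));
    return 0;
}
```

An access check that compared only the first component would treat the ordinary user and the root instance as one identity; comparing the full triple keeps them apart.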
When you authenticate yourself with
through either the workstation
is an encrypted protocol message that provides authentication.)
uses this ticket for network utilities
The ticket transactions are done transparently,
so you don't have to worry about their management.
Note, however, that tickets expire.
Privileged tickets, such as root instance tickets,
expire in a few minutes, while tickets that carry more ordinary
privileges may be good for several hours or a day, depending on the
installation's policy.
If your login session extends beyond the time limit,
you will have to re-authenticate yourself to
command to re-authenticate yourself.
command to get your tickets,
make sure you use the
to destroy your tickets before you end your login session.
You should probably put the
file so that your tickets will be destroyed automatically when you log out.
For more information about the
supports the following network services:
kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),
will not do authentication forwarding.
to log in to a remote host,
services from that host
until you authenticate yourself explicitly on that host.
Although you may need to authenticate yourself on the remote
be aware that when you do so,
sends your password across the network in clear text.
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
The following people helped out on various aspects of the system:
Jeff Schiller designed and wrote the administration server and its
user interface, kadmin.
He also wrote the dbm version of the database management system.
Mark Colan developed the
as well as contributing work on the servers.
John Ostlund developed the
Stan Zanarotti pioneered Kerberos in a foreign realm (LCS),
and made many contributions based on that experience.
Many people contributed code and/or useful ideas, including
COPYRIGHT 1985,1986 Massachusetts Institute of Technology