.\" Copyright 1989, 2011 by the Massachusetts Institute of Technology.
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
kerberos \- introduction to the Kerberos system
The Kerberos system authenticates individual users in a network
environment. After authenticating yourself to Kerberos, you can use
Kerberos-enabled programs without having to present passwords.
If you enter your username and
responds with this message:
kinit(v5): Client not found in Kerberos database while getting initial
you haven't been registered as a Kerberos user. See your system
A Kerberos name usually contains three parts. The first is the
which is usually a user's or service's name. The second is the
which in the case of a user is usually null. Some users may have
privileged instances, however, such as ``root'' or ``admin''. In the
case of a service, the instance is the fully qualified name of the
machine on which it runs; i.e. there can be an
service running on the machine ABC, which is different from the rlogin
service running on the machine XYZ. The third part of a Kerberos name
The realm corresponds to the Kerberos service providing authentication
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an ``@'' sign. The following are examples
of valid Kerberos names:
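The name grammar described above (a primary name, an instance after a slash when not null, and the realm after an ``@'' when it is not the local realm), as an added Python example that is not part of this manual page or of MIT Kerberos: a parser and writer in the style of krb5_parse_name and krb5_unparse_name. It goes slightly beyond the page's three-part form in that it accepts more than one instance component, which MIT Kerberos also allows, and treats a backslash as escaping the next character; DEFAULT_REALM and the sample names in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_REALM = "EXAMPLE.COM"  # constructed stand-in for the local realm

@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # [0] is the primary name, the rest are instances
    realm: str

    @property
    def instance(self) -> Optional[str]:
        # The man page's "instance": null when only the primary name is given.
        return self.components[1] if len(self.components) > 1 else None

def parse_principal(name: str, local_realm: str = DEFAULT_REALM) -> Principal:
    """Split a name as krb5_parse_name does: '/' separates components, '@'
    starts the realm, and a backslash makes the next character literal."""
    components, cur, in_realm = [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped: never a separator
        elif ch == "@":
            if in_realm:
                raise ValueError(f"second '@' in principal name: {name!r}")
            components.append("".join(cur))
            cur, in_realm = [], True
        elif ch == "/" and not in_realm:
            components.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    realm = "".join(cur) if in_realm else local_realm  # no '@': local realm
    if not in_realm:
        components.append("".join(cur))
    if not components[0] or not realm:
        raise ValueError(f"empty primary name or realm: {name!r}")
    return Principal(tuple(components), realm)

def unparse_principal(p: Principal, local_realm: str = DEFAULT_REALM,
                      always_realm: bool = False) -> str:
    """Write the name back; the realm appears only if it is not the local one."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    text = "/".join(esc(c) for c in p.components)
    if always_realm or p.realm != local_realm:
        text += "@" + esc(p.realm)
    return text
```

For instance (constructed names) "alice" parses to the primary alone in the local realm, "alice/admin@OTHER.ORG" to a privileged instance in a foreign realm, and "rlogin/abc.example.com" to a service principal whose instance is the host name.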
When you authenticate yourself with Kerberos you get an initial Kerberos
(A Kerberos ticket is an encrypted protocol message that provides
authentication.) Kerberos uses this ticket for network utilities such
The ticket transactions are done transparently, so you don't have to
worry about their management.
Note, however, that tickets expire. Privileged tickets, such as those
with the instance ``root'', expire in a few minutes, while tickets that
carry more ordinary privileges may be good for several hours or a day,
depending on the installation's policy. If your login session extends
beyond the time limit, you will have to re-authenticate yourself to
Kerberos to get new tickets. Use the
command to re-authenticate yourself.
command to get your tickets, make sure you use the
command to destroy your tickets before you end your login session. You
file so that your tickets will be destroyed automatically when you
log out. For more information about the
Kerberos tickets can be forwarded. In order to forward tickets, you
Once you have forwardable tickets, most Kerberos programs have a command
line option to forward them to the remote host.
.SH "ENVIRONMENT VARIABLES"
Several environment variables affect the operation of Kerberos-enabled
programs. These include:
Specifies the location of the credential cache, in the form
\fITYPE\fP:\fIresidual\fP. If no type prefix is present, the
\fBFILE\fP type is assumed and \fIresidual\fP is the pathname of the
cache file. A collection of multiple caches may be used by specifying
the \fBDIR\fP type and the pathname of a private directory (which must
already exist). The default cache file is /tmp/krb5cc_\fIuid\fP where
\fIuid\fP is the decimal user ID of the user.
Specifies the location of the keytab file, in the form
\fITYPE\fP:\fIresidual\fP. If no type is present, the \fBFILE\fP type
is assumed and \fIresidual\fP is the pathname of the keytab file. The
default keytab file is /etc/krb5.keytab.
Specifies the location of the Kerberos configuration file. The
default is /etc/krb5.conf.
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
/usr/local/var/krb5kdc/kdc.conf.
Specifies the default type of replay cache to use for servers. Valid
types include "dfl" for the normal file type and "none" for no replay
Specifies the default directory for replay caches used by servers.
The default is the value of the \fBTMPDIR\fP environment variable, or
/var/tmp if \fBTMPDIR\fP is not set.
Specifies a filename to write trace log output to. Trace logs can
help illuminate decisions made internally by the Kerberos libraries.
The default is not to write trace log output anywhere.
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
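The lookup rules above for the credential cache and keytab variables (\fITYPE\fP:\fIresidual\fP, \fBFILE\fP assumed when there is no prefix, the /tmp/krb5cc_\fIuid\fP and /etc/krb5.keytab defaults, and a \fBDIR\fP collection that must already exist) together with the caveat that setuid and login programs ignore the environment, as an added Python example that is not code from MIT Kerberos. The variable names KRB5CCNAME and KRB5_KTNAME are the MIT krb5 ones and are assumed here, since the page as extracted does not show them; the environment mappings passed in are constructed.

```python
import os
from typing import Mapping, Optional, Tuple

# Variable names are MIT krb5's (assumed; the extracted page does not show
# them). Defaults are the ones the page quotes.
DEFAULT_KEYTAB = "/etc/krb5.keytab"

def secure_getenv(name: str, env: Mapping[str, str], privileged: bool) -> Optional[str]:
    """The page's caveat as a rule: setuid and login programs ignore the
    environment, so for them every variable reads as unset."""
    return None if privileged else env.get(name)

def split_name(value: str, default_type: str = "FILE") -> Tuple[str, str]:
    """Split TYPE:residual; with no type prefix FILE is assumed and the
    whole value is the pathname."""
    ttype, sep, residual = value.partition(":")
    return (ttype, residual) if sep else (default_type, value)

def resolve_ccache(env: Mapping[str, str], uid: int,
                   privileged: bool = False) -> Tuple[str, str]:
    """KRB5CCNAME as described: default FILE:/tmp/krb5cc_<uid>; a DIR
    collection must name a directory that already exists."""
    value = secure_getenv("KRB5CCNAME", env, privileged)
    if value is None:
        return "FILE", f"/tmp/krb5cc_{uid}"
    ctype, residual = split_name(value)
    if ctype == "DIR" and not os.path.isdir(residual):
        raise FileNotFoundError(f"DIR cache collection {residual!r} does not exist")
    return ctype, residual

def resolve_keytab(env: Mapping[str, str], privileged: bool = False) -> Tuple[str, str]:
    """KRB5_KTNAME as described: default FILE:/etc/krb5.keytab."""
    value = secure_getenv("KRB5_KTNAME", env, privileged)
    return ("FILE", DEFAULT_KEYTAB) if value is None else split_name(value)
```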
kdestroy(1), kinit(1), klist(1), kswitch(1), kpasswd(1), ksu(1),
krb5.conf(5), kdc.conf(5), kadmin(1), kadmind(8), kdb5_util(8),
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties. It is currently maintained
by the MIT Kerberos Consortium.
Copyright 1985,1986,1989-1996,2002,2011 Massachusetts Institute of Technology