
NAME

       kerberos - introduction to the Kerberos system


DESCRIPTION

       The  Kerberos  system  authenticates individual users in a
       network environment.   After  authenticating  yourself  to
       Kerberos,  you  can  use network utilities such as rlogin,
       rcp, and rsh without having to present passwords to remote
       hosts  and  without  having  to bother with .rhosts files.
       Note that these utilities will work without passwords only
       if  the remote machines you deal with support the Kerberos
       system.

       If you enter your username and kinit  responds  with  this
       message:

       Principal unknown (kerberos)

       you  haven't been registered as a Kerberos user.  See your
       system administrator.

       A Kerberos name usually contains three parts.  The first
       is the primary, which is usually a user's or service's
       name.  The second is the instance, which in the case of a
       user is usually null.  Some users may have privileged
       instances, however, such as ``root'' or ``admin''.  In the
       case of a service, the instance is the fully qualified
       name of the machine on which it runs; for example, there
       can be an rlogin service running on the machine ABC, which
       is different from the rlogin service running on the
       machine XYZ.  The third part of a Kerberos name is the
       realm.  The realm corresponds to the Kerberos service
       providing authentication for the principal.

       When writing a Kerberos name, the primary is separated
       from the instance (if not null) by a slash, and the
       realm (if not the local realm) follows, preceded by an
       ``@'' sign.  The following are examples of valid Kerberos
       names:

               david
               jennifer/admin
               joeuser@BLEEP.COM
               cbrown/root@FUBAR.ORG
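
       The naming rules above, as an added example (not part of the original manual page): a Python parser for the three-part form that fills in the local realm and flags the privileged instances the text names. The names `parse_kerberos_name`, `KerberosName`, `PRIVILEGED_INSTANCES` and the realm `EXAMPLE.ORG` are assumptions made for illustration; Kerberos 5 principals with more than two components or backslash-quoted characters are deliberately rejected or not handled here.

```python
from dataclasses import dataclass

# Privileged instances the manual page gives as examples; a site may define others.
PRIVILEGED_INSTANCES = {"root", "admin"}


@dataclass(frozen=True)
class KerberosName:
    primary: str
    instance: str  # "" represents the null instance
    realm: str

    @property
    def privileged(self) -> bool:
        # True when the instance is one of the privileged examples above.
        return self.instance in PRIVILEGED_INSTANCES

    def __str__(self) -> str:
        # Canonical form: always spell out the realm, omit a null instance.
        name = self.primary + (f"/{self.instance}" if self.instance else "")
        return f"{name}@{self.realm}"


def parse_kerberos_name(text: str, local_realm: str) -> KerberosName:
    """Parse primary[/instance][@REALM]; local_realm is used when no realm is given."""
    name, at, realm = text.partition("@")
    if at and (not realm or "@" in realm):
        raise ValueError(f"bad realm in {text!r}")
    primary, slash, instance = name.partition("/")
    if not primary:
        raise ValueError(f"empty primary in {text!r}")
    if slash and (not instance or "/" in instance):
        raise ValueError(f"bad instance in {text!r}")
    return KerberosName(primary, instance, realm if at else local_realm)


if __name__ == "__main__":
    # The four example names from the text; EXAMPLE.ORG is a constructed local realm.
    for raw in ("david", "jennifer/admin", "joeuser@BLEEP.COM", "cbrown/root@FUBAR.ORG"):
        parsed = parse_kerberos_name(raw, "EXAMPLE.ORG")
        print(f"{raw:24} -> {parsed}  privileged={parsed.privileged}")
```

       Writing the realm out explicitly, as `str()` does here, avoids treating `cbrown/root` in one realm as the same identity as `cbrown/root` in another when names are compared in access lists or audit logs.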

       When you authenticate yourself with Kerberos you get an
       initial Kerberos ticket.  (A Kerberos ticket is an
       encrypted protocol message that provides authentication.)
       Kerberos uses this ticket for network utilities such as
       rlogin and rcp.  The ticket transactions are done
       transparently, so you don't have to worry about their
       management.

       minutes, while tickets that carry more ordinary privileges
       may be good for several hours or a day, depending  on  the
       installation's  policy.   If  your  login  session extends
       beyond the time limit, you will  have  to  re-authenticate
       yourself  to  Kerberos  to get new tickets.  Use the kinit
       command to re-authenticate yourself.

       If you use the kinit command to get your tickets, make
       sure you use the kdestroy command to destroy your tickets
       before you end your login session.  You should put the
       kdestroy command in your .logout file so that your tickets
       will be destroyed automatically when you log out.  For
       more information about the kinit and kdestroy commands,
       see the kinit(1) and kdestroy(1) manual pages.

       Kerberos tickets can be forwarded.  In  order  to  forward
       tickets,  you  must  request  forwardable tickets when you
       kinit.  Once you have forwardable tickets,  most  Kerberos
       programs have a command line option to forward them to the
       remote host.

       Currently, Kerberos support is available for the following
       network services: rlogin, rsh, rcp, telnet, ftp, krdist (a
       Kerberized version of rdist), ksu (a Kerberized version of
       su), login, and Xdm.


SEE ALSO

       kdestroy(1),  kinit(1),  klist(1),  kpasswd(1),  rsh(1),
       rcp(1), rlogin(1), telnet(1), ftp(1),  krdist(1),  ksu(1),
       sclient(1), xdm(1), des_crypt(3), hash(3), krb5strings(3),
       krb5.conf(5),    kdc.conf(5),    kadmin(8),    kadmind(8),
       kdb5_util(8),  telnetd(8), ftpd(8), rdistd(8), sserver(8),
       klogind(8c), kshd(8c), login(8c)


BUGS


AUTHORS

       Steve Miller, MIT Project Athena/Digital Equipment
       Corporation
       Clifford Neuman, MIT Project Athena


HISTORY

       Kerberos  was  developed  at  MIT.  OpenVision rewrote and
       donated the administration server, which is  used  in  the
       current version of Kerberos 5.


RESTRICTIONS

       Copyright  1985,1986,1989-1996  Massachusetts Institute of
       Technology
