.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd May 15, 2021
.Dt KERBEROS 8
.Os HEIMDAL
.Sh NAME
.Nm kerberos
.Nd introduction to the Kerberos system
.Sh DESCRIPTION
Kerberos is a network authentication system. Its purpose is to
securely authenticate users and services in an insecure network
environment.
.Pp
This is done with a Kerberos server acting as a trusted third party,
keeping a database with secret keys for all users and services
(collectively called
.Em principals ) .
.Pp
Each principal belongs to exactly one
.Em realm ,
which is the administrative domain in Kerberos. A realm usually
corresponds to an organisation, and the realm should normally be
derived from that organisation's domain name. A realm is served by one
or more Kerberos servers.
.Pp
The authentication process involves exchange of
.Sq tickets
and
.Sq authenticators
which together prove the principal's identity.
.Pp
When you log in to the Kerberos system, either through the normal
system login or with the
.Xr kinit 1
program, you acquire a
.Em ticket granting ticket
which allows you to get new tickets for other services, such as
.Ic telnet
or
.Ic ftp ,
without giving your password.
.Pp
For more information on how Kerberos works, see the tutorial at
.Lk https://kerberos.org/software/tutorial.html
or the informal
.Dq dialogue
at
.Lk https://web.mit.edu/kerberos/dialogue.html .
.Pp
For setup instructions see the Heimdal Texinfo manual.
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr kdestroy 1 ,
.Xr kinit 1 ,
.Xr klist 1 ,
.Xr kpasswd 1 ,
.Xr telnet 1
.Sh HISTORY
The Kerberos authentication system was developed in the late 1980s as
part of the Athena Project at the Massachusetts Institute of
Technology. Versions one through three never reached outside MIT, but
version 4 was (and still is) quite popular, especially in the academic
community, but is also used in commercial products like the AFS
filesystem.
.Pp
The problems with version 4 are that it has many limitations, the code
was not too well written (since it had been developed over a long
time), and it has a number of known security problems. To resolve many
of these issues work on version five started, and resulted in IETF RFC
1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120,
also known as Kerberos clarifications. With the arrival of IETF RFC
4120, the work on adding extensibility and internationalization has
started (Kerberos extensions), and a new RFC will hopefully appear
soon.
.Pp
This manual page is part of the
.Nm Heimdal
Kerberos 5 distribution, which has been in development at the Royal
Institute of Technology in Stockholm, Sweden, since about 1997.