kerberos man page on Ultrix

Printed from http://www.polarhome.com/service/man/?qf=kerberos&af=0&tf=2&of=Ultrix

kerberos(8krb)							kerberos(8krb)

Name
       kerberos - the kerberos daemon

Syntax
       /usr/etc/kerberos [ -p pause_seconds ] [ -a max_age ]
       [ -l log_file ] [ -r realm ] [ -s ] [ -n ] [ -m ]

Description
       The kerberos daemon is used by a Kerberos principal, X, to assist it in
       authenticating its identity to another Kerberos principal Y.  In the
       ULTRIX environment, X would typically be an application running on one
       machine while Y would be an application running on another machine.
       Because X and Y run on separate machines, the authentication of X by Y
       and Y by X is not an easy task.  If they ran on a single machine, A, the
       authentication of X could be performed easily by Y.  All Y need do is
       ask A for the user ID of X.  Since Y trusts the local machine, if the
       user ID of X is the user ID Y expects, then X must be X.

       If  Y  were  to	authenticate  X when X runs on a different machine, B,
       using the same user ID method, then Y would  be	forced	to  trust  the
       machine	B  to  provide	a correct answer.  The security of this method
       breaks down as soon as any one machine that Y is willing	 to  trust  is
       subverted  by  a	 hostile  user.	 In addition, it breaks as soon as any
       machines that cannot be trusted by Y are allowed on the	physical  net‐
       work  to	 which A and B are connected.  Hostile users that have control
       over these rogue machines can force them to produce messages that  look
       as though they come from machine B.

       The daemon serves as a single point of trust in a local area network
       (LAN).  The authentication of X to Y depends upon the trust that both X
       and Y have in the daemon.  X trusts the daemon to give Y only enough
       information to authenticate itself as Y to X, and Y trusts the daemon to
       give X only enough information to authenticate itself as X to Y.  Y no
       longer needs to trust B to authenticate X.

       If X were to authenticate itself to Y, X would first  communicate  with
       the daemon in order to obtain a ticket that would allow it to authenti‐
       cate to Y.  The ticket can be defined as	 the  data  that  X  needs  to
       authenticate  itself  to Y.  X passes the ticket to Y, along with other
       information, to authenticate itself to Y.  Y then has  the  ability  to
       send a message back to X in order to authenticate its identity to X.
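       The exchange described above, written out as an added example that is
       not part of the Ultrix man page or of the ULTRIX Kerberos code.  X, Y,
       the realm database and every key are constructed for illustration, and
       the function names are this example's own.  ULTRIX Kerberos sealed
       tickets with DES; here an HMAC-SHA256 keystream with an HMAC tag
       (encrypt-then-MAC) stands in for it so the example runs on the Python
       standard library alone.  What it shows is the trust relationships: only
       the daemon holds both keys, the ticket can be opened only by Y, the
       authenticator proves X holds the session key now, and Y's reply proves
       to X that Y could open the ticket.  A rogue host with neither key, and a
       replay of an old authenticator, are both rejected.

```python
import hashlib
import hmac
import os
import struct

CLOCK_SKEW = 300  # assumed: seconds an authenticator may differ from Y's clock


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _encrypt(key, plaintext):
    """Stand-in for DES: nonce || (plaintext XOR keystream) || MAC over both."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key: forged or tampered")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


def _pack(*fields):  # length-prefixed fields, so variable-size tickets nest cleanly
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def _unpack(blob):
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">H", blob[i:i + 2])
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out


def kdc_issue(database, client, server, now):
    """The daemon: the only party holding both keys.  The ticket is sealed under
    Y's key and wrapped in a reply sealed under X's key, so X learns the session
    key but can neither read nor alter the ticket."""
    session = os.urandom(32)
    ticket = _encrypt(database[server], _pack(client.encode(), session, struct.pack(">Q", now)))
    return _encrypt(database[client], _pack(server.encode(), session, ticket))


def client_open_reply(client_key, reply, server):
    srv, session, ticket = _unpack(_decrypt(client_key, reply))
    if srv != server.encode():
        raise ValueError("reply names a different server")
    return session, ticket


def client_authenticator(session, client, now):
    """The 'other information' sent with the ticket: proves X holds the session key now."""
    return _encrypt(session, _pack(client.encode(), struct.pack(">Q", now)))


def server_verify(server_key, ticket, authenticator, now):
    """Y's side: trusts only its own key and the daemon, never the host X runs on.
    Returns the client name and a reply that authenticates Y to X; only a holder
    of Y's key could recover the session key needed to return ts + 1."""
    name, session, _issued = _unpack(_decrypt(server_key, ticket))
    auth_name, ts_bytes = _unpack(_decrypt(session, authenticator))
    (ts,) = struct.unpack(">Q", ts_bytes)
    if auth_name != name:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - ts) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock skew: stale or replayed")
    return name.decode(), _encrypt(session, struct.pack(">Q", ts + 1))


def client_check_server(session, reply, ts):
    (echoed,) = struct.unpack(">Q", _decrypt(session, reply))
    return echoed == ts + 1


def _accepts(server_key, ticket, authenticator, now):
    try:
        server_verify(server_key, ticket, authenticator, now)
        return True
    except ValueError:
        return False


def run_exchange(now=1_000_000):
    """Full X -> daemon -> Y -> X round trip, then a forgery and a replay."""
    database = {"X": os.urandom(32), "Y": os.urandom(32)}  # constructed realm database
    session, ticket = client_open_reply(database["X"], kdc_issue(database, "X", "Y", now), "Y")
    authenticator = client_authenticator(session, "X", now)
    who, reply = server_verify(database["Y"], ticket, authenticator, now)
    mutual_ok = client_check_server(session, reply, now)
    forged = _encrypt(os.urandom(32), _pack(b"X", os.urandom(32), b""))  # rogue B, no key
    forged_ok = _accepts(database["Y"], forged, authenticator, now)
    replay_ok = _accepts(database["Y"], ticket, authenticator, now + CLOCK_SKEW + 1)
    return who, mutual_ok, forged_ok, replay_ok
```

       Calling run_exchange() returns ("X", True, False, False).  Note the
       caveat the skew check leaves open: a replay inside the CLOCK_SKEW window
       is not caught by this sketch, which keeps no record of authenticators
       already seen; a server that accepts tickets for real needs such a replay
       cache in addition to the freshness test.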

       There  is one master daemon per LAN.  The difference between a Kerberos
       master daemon and a Kerberos slave daemon is apparent  in  the  way  in
       which  the  Kerberos  database  on  the	machines  on which they run is
       updated.	 The Kerberos database stores information about Kerberos prin‐
       cipals.	 It  stores,  for instance, the Data Encryption Standard (DES)
       encryption key that is associated with each principal.

       There is only one Kerberos database per LAN, to which updates to	 indi‐
       vidual  principal  entries  should  be performed.  This is the Kerberos
       master database.	 The daemon that runs on the machine which stores  the
       Kerberos	 master database is the master daemon.	All the other Kerberos
       databases in the LAN are periodically updated by	 and  based  upon  the
       data  stored  in the Kerberos master database.  The machines that store
       this type of database run slave daemons.

       A realm is the common name given to a group of principals.  All princi‐
       pals  stored  in one Kerberos database belong to a single realm, and an
       individual daemon uses only one Kerberos database.  So, a  daemon  only
       allows  one principal in the realm to authenticate another principal in
       the realm.  Inter-realm authentication is not supported in  the	ULTRIX
       version of Kerberos.

Options
       -p     Allows  the user to select the number of seconds that the daemon
	      will pause, pause_seconds, after it has encountered an  unrecov‐
	      erable  error,  and before it exits.  This time interval must be
	      between five minutes (300), and one  hour	 (3600).   If  neither
	      this  option  nor	 the  -s option is used, the daemon will pause
	      forever before exiting.

       -a     Allows the user to specify the age in  seconds,  max_age,	 above
	      which  the  Kerberos database should be considered too old for a
	      Kerberos slave server to use.  The daemon determines the age  of
	      the Kerberos database by comparing the last modification time of
	      the file with the current time.  The file is modified every time
	      the database is changed.	Since a Kerberos slave server receives
	      its database in whole from  the  Kerberos	 master,  this	option
	      specifies	 the  maximum  amount of time allowed between database
	      transfers.  The time value must be between one hour  (3600)  and
	      three  days  (259200).  If neither this option nor the -s option
	      is used, the maximum age of the database is infinite.

       -l     Allows the user to select a different file, log_file, into which
	      the  daemon  will	 place Kerberos log messages.  If neither this
	      option nor the -s option is used, the log_file value is set to

       -r     Allows the user to change the name of the realm, realm, for
	      which the daemon will serve information.  If no realm name is
	      specified with the -r option, the daemon will serve the realm
	      of which the local host is a member.

       -s     Allows the user to tell the daemon to use the default values for
	      pause_seconds, max_age, and log_file of a slave server.  If
	      max_age has not been set with the -a option, the max_age value
	      is set to the slave server default of one day (86400).  If the
	      pause_seconds value has not been set with the -p option, the
	      pause_seconds value is set to the slave server default of 5
	      minutes (300).  If the log_file value has not been set with the
	      -l option, the log_file value is set to the slave server
	      default, /var/dss/kerberos/log/kerberos_slave.log.  Use of the
	      -s option is equivalent to using the following list of options
	      with the daemon:
	      -a 86400 -p 300 -l /var/dss/kerberos/log/kerberos_slave.log

       -n     Allows the user to tell the daemon that the maximum age of the
	      Kerberos database should be infinite.  This option is only
	      useful if the -s option has been selected by the user, but the
	      maximum age of the database should be infinite rather than the
	      slave default of one day (86400).  This option also overrides
	      the -a option.

       -m     Allows  the user to run the daemon in manual mode.  This implies
	      that the master key of the Kerberos database will be input  from
	      If this option is not used, the master key of the Kerberos data‐
	      base is read from the data file placed in the system.
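       The precedence rules among -p, -a, -l, -s and -n, and the database-age
       test that -a governs, as an added example.  This is not code from the
       Ultrix man page or from ULTRIX Kerberos; resolve_options, its return
       dictionary and database_too_old are this example's own names.  The
       numeric limits, the slave defaults and the log path are the ones the
       page gives.  Of note: -s supplies a default only for a value that -p, -a
       or -l did not set, and -n makes max_age infinite regardless of either.

```python
import os
import time

PAUSE_RANGE = (300, 3600)        # -p: five minutes .. one hour
MAX_AGE_RANGE = (3600, 259200)   # -a: one hour .. three days
SLAVE_DEFAULTS = {               # what -s supplies for anything left unset
    "pause_seconds": 300,
    "max_age": 86400,
    "log_file": "/var/dss/kerberos/log/kerberos_slave.log",
}
INFINITE = None                  # "pause forever" / "maximum age is infinite"


def _in_range(flag, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError("%s %d must be between %d and %d" % (flag, value, lo, hi))
    return value


def resolve_options(argv):
    """Return the effective pause_seconds, max_age, log_file, realm and manual
    settings for the given daemon arguments (hypothetical helper)."""
    opts = {"pause_seconds": INFINITE, "max_age": INFINITE, "log_file": None,
            "realm": None, "manual": False}
    slave = infinite_age = False
    args = list(argv)
    while args:
        flag = args.pop(0)
        if flag in ("-p", "-a", "-l", "-r"):
            if not args:
                raise ValueError(flag + " requires a value")
            value = args.pop(0)
            if flag == "-p":
                opts["pause_seconds"] = _in_range(flag, int(value), PAUSE_RANGE)
            elif flag == "-a":
                opts["max_age"] = _in_range(flag, int(value), MAX_AGE_RANGE)
            elif flag == "-l":
                opts["log_file"] = value
            else:
                opts["realm"] = value
        elif flag == "-s":
            slave = True
        elif flag == "-n":
            infinite_age = True
        elif flag == "-m":
            opts["manual"] = True
        else:
            raise ValueError("unknown option " + flag)
    if slave:  # -s fills in only the values -p, -a and -l left unset
        for key, default in SLAVE_DEFAULTS.items():
            if opts[key] is None:
                opts[key] = default
    if infinite_age:  # -n wins over both an explicit -a and the -s default
        opts["max_age"] = INFINITE
    return opts


def database_too_old(db_mtime, now, max_age):
    """The -a test: the database's age is now minus its last modification time."""
    return max_age is not INFINITE and (now - db_mtime) > max_age


def check_database_file(path, max_age, now=None):
    """Same test applied to a real database file, as a slave would apply it."""
    if now is None:
        now = time.time()
    return database_too_old(os.stat(path).st_mtime, now, max_age)
```

       resolve_options(["-s", "-n", "-a", "7200"]) yields an infinite max_age
       with the slave pause of 300 seconds, and resolve_options(["-p", "10"])
       raises because 10 is below the five-minute floor.  The file-based check
       depends on the database file's modification time being updated on every
       change, which is the assumption the -a option itself rests on.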

See Also
       kdb_init(8krb), kdb_util(8krb), kdb_edit(8krb), kdb_destroy(8krb),
       kerberos(3krb), kprop(8krb), kpropd(8krb)

								kerberos(8krb)
Copyright (c) for man pages and the logo by the respective OS vendor.