Kerberos(5)Kerberos(5)NAME
Kerberos - introduction to the Kerberos system
DESCRIPTION
The Kerberos system authenticates individual users in a network envi‐
ronment. After authenticating yourself to Kerberos, you can use net‐
work utilities such as and without having to present passwords to the
remote hosts and without having to edit and use files. Note that these
utilities will work without passwords only if the remote machines you
deal with support the Kerberos system.
If you enter your username and the remote machine is not a Kerberos
system, you will get the following message:
You will have to see your system administrator when the above message
is encountered.
A Kerberos name usually contains three parts. The first is the pri‐
mary, which is usually a user's or service's name. The second is the
instance, which in the case of a user is usually null. Some users may
have privileged instances, such as "root" or "admin". In the case of a
service, the instance is the fully qualified name of the machine on
which it runs; that is, there can be an service running on the machine
ABC, which is different from the service running on the machine XYZ.
The third part of a Kerberos name is the realm. The realm corresponds
to the Kerberos service providing authentication for the principal.
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash and the realm (if not the local
realm) follows, preceded by an sign. The following are examples of
valid Kerberos names:
When you authenticate yourself with Kerberos, you get an initial Ker‐
beros ticket. A Kerberos ticket is an encrypted protocol message that
provides authentication. Kerberos uses this ticket for network utili‐
ties such as and The ticket transactions are done transparently, so you
do not have to worry about their management.
Note, however, that tickets will expire. Privileged tickets, such as
those with the instance "root", expire within a few minutes, while
tickets that carry more ordinary privileges may be valid for several
hours or a day, depending on the Kerberos server configuration. If
your login session extends beyond the lifetime limit, you will have to
re-authenticate yourself to Kerberos to get new tickets. Use the com‐
mand to re-authenticate yourself.
If you use the command to get your tickets, make sure you use the com‐
mand to destroy your tickets before you end your login session. You
should put the command in your file so that your tickets will be
destroyed automatically when you logout. For more information about
the and commands, see kinit(1) and kdestroy(1).
Kerberos tickets can be forwarded. In order to forward tickets, you
must request forwardable tickets when you use the command. Once you
have forwardable tickets, most Kerberos programs have a command line
option to forward them to the remote host.
Currently, Kerberos support is available for the following network ser‐
vices: and
Kerberos supports the following encryption types:
DES CBC mode with CRC-32.
DES CBC mode with RSA-MD4.
DES CBC mode with RSA-MD5.
DES CBC mode with RSA-MD5.
Alias to
DES CBC mode RAW.
Triple DES CBC mode RAW.
Triple DES CBC mode with HMAC/SHA1.
Triple DES CBC mode with HMAC/SHA1.
Alias to
Triple DES CBC mode with HMAC/SHA1.
Alias to
DES with HMAC/SHA1.
ArcFour with HMAC/MD5.
ArcFour with HMAC/MD5.
Alias to
ArcFour with HMAC/MD5.
Alias to
Exportable ArcFour with HMAC/MD5.
Exportable ArcFour with HMAC/MD5.
Exportable ArcFour with HMAC/MD5.
Alias to
Exportable ArcFour with HMAC/MD5.
Alias to
AES-128 CTS mode with 96-bit SHA-1 HMAC.
AES-128 CTS mode with 96-bit SHA-1 HMAC.
Alias to
AES-256 CTS mode with 96-bit SHA-1 HMAC.
AES-256 CTS mode with 96-bit SHA-1 HMAC.
Alias to
AUTHOR
was developed by the Massachusetts Institute of Technology by Steve
Miller, MIT Project Athena/Digital Equipment Corporation, and Clifford
Neuman, MIT Project Athena.
SEE ALSOkdestroy(1), kinit(1), klist(1), kpasswd(1), libkrb5(3), krb5.conf(4).
Kerberos(5)
