path: root/src/man/kerberos.man
Diffstat (limited to 'src/man/kerberos.man')
-rw-r--r--src/man/kerberos.man180
1 files changed, 180 insertions, 0 deletions
diff --git a/src/man/kerberos.man b/src/man/kerberos.man
new file mode 100644
index 0000000..7b2b5d9
--- /dev/null
+++ b/src/man/kerberos.man
@@ -0,0 +1,180 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
+.SH NAME
+kerberos \- Overview of using Kerberos
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The Kerberos system authenticates individual users in a network
+environment. After authenticating yourself to Kerberos, you can use
+Kerberos\-enabled programs without having to present passwords.
+.sp
+If you enter your username and kinit(1) responds with this
+message:
+.sp
+kinit(v5): Client not found in Kerberos database while getting initial
+credentials
+.sp
+you haven\(aqt been registered as a Kerberos user. See your system
+administrator.
+.sp
+A Kerberos name usually contains three parts. The first is the
+\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second
+is the \fBinstance\fP, which in the case of a user is usually null.
+Some users may have privileged instances, however, such as \fBroot\fP or
+\fBadmin\fP\&. In the case of a service, the instance is the fully
+qualified name of the machine on which it runs; i.e. there can be an
+rlogin service running on the machine ABC, which is different from the
+rlogin service running on the machine XYZ. The third part of a
+Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos
+service providing authentication for the principal.
+.sp
+When writing a Kerberos name, the principal name is separated from the
+instance (if not null) by a slash, and the realm (if not the local
+realm) follows, preceded by an "@" sign. The following are examples
+of valid Kerberos names:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+david
+jennifer/admin
+joeuser@BLEEP.COM
+cbrown/root@FUBAR.ORG
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When you authenticate yourself with Kerberos you get an initial
+Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol
+message that provides authentication.) Kerberos uses this ticket for
+network utilities such as rlogin and rcp. The ticket transactions are
+done transparently, so you don\(aqt have to worry about their management.
+.sp
+Note, however, that tickets expire. Privileged tickets, such as those
+with the instance \fBroot\fP, expire in a few minutes, while tickets
+that carry more ordinary privileges may be good for several hours or a
+day, depending on the installation\(aqs policy. If your login session
+extends beyond the time limit, you will have to re\-authenticate
+yourself to Kerberos to get new tickets. Use the kinit(1)
+command to re\-authenticate yourself.
+.sp
+If you use the kinit command to get your tickets, make sure you use
+the kdestroy command to destroy your tickets before you end your login
+session. You should put the kdestroy command in your \fB\&.logout\fP file
+so that your tickets will be destroyed automatically when you logout.
+For more information about the kinit and kdestroy commands, see the
+kinit(1) and kdestroy(1) manual pages.
+.sp
+Kerberos tickets can be forwarded. In order to forward tickets, you
+must request \fBforwardable\fP tickets when you kinit. Once you have
+forwardable tickets, most Kerberos programs have a command line option
+to forward them to the remote host.
+.SH ENVIRONMENT VARIABLES
+.sp
+Several environment variables affect the operation of Kerberos\-enabled
+programs. These inclide:
+.INDENT 0.0
+.TP
+\fBKRB5CCNAME\fP
+Specifies the location of the credential cache, in the form
+\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP
+type is assumed and \fIresidual\fP is the pathname of the cache file.
+A collection of multiple caches may be used by specifying the
+\fBdir\fP type and the pathname of a private directory (which must
+already exist). The default cache file is /tmp/krb5cc_*uid*,
+where \fIuid\fP is the decimal user ID of the user.
+.TP
+\fBKRB5_KTNAME\fP
+Specifies the location of the keytab file, in the form
+\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is
+assumed and \fIresidual\fP is the pathname of the keytab file. The
+default keytab file is \fB/etc/krb5.keytab\fP\&.
+.TP
+\fBKRB5_CONFIG\fP
+Specifies the location of the Kerberos configuration file. The
+default is \fB/etc/krb5.conf\fP\&.
+.TP
+\fBKRB5_KDC_PROFILE\fP
+Specifies the location of the KDC configuration file, which
+contains additional configuration directives for the Key
+Distribution Center daemon and associated programs. The default
+is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&.
+.TP
+\fBKRB5RCACHETYPE\fP
+Specifies the default type of replay cache to use for servers.
+Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
+for no replay cache.
+.TP
+\fBKRB5RCACHEDIR\fP
+Specifies the default directory for replay caches used by servers.
+The default is the value of the \fBTMPDIR\fP environment variable,
+or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
+.TP
+\fBKRB5_TRACE\fP
+Specifies a filename to write trace log output to. Trace logs can
+help illuminate decisions made internally by the Kerberos
+libraries. The default is not to write trace log output anywhere.
+.UNINDENT
+.sp
+Most environment variables are disabled for certain programs, such as
+login system programs and setuid programs, which are designed to be
+secure when run within an untrusted process environment.
+.SH SEE ALSO
+.sp
+kdestroy(1), kinit(1), klist(1),
+kswitch(1), kpasswd(1), ksu(1),
+krb5.conf(5), kdc.conf(5), kadmin(1),
+kadmind(8), kdb5_util(8), krb5kdc(8)
+.SH BUGS
+.SH AUTHORS
+.nf
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+Clifford Neuman, MIT Project Athena
+Greg Hudson, MIT Kerberos Consortium
+.fi
+.sp
+.SH HISTORY
+.sp
+The MIT Kerberos 5 implementation was developed at MIT, with
+contributions from many outside parties. It is currently maintained
+by the MIT Kerberos Consortium.
+.SH RESTRICTIONS
+.sp
+Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of
+Technology
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+1985-2018, MIT
+.\" Generated by docutils manpage writer.
+.