Diffstat (limited to 'src/man/kerberos.man')
-rw-r--r-- | src/man/kerberos.man | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/src/man/kerberos.man b/src/man/kerberos.man new file mode 100644 index 0000000..7b2b5d9 --- /dev/null +++ b/src/man/kerberos.man 
@@ -0,0 +1,180 @@ +.\" Man page generated from reStructuredText. +. +.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos" +.SH NAME +kerberos \- Overview of using Kerberos +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The Kerberos system authenticates individual users in a network +environment. After authenticating yourself to Kerberos, you can use +Kerberos\-enabled programs without having to present passwords. +.sp +If you enter your username and kinit(1) responds with this +message: +.sp +kinit(v5): Client not found in Kerberos database while getting initial +credentials +.sp +you haven\(aqt been registered as a Kerberos user. See your system +administrator. +.sp +A Kerberos name usually contains three parts. The first is the +\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second +is the \fBinstance\fP, which in the case of a user is usually null. +Some users may have privileged instances, however, such as \fBroot\fP or +\fBadmin\fP\&. In the case of a service, the instance is the fully +qualified name of the machine on which it runs; i.e. there can be an +rlogin service running on the machine ABC, which is different from the +rlogin service running on the machine XYZ. The third part of a +Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos +service providing authentication for the principal. 
+.sp +When writing a Kerberos name, the principal name is separated from the +instance (if not null) by a slash, and the realm (if not the local +realm) follows, preceded by an "@" sign. The following are examples +of valid Kerberos names: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +david +jennifer/admin +joeuser@BLEEP.COM +cbrown/root@FUBAR.ORG +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When you authenticate yourself with Kerberos you get an initial +Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol +message that provides authentication.) Kerberos uses this ticket for +network utilities such as rlogin and rcp. The ticket transactions are +done transparently, so you don\(aqt have to worry about their management. +.sp +Note, however, that tickets expire. Privileged tickets, such as those +with the instance \fBroot\fP, expire in a few minutes, while tickets +that carry more ordinary privileges may be good for several hours or a +day, depending on the installation\(aqs policy. If your login session +extends beyond the time limit, you will have to re\-authenticate +yourself to Kerberos to get new tickets. Use the kinit(1) +command to re\-authenticate yourself. +.sp +If you use the kinit command to get your tickets, make sure you use +the kdestroy command to destroy your tickets before you end your login +session. You should put the kdestroy command in your \fB\&.logout\fP file +so that your tickets will be destroyed automatically when you logout. +For more information about the kinit and kdestroy commands, see the +kinit(1) and kdestroy(1) manual pages. +.sp +Kerberos tickets can be forwarded. In order to forward tickets, you +must request \fBforwardable\fP tickets when you kinit. Once you have +forwardable tickets, most Kerberos programs have a command line option +to forward them to the remote host. +.SH ENVIRONMENT VARIABLES +.sp +Several environment variables affect the operation of Kerberos\-enabled +programs. 
These inclide: +.INDENT 0.0 +.TP +\fBKRB5CCNAME\fP +Specifies the location of the credential cache, in the form +\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP +type is assumed and \fIresidual\fP is the pathname of the cache file. +A collection of multiple caches may be used by specifying the +\fBdir\fP type and the pathname of a private directory (which must +already exist). The default cache file is /tmp/krb5cc_*uid*, +where \fIuid\fP is the decimal user ID of the user. +.TP +\fBKRB5_KTNAME\fP +Specifies the location of the keytab file, in the form +\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is +assumed and \fIresidual\fP is the pathname of the keytab file. The +default keytab file is \fB/etc/krb5.keytab\fP\&. +.TP +\fBKRB5_CONFIG\fP +Specifies the location of the Kerberos configuration file. The +default is \fB/etc/krb5.conf\fP\&. +.TP +\fBKRB5_KDC_PROFILE\fP +Specifies the location of the KDC configuration file, which +contains additional configuration directives for the Key +Distribution Center daemon and associated programs. The default +is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&. +.TP +\fBKRB5RCACHETYPE\fP +Specifies the default type of replay cache to use for servers. +Valid types include \fBdfl\fP for the normal file type and \fBnone\fP +for no replay cache. +.TP +\fBKRB5RCACHEDIR\fP +Specifies the default directory for replay caches used by servers. +The default is the value of the \fBTMPDIR\fP environment variable, +or \fB/var/tmp\fP if \fBTMPDIR\fP is not set. +.TP +\fBKRB5_TRACE\fP +Specifies a filename to write trace log output to. Trace logs can +help illuminate decisions made internally by the Kerberos +libraries. The default is not to write trace log output anywhere. +.UNINDENT +.sp +Most environment variables are disabled for certain programs, such as +login system programs and setuid programs, which are designed to be +secure when run within an untrusted process environment. 
+.SH SEE ALSO +.sp +kdestroy(1), kinit(1), klist(1), +kswitch(1), kpasswd(1), ksu(1), +krb5.conf(5), kdc.conf(5), kadmin(1), +kadmind(8), kdb5_util(8), krb5kdc(8) +.SH BUGS +.SH AUTHORS +.nf +Steve Miller, MIT Project Athena/Digital Equipment Corporation +Clifford Neuman, MIT Project Athena +Greg Hudson, MIT Kerberos Consortium +.fi +.sp +.SH HISTORY +.sp +The MIT Kerberos 5 implementation was developed at MIT, with +contributions from many outside parties. It is currently maintained +by the MIT Kerberos Consortium. +.SH RESTRICTIONS +.sp +Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of +Technology +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2018, MIT +.\" Generated by docutils manpage writer. +. |
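Review bot: two typos in the generated text should be fixed in the reStructuredText source and the man page regenerated rather than patched by hand, since the header comment says the file is generated: "These inclide:" under ENVIRONMENT VARIABLES should read "These include:", and "Masachusetts Institute of Technology" under RESTRICTIONS should read "Massachusetts Institute of Technology". Also, the BUGS section is empty (".SH BUGS" is immediately followed by ".SH AUTHORS"), and the trailing AUTHOR ("MIT") and COPYRIGHT ("1985-2018, MIT") sections largely duplicate the AUTHORS list and the copyright line already placed under RESTRICTIONS; consider dropping the empty section and consolidating the copyright statement in the generator configuration so the page does not carry two differing copyright year ranges.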