kerberos man page on Fedora

KERBEROS(1)							   KERBEROS(1)

NAME
       kerberos - introduction to the Kerberos system

DESCRIPTION
       The  Kerberos  system authenticates individual users in a network envi‐
       ronment.	 After authenticating yourself to Kerberos, you can  use  Ker‐
       beros-enabled programs without having to present passwords.

       If you enter your username and kinit responds with this message:

       kinit(v5):  Client not found in Kerberos database while getting initial
       credentials

       you haven't been registered as a Kerberos user.	See your system admin‐
       istrator.

       A Kerberos name usually contains three parts.  The first is the
       primary, which is usually a user's or service's name.  The second is
       the instance, which in the case of a user is usually null.  Some users
       may have privileged instances, however, such as ``root'' or ``admin''.
       In the case of a service, the instance is the fully qualified name of
       the machine on which it runs; for example, there can be an rlogin
       service running on the machine ABC, which is different from the rlogin
       service running on the machine XYZ.  The third part of a Kerberos name
       is the realm.  The realm corresponds to the Kerberos service providing
       authentication for the principal.

       When writing a Kerberos name, the primary is separated from the
       instance (if not null) by a slash, and the realm (if not the local
       realm) follows, preceded by an ``@'' sign.  The following are examples
       of valid Kerberos names:

	       david
	       jennifer/admin
	       joeuser@BLEEP.COM
	       cbrown/root@FUBAR.ORG
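
       The naming rules above, as an added shell example (not part of the
       original manual page).  The function names and the EXAMPLE.COM local
       realm are assumptions of this example; it handles only the
       primary[/instance][@realm] form described here.

```shell
# Added example: split a Kerberos name written as primary[/instance][@realm].
# LOCAL_REALM is a constructed placeholder for the site's local realm.
LOCAL_REALM=EXAMPLE.COM

# krb_name_split NAME [REALM]: prints "primary|instance|realm", or returns 1
# when the primary or the realm is empty.  Also sets kn_primary, kn_instance
# and kn_realm for the caller.
krb_name_split() {
    kn_rest=$1
    kn_realm=${2:-$LOCAL_REALM}
    case $kn_rest in
        *@*) kn_realm=${kn_rest##*@}; kn_rest=${kn_rest%@*} ;;
    esac
    case $kn_rest in
        */*) kn_primary=${kn_rest%%/*}; kn_instance=${kn_rest#*/} ;;
        *)   kn_primary=$kn_rest; kn_instance= ;;
    esac
    [ -n "$kn_primary" ] && [ -n "$kn_realm" ] || return 1
    printf '%s|%s|%s\n' "$kn_primary" "$kn_instance" "$kn_realm"
}

# krb_name_privileged NAME [REALM]: status 0 when the instance is one of the
# privileged instances the text names (root, admin), 1 otherwise, 2 when the
# name does not parse.
krb_name_privileged() {
    krb_name_split "$1" "$2" >/dev/null || return 2
    case $kn_instance in
        root|admin) return 0 ;;
        *)          return 1 ;;
    esac
}

# The four names listed above, followed by a service name (constructed).
for kn in david jennifer/admin joeuser@BLEEP.COM cbrown/root@FUBAR.ORG \
          rlogin/abc.example.com; do
    if krb_name_privileged "$kn"; then kn_tag=privileged; else kn_tag=ordinary; fi
    printf '%-24s %-28s %s\n' "$kn" "$(krb_name_split "$kn")" "$kn_tag"
done
```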

       When  you  authenticate	yourself with Kerberos you get an initial Ker‐
       beros ticket.  (A Kerberos ticket is an encrypted protocol message that
       provides authentication.)  Kerberos uses this ticket for network utili‐
       ties such as rlogin and rcp.  The ticket transactions are  done	trans‐
       parently, so you don't have to worry about their management.

       Note,  however, that tickets expire.  Privileged tickets, such as those
       with the instance ``root'', expire in a few minutes, while tickets that
       carry  more ordinary privileges may be good for several hours or a day,
       depending on the installation's policy.	If your login session  extends
       beyond  the  time  limit,  you will have to re-authenticate yourself to
       Kerberos to get new tickets.  Use the kinit command to  re-authenticate
       yourself.

       If you use the kinit command to get your tickets, make sure you use
       the kdestroy command to destroy your tickets before you end your login
       session.  You should put the kdestroy command in your .logout file so
       that your tickets will be destroyed automatically when you log out.
       For more information about the kinit and kdestroy commands, see the
       kinit(1) and kdestroy(1) manual pages.

       Kerberos tickets can be forwarded.  In order to	forward	 tickets,  you
       must  request  forwardable  tickets when you kinit.  Once you have for‐
       wardable tickets, most Kerberos programs have a command line option  to
       forward them to the remote host.

ENVIRONMENT VARIABLES
       Several	environment variables affect the operation of Kerberos-enabled
       programs.  These include:

       KRB5CCNAME
	      Specifies the location of the  credential	 cache,	 in  the  form
	      TYPE:residual.   If  no type prefix is present, the FILE type is
	      assumed and residual is the pathname of the cache file.  A  col‐
	      lection  of  multiple  caches  may be used by specifying the DIR
	      type and the pathname of a private directory (which must already
	      exist).	The default cache file is /tmp/krb5cc_uid where uid is
	      the decimal user ID of the user.

       KRB5_KTNAME
	      Specifies	 the  location	of  the	 keytab	 file,	in  the	  form
	      TYPE:residual.   If no type is present, the FILE type is assumed
	      and residual is the pathname of the keytab  file.	  The  default
	      keytab file is /etc/krb5.keytab.

       KRB5_CONFIG
	      Specifies	 the location of the Kerberos configuration file.  The
	      default is /etc/krb5.conf.

       KRB5_KDC_PROFILE
	      Specifies the location of the KDC configuration file, which con‐
	      tains  additional configuration directives for the Key Distribu‐
	      tion Center daemon and  associated  programs.   The  default  is
	      /var/kerberos/krb5kdc/kdc.conf.

       KRB5RCACHETYPE
              Specifies the default type of replay cache to use for servers.
              Valid types include "dfl" for the normal file type and "none"
              for no replay cache.

       KRB5RCACHEDIR
              Specifies the default directory for replay caches used by
              servers.  The default is the value of the TMPDIR environment
              variable, or /var/tmp if TMPDIR is not set.

       KRB5_TRACE
	      Specifies a filename to write trace log output to.   Trace  logs
	      can  help	 illuminate  decisions made internally by the Kerberos
	      libraries.  The default is not to write trace  log  output  any‐
	      where.

       Most  environment  variables are disabled for certain programs, such as
       login system programs and setuid programs, which	 are  designed	to  be
       secure when run within an untrusted process environment.
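
       The KRB5CCNAME rules above (TYPE:residual, FILE assumed when no type
       prefix is present, /tmp/krb5cc_uid as the default), as an added shell
       example that is not part of the original manual page.  The function
       names and verdict strings are this example's own, and applying the
       "private" requirement to FILE caches as well as DIR directories is an
       assumption of the example.

```shell
# Added example: resolve a KRB5CCNAME value and check that a path-based
# cache is private.  The verdict strings are this example's own.

# ccache_normalize VALUE UID: prints TYPE:residual.  An empty value falls
# back to the default cache file; a value without a type prefix is FILE.
ccache_normalize() {
    cc_val=$1
    [ -n "$cc_val" ] || cc_val="/tmp/krb5cc_$2"
    case $cc_val in
        *:*) printf '%s\n' "$cc_val" ;;
        *)   printf 'FILE:%s\n' "$cc_val" ;;
    esac
}

# ccache_audit VALUE UID: prints one verdict for the resolved cache:
#   private / exposed   path exists; group and other have no / some access
#   absent              FILE cache does not exist (no tickets cached)
#   missing-dir         DIR directory does not exist (it must already exist)
#   not-path-based      any other cache type; nothing to check on disk
ccache_audit() {
    cc_norm=$(ccache_normalize "$1" "$2")
    cc_type=${cc_norm%%:*}
    cc_path=${cc_norm#*:}
    case $cc_type in
        FILE) [ -f "$cc_path" ] || { echo absent; return 0; } ;;
        DIR)  [ -d "$cc_path" ] || { echo missing-dir; return 0; } ;;
        *)    echo not-path-based; return 0 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    cc_bits=$(ls -ld -- "$cc_path" | cut -c5-10)
    if [ "$cc_bits" = "------" ]; then echo private; else echo exposed; fi
}

# Audit the cache this shell would use.
ccache_audit "${KRB5CCNAME:-}" "$(id -u)"
```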

SEE ALSO
       kdestroy(1),   kinit(1),	  klist(1),  kswitch(1),  kpasswd(1),  ksu(1),
       krb5.conf(5),   kdc.conf(5),   kadmin(1),   kadmind(8),	 kdb5_util(8),
       krb5kdc(8)

BUGS
AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment Corporation
       Clifford Neuman, MIT Project Athena
       Greg Hudson, MIT Kerberos Consortium

HISTORY
       The  MIT Kerberos 5 implementation was developed at MIT, with contribu‐
       tions from many outside parties.	 It is currently maintained by the MIT
       Kerberos Consortium.

RESTRICTIONS
       Copyright   1985,1986,1989-1996,2002,2011  Massachusetts	 Institute  of
       Technology
