lib/krb5/kerberos.8

*d3273b5bSchristos.\"	$NetBSD: kerberos.8,v 1.2 2017/01/28 21:31:49 christos Exp $
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" Copyright (c) 2000 Kungliga Tekniska Högskolan
ca1c9b0cSelric.\" (Royal Institute of Technology, Stockholm, Sweden).
ca1c9b0cSelric.\" All rights reserved.
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" Redistribution and use in source and binary forms, with or without
ca1c9b0cSelric.\" modification, are permitted provided that the following conditions
ca1c9b0cSelric.\" are met:
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" 1. Redistributions of source code must retain the above copyright
ca1c9b0cSelric.\"    notice, this list of conditions and the following disclaimer.
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" 2. Redistributions in binary form must reproduce the above copyright
ca1c9b0cSelric.\"    notice, this list of conditions and the following disclaimer in the
ca1c9b0cSelric.\"    documentation and/or other materials provided with the distribution.
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" 3. Neither the name of the Institute nor the names of its contributors
ca1c9b0cSelric.\"    may be used to endorse or promote products derived from this software
ca1c9b0cSelric.\"    without specific prior written permission.
ca1c9b0cSelric.\"
ca1c9b0cSelric.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
ca1c9b0cSelric.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
ca1c9b0cSelric.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ca1c9b0cSelric.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
ca1c9b0cSelric.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
ca1c9b0cSelric.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
ca1c9b0cSelric.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
ca1c9b0cSelric.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
ca1c9b0cSelric.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
ca1c9b0cSelric.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
ca1c9b0cSelric.\" SUCH DAMAGE.
ca1c9b0cSelric.\"
b40995a4Selric.\" Id
ca1c9b0cSelric.\"
b9d004c6Schristos.Dd Jun 27, 2013
ca1c9b0cSelric.Dt KERBEROS 8
ca1c9b0cSelric.Os
ca1c9b0cSelric.Sh NAME
ca1c9b0cSelric.Nm kerberos
ca1c9b0cSelric.Nd introduction to the Kerberos system
ca1c9b0cSelric.Sh DESCRIPTION
ca1c9b0cSelricKerberos is a network authentication system. Its purpose is to
ca1c9b0cSelricsecurely authenticate users and services in an insecure network
ca1c9b0cSelricenvironment.
ca1c9b0cSelric.Pp
ca1c9b0cSelricThis is done with a Kerberos server acting as a trusted third party,
ca1c9b0cSelrickeeping a database with secret keys for all users and services
ca1c9b0cSelric(collectively called
ca1c9b0cSelric.Em principals ) .
ca1c9b0cSelric.Pp
ca1c9b0cSelricEach principal belongs to exactly one
ca1c9b0cSelric.Em realm ,
ca1c9b0cSelricwhich is the administrative domain in Kerberos. A realm usually
ca1c9b0cSelriccorresponds to an organisation, and the realm should normally be
ca1c9b0cSelricderived from that organisation's domain name. A realm is served by one
ca1c9b0cSelricor more Kerberos servers.
ca1c9b0cSelric.Pp
ca1c9b0cSelricThe authentication process involves exchange of
ca1c9b0cSelric.Sq tickets
ca1c9b0cSelricand
ca1c9b0cSelric.Sq authenticators
ca1c9b0cSelricwhich together prove the principal's identity.
ca1c9b0cSelric.Pp
ca1c9b0cSelricWhen you login to the Kerberos system, either through the normal
ca1c9b0cSelricsystem login or with the
ca1c9b0cSelric.Xr kinit 1
ca1c9b0cSelricprogram, you acquire a
ca1c9b0cSelric.Em ticket granting ticket
ca1c9b0cSelricwhich allows you to get new tickets for other services, such as
ca1c9b0cSelric.Ic telnet
ca1c9b0cSelricor
ca1c9b0cSelric.Ic ftp ,
ca1c9b0cSelricwithout giving your password.
ca1c9b0cSelric.Pp
ca1c9b0cSelricFor more information on how Kerberos works, and other general Kerberos
ca1c9b0cSelricquestions see the Kerberos FAQ at
b9d004c6Schristos.Lk http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html .
ca1c9b0cSelric.Pp
ca1c9b0cSelricFor setup instructions see the Heimdal Texinfo manual.
ca1c9b0cSelric.Sh SEE ALSO
ca1c9b0cSelric.Xr ftp 1 ,
ca1c9b0cSelric.Xr kdestroy 1 ,
ca1c9b0cSelric.Xr kinit 1 ,
ca1c9b0cSelric.Xr klist 1 ,
ca1c9b0cSelric.Xr kpasswd 1 ,
b9d004c6Schristos.Xr telnet 1 ,
b9d004c6Schristos.Xr krb5 3 ,
b9d004c6Schristos.Xr krb5.conf 5 ,
b9d004c6Schristos.Xr kadmin 1 ,
b9d004c6Schristos.Xr kdc 8 ,
b9d004c6Schristos.Xr ktutil 1
ca1c9b0cSelric.Sh HISTORY
ca1c9b0cSelricThe Kerberos authentication system was developed in the late 1980's as
ca1c9b0cSelricpart of the Athena Project at the Massachusetts Institute of
ca1c9b0cSelricTechnology. Versions one through three never reached outside MIT, but
ca1c9b0cSelricversion 4 was (and still is) quite popular, especially in the academic
ca1c9b0cSelriccommunity, but is also used in commercial products like the AFS
ca1c9b0cSelricfilesystem.
ca1c9b0cSelric.Pp
ca1c9b0cSelricThe problems with version 4 are that it has many limitations, the code
ca1c9b0cSelricwas not too well written (since it had been developed over a long
ca1c9b0cSelrictime), and it has a number of known security problems. To resolve many
ca1c9b0cSelricof these issues work on version five started, and resulted in IETF RFC
ca1c9b0cSelric1510 in 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120,
ca1c9b0cSelricalso known as Kerberos clarifications. With the arrival of IETF RFC
ca1c9b0cSelric4120, the work on adding extensibility and internationalization have
ca1c9b0cSelricstarted (Kerberos extensions), and a new RFC will hopefully appear
ca1c9b0cSelricsoon.
ca1c9b0cSelric.Pp
ca1c9b0cSelricThis manual page is part of the
ca1c9b0cSelric.Nm Heimdal
ca1c9b0cSelricKerberos 5 distribution, which has been in development at the Royal
ca1c9b0cSelricInstitute of Technology in Stockholm, Sweden, since about 1997.