|
jpayne@68
|
1 .\" Man page generated from reStructuredText.
|
|
jpayne@68
|
2 .
|
|
jpayne@68
|
3 .TH "KERBEROS" "7" " " "1.20.1" "MIT Kerberos"
|
|
jpayne@68
|
4 .SH NAME
|
|
jpayne@68
|
5 kerberos \- Overview of using Kerberos
|
|
jpayne@68
|
6 .
|
|
jpayne@68
|
7 .nr rst2man-indent-level 0
|
|
jpayne@68
|
8 .
|
|
jpayne@68
|
9 .de1 rstReportMargin
|
|
jpayne@68
|
10 \\$1 \\n[an-margin]
|
|
jpayne@68
|
11 level \\n[rst2man-indent-level]
|
|
jpayne@68
|
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
13 -
|
|
jpayne@68
|
14 \\n[rst2man-indent0]
|
|
jpayne@68
|
15 \\n[rst2man-indent1]
|
|
jpayne@68
|
16 \\n[rst2man-indent2]
|
|
jpayne@68
|
17 ..
|
|
jpayne@68
|
18 .de1 INDENT
|
|
jpayne@68
|
19 .\" .rstReportMargin pre:
|
|
jpayne@68
|
20 . RS \\$1
|
|
jpayne@68
|
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
jpayne@68
|
22 . nr rst2man-indent-level +1
|
|
jpayne@68
|
23 .\" .rstReportMargin post:
|
|
jpayne@68
|
24 ..
|
|
jpayne@68
|
25 .de UNINDENT
|
|
jpayne@68
|
26 . RE
|
|
jpayne@68
|
27 .\" indent \\n[an-margin]
|
|
jpayne@68
|
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
29 .nr rst2man-indent-level -1
|
|
jpayne@68
|
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
jpayne@68
|
32 ..
|
|
jpayne@68
|
33 .SH DESCRIPTION
|
|
jpayne@68
|
34 .sp
|
|
jpayne@68
|
35 The Kerberos system authenticates individual users in a network
|
|
jpayne@68
|
36 environment. After authenticating yourself to Kerberos, you can use
|
|
jpayne@68
|
37 Kerberos\-enabled programs without having to present passwords or
|
|
jpayne@68
|
38 certificates to those programs.
|
|
jpayne@68
|
39 .sp
|
|
jpayne@68
|
40 If you receive the following response from kinit(1):
|
|
jpayne@68
|
41 .sp
|
|
jpayne@68
|
42 kinit: Client not found in Kerberos database while getting initial
|
|
jpayne@68
|
43 credentials
|
|
jpayne@68
|
44 .sp
|
|
jpayne@68
|
45 you haven\(aqt been registered as a Kerberos user. See your system
|
|
jpayne@68
|
46 administrator.
|
|
jpayne@68
|
47 .sp
|
|
jpayne@68
|
48 A Kerberos name usually contains three parts. The first is the
|
|
jpayne@68
|
49 \fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second
|
|
jpayne@68
|
50 is the \fBinstance\fP, which in the case of a user is usually null.
|
|
jpayne@68
|
51 Some users may have privileged instances, however, such as \fBroot\fP or
|
|
jpayne@68
|
52 \fBadmin\fP\&. In the case of a service, the instance is the fully
|
|
jpayne@68
|
53 qualified name of the machine on which it runs; i.e. there can be an
|
|
jpayne@68
|
54 ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is
|
|
jpayne@68
|
55 different from the ssh service running on the machine XYZ
|
|
jpayne@68
|
56 (\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&.
|
|
jpayne@68
|
57 The realm corresponds to the Kerberos service providing authentication
|
|
jpayne@68
|
58 for the principal. Realms are conventionally all\-uppercase, and often
|
|
jpayne@68
|
59 match the end of hostnames in the realm (for instance, host01.example.com
|
|
jpayne@68
|
60 might be in realm EXAMPLE.COM).
|
|
jpayne@68
|
61 .sp
|
|
jpayne@68
|
62 When writing a Kerberos name, the principal name is separated from the
|
|
jpayne@68
|
63 instance (if not null) by a slash, and the realm (if not the local
|
|
jpayne@68
|
64 realm) follows, preceded by an "@" sign. The following are examples
|
|
jpayne@68
|
65 of valid Kerberos names:
|
|
jpayne@68
|
66 .INDENT 0.0
|
|
jpayne@68
|
67 .INDENT 3.5
|
|
jpayne@68
|
68 .sp
|
|
jpayne@68
|
69 .nf
|
|
jpayne@68
|
70 .ft C
|
|
jpayne@68
|
71 david
|
|
jpayne@68
|
72 jennifer/admin
|
|
jpayne@68
|
73 joeuser@BLEEP.COM
|
|
jpayne@68
|
74 cbrown/root@FUBAR.ORG
|
|
jpayne@68
|
75 .ft P
|
|
jpayne@68
|
76 .fi
|
|
jpayne@68
|
77 .UNINDENT
|
|
jpayne@68
|
78 .UNINDENT
|
|
jpayne@68
|
79 .sp
|
|
jpayne@68
|
80 When you authenticate yourself with Kerberos you get an initial
|
|
jpayne@68
|
81 Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol
|
|
jpayne@68
|
82 message that provides authentication.) Kerberos uses this ticket for
|
|
jpayne@68
|
83 network utilities such as ssh. The ticket transactions are done
|
|
jpayne@68
|
84 transparently, so you don\(aqt have to worry about their management.
|
|
jpayne@68
|
85 .sp
|
|
jpayne@68
|
86 Note, however, that tickets expire. Administrators may configure more
|
|
jpayne@68
|
87 privileged tickets, such as those with service or instance of \fBroot\fP
|
|
jpayne@68
|
88 or \fBadmin\fP, to expire in a few minutes, while tickets that carry
|
|
jpayne@68
|
89 more ordinary privileges may be good for several hours or a day. If
|
|
jpayne@68
|
90 your login session extends beyond the time limit, you will have to
|
|
jpayne@68
|
91 re\-authenticate yourself to Kerberos to get new tickets using the
|
|
jpayne@68
|
92 kinit(1) command.
|
|
jpayne@68
|
93 .sp
|
|
jpayne@68
|
94 Some tickets are \fBrenewable\fP beyond their initial lifetime. This
|
|
jpayne@68
|
95 means that \fBkinit \-R\fP can extend their lifetime without requiring
|
|
jpayne@68
|
96 you to re\-authenticate.
|
|
jpayne@68
|
97 .sp
|
|
jpayne@68
|
98 If you wish to delete your local tickets, use the kdestroy(1)
|
|
jpayne@68
|
99 command.
|
|
jpayne@68
|
100 .sp
|
|
jpayne@68
|
101 Kerberos tickets can be forwarded. In order to forward tickets, you
|
|
jpayne@68
|
102 must request \fBforwardable\fP tickets when you kinit. Once you have
|
|
jpayne@68
|
103 forwardable tickets, most Kerberos programs have a command line option
|
|
jpayne@68
|
104 to forward them to the remote host. This can be useful for, e.g.,
|
|
jpayne@68
|
105 running kinit on your local machine and then sshing into another to do
|
|
jpayne@68
|
106 work. Note that this should not be done on untrusted machines since
|
|
jpayne@68
|
107 they will then have your tickets.
|
|
jpayne@68
|
108 .SH ENVIRONMENT VARIABLES
|
|
jpayne@68
|
109 .sp
|
|
jpayne@68
|
110 Several environment variables affect the operation of Kerberos\-enabled
|
|
jpayne@68
|
111 programs. These include:
|
|
jpayne@68
|
112 .INDENT 0.0
|
|
jpayne@68
|
113 .TP
|
|
jpayne@68
|
114 \fBKRB5CCNAME\fP
|
|
jpayne@68
|
115 Default name for the credentials cache file, in the form
|
|
jpayne@68
|
116 \fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine
|
|
jpayne@68
|
117 the availability of a cache collection. \fBFILE\fP is not a
|
|
jpayne@68
|
118 collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are.
|
|
jpayne@68
|
119 .sp
|
|
jpayne@68
|
120 If not set, the value of \fBdefault_ccache_name\fP from
|
|
jpayne@68
|
121 configuration files (see \fBKRB5_CONFIG\fP) will be used. If that
|
|
jpayne@68
|
122 is also not set, the default \fItype\fP is \fBFILE\fP, and the
|
|
jpayne@68
|
123 \fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the
|
|
jpayne@68
|
124 decimal user ID of the user.
|
|
jpayne@68
|
125 .TP
|
|
jpayne@68
|
126 \fBKRB5_KTNAME\fP
|
|
jpayne@68
|
127 Specifies the location of the default keytab file, in the form
|
|
jpayne@68
|
128 \fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is
|
|
jpayne@68
|
129 assumed and \fIresidual\fP is the pathname of the keytab file. If
|
|
jpayne@68
|
130 unset, \fBFILE:/etc/krb5.keytab\fP will be used.
|
|
jpayne@68
|
131 .TP
|
|
jpayne@68
|
132 \fBKRB5_CONFIG\fP
|
|
jpayne@68
|
133 Specifies the location of the Kerberos configuration file. The
|
|
jpayne@68
|
134 default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/krb5.conf\fP\&. Multiple filenames can
|
|
jpayne@68
|
135 be specified, separated by a colon; all files which are present
|
|
jpayne@68
|
136 will be read.
|
|
jpayne@68
|
137 .TP
|
|
jpayne@68
|
138 \fBKRB5_KDC_PROFILE\fP
|
|
jpayne@68
|
139 Specifies the location of the KDC configuration file, which
|
|
jpayne@68
|
140 contains additional configuration directives for the Key
|
|
jpayne@68
|
141 Distribution Center daemon and associated programs. The default
|
|
jpayne@68
|
142 is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&.
|
|
jpayne@68
|
143 .TP
|
|
jpayne@68
|
144 \fBKRB5RCACHENAME\fP
|
|
jpayne@68
|
145 (New in release 1.18) Specifies the location of the default replay
|
|
jpayne@68
|
146 cache, in the form \fItype\fP:\fIresidual\fP\&. The \fBfile2\fP type with a
|
|
jpayne@68
|
147 pathname residual specifies a replay cache file in the version\-2
|
|
jpayne@68
|
148 format in the specified location. The \fBnone\fP type (residual is
|
|
jpayne@68
|
149 ignored) disables the replay cache. The \fBdfl\fP type (residual is
|
|
jpayne@68
|
150 ignored) indicates the default, which uses a file2 replay cache in
|
|
jpayne@68
|
151 a temporary directory. The default is \fBdfl:\fP\&.
|
|
jpayne@68
|
152 .TP
|
|
jpayne@68
|
153 \fBKRB5RCACHETYPE\fP
|
|
jpayne@68
|
154 Specifies the type of the default replay cache, if
|
|
jpayne@68
|
155 \fBKRB5RCACHENAME\fP is unspecified. No residual can be specified,
|
|
jpayne@68
|
156 so \fBnone\fP and \fBdfl\fP are the only useful types.
|
|
jpayne@68
|
157 .TP
|
|
jpayne@68
|
158 \fBKRB5RCACHEDIR\fP
|
|
jpayne@68
|
159 Specifies the directory used by the \fBdfl\fP replay cache type.
|
|
jpayne@68
|
160 The default is the value of the \fBTMPDIR\fP environment variable,
|
|
jpayne@68
|
161 or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
|
|
jpayne@68
|
162 .TP
|
|
jpayne@68
|
163 \fBKRB5_TRACE\fP
|
|
jpayne@68
|
164 Specifies a filename to write trace log output to. Trace logs can
|
|
jpayne@68
|
165 help illuminate decisions made internally by the Kerberos
|
|
jpayne@68
|
166 libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
|
|
jpayne@68
|
167 would send tracing information for kinit(1) to
|
|
jpayne@68
|
168 \fB/dev/stderr\fP\&. The default is not to write trace log output
|
|
jpayne@68
|
169 anywhere.
|
|
jpayne@68
|
170 .TP
|
|
jpayne@68
|
171 \fBKRB5_CLIENT_KTNAME\fP
|
|
jpayne@68
|
172 Default client keytab file name. If unset, \fBFILE:/opt/conda/var/krb5/user/%{euid}/client.keytab\fP will be
|
|
jpayne@68
|
173 used).
|
|
jpayne@68
|
174 .TP
|
|
jpayne@68
|
175 \fBKPROP_PORT\fP
|
|
jpayne@68
|
176 kprop(8) port to use. Defaults to 754.
|
|
jpayne@68
|
177 .TP
|
|
jpayne@68
|
178 \fBGSS_MECH_CONFIG\fP
|
|
jpayne@68
|
179 Specifies a filename containing GSSAPI mechanism module
|
|
jpayne@68
|
180 configuration. The default is to read \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech\fP
|
|
jpayne@68
|
181 and files with a \fB\&.conf\fP suffix within the directory
|
|
jpayne@68
|
182 \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech.d\fP\&.
|
|
jpayne@68
|
183 .UNINDENT
|
|
jpayne@68
|
184 .sp
|
|
jpayne@68
|
185 Most environment variables are disabled for certain programs, such as
|
|
jpayne@68
|
186 login system programs and setuid programs, which are designed to be
|
|
jpayne@68
|
187 secure when run within an untrusted process environment.
|
|
jpayne@68
|
188 .SH SEE ALSO
|
|
jpayne@68
|
189 .sp
|
|
jpayne@68
|
190 kdestroy(1), kinit(1), klist(1),
|
|
jpayne@68
|
191 kswitch(1), kpasswd(1), ksu(1),
|
|
jpayne@68
|
192 krb5.conf(5), kdc.conf(5), kadmin(1),
|
|
jpayne@68
|
193 kadmind(8), kdb5_util(8), krb5kdc(8)
|
|
jpayne@68
|
194 .SH BUGS
|
|
jpayne@68
|
195 .SH AUTHORS
|
|
jpayne@68
|
196 .nf
|
|
jpayne@68
|
197 Steve Miller, MIT Project Athena/Digital Equipment Corporation
|
|
jpayne@68
|
198 Clifford Neuman, MIT Project Athena
|
|
jpayne@68
|
199 Greg Hudson, MIT Kerberos Consortium
|
|
jpayne@68
|
200 Robbie Harwood, Red Hat, Inc.
|
|
jpayne@68
|
201 .fi
|
|
jpayne@68
|
202 .sp
|
|
jpayne@68
|
203 .SH HISTORY
|
|
jpayne@68
|
204 .sp
|
|
jpayne@68
|
205 The MIT Kerberos 5 implementation was developed at MIT, with
|
|
jpayne@68
|
206 contributions from many outside parties. It is currently maintained
|
|
jpayne@68
|
207 by the MIT Kerberos Consortium.
|
|
jpayne@68
|
208 .SH RESTRICTIONS
|
|
jpayne@68
|
209 .sp
|
|
jpayne@68
|
210 Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Masachusetts
|
|
jpayne@68
|
211 Institute of Technology
|
|
jpayne@68
|
212 .SH AUTHOR
|
|
jpayne@68
|
213 MIT
|
|
jpayne@68
|
214 .SH COPYRIGHT
|
|
jpayne@68
|
215 1985-2022, MIT
|
|
jpayne@68
|
216 .\" Generated by docutils manpage writer.
|
|
jpayne@68
|
217 .
|
