comparison CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man7/kerberos.7 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
67:0e9998148a16 68:5028fdace37b
.\" Man page generated from reStructuredText.
.
.TH "KERBEROS" "7" " " "1.20.1" "MIT Kerberos"
.SH NAME
kerberos \- Overview of using Kerberos
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The Kerberos system authenticates individual users in a network
environment. After authenticating yourself to Kerberos, you can use
Kerberos\-enabled programs without having to present passwords or
certificates to those programs.
.sp
If you receive the following response from kinit(1):
.sp
kinit: Client not found in Kerberos database while getting initial
credentials
.sp
you haven\(aqt been registered as a Kerberos user. See your system
administrator.
.sp
A Kerberos name usually contains three parts. The first is the
\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second
is the \fBinstance\fP, which in the case of a user is usually null.
Some users may have privileged instances, however, such as \fBroot\fP or
\fBadmin\fP\&. In the case of a service, the instance is the fully
qualified name of the machine on which it runs; i.e. there can be an
ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is
different from the ssh service running on the machine XYZ
(\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&.
The realm corresponds to the Kerberos service providing authentication
for the principal. Realms are conventionally all\-uppercase, and often
match the end of hostnames in the realm (for instance, host01.example.com
might be in realm EXAMPLE.COM).
.sp
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an "@" sign. The following are examples
of valid Kerberos names:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
david
jennifer/admin
joeuser@BLEEP.COM
cbrown/root@FUBAR.ORG
.ft P
.fi
.UNINDENT
.UNINDENT
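The naming rules above (primary, optional instance separated by a slash, optional realm after "@", privileged instances such as root and admin, realm conventionally the upper-cased domain of the host) as a small parser. This is an added example written for this page, not code from MIT Kerberos; the Principal class, parse_principal(), is_valid_principal() and conventional_realm() are names chosen here. It goes slightly beyond the page in honouring the backslash escapes that MIT krb5's krb5_parse_name() accepts (\/, \@, \\), so a component can itself contain a slash or an at sign; the sample names are the ones the page lists.

```python
"""Parse and re-assemble Kerberos principal names: primary[/instance][@REALM].

Added example for this man page; it is not MIT Kerberos code.  It applies the
naming rules described above and, going a little beyond the page, honours the
backslash escapes that MIT krb5's krb5_parse_name() accepts ('\\/', '\\@',
'\\\\'), so a component may itself contain '/' or '@'.  The Principal class and
the function names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PRIVILEGED_INSTANCES = ("root", "admin")     # the instances the page calls privileged


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # primary first, then the instance component(s)
    realm: Optional[str]          # None means "the local realm" (no '@' given)

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        """The instance, or None when it is null (the usual case for users)."""
        return "/".join(self.components[1:]) if len(self.components) > 1 else None

    @property
    def privileged(self) -> bool:
        return self.instance in PRIVILEGED_INSTANCES

    def __str__(self) -> str:
        """Re-escape special characters so str(parse_principal(s)) round-trips."""
        def esc(s: str) -> str:
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        text = "/".join(esc(c) for c in self.components)
        return text if self.realm is None else f"{text}@{esc(self.realm)}"


def parse_principal(name: str) -> Principal:
    """Split name into components and realm, honouring backslash escapes."""
    components, buf, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])          # escaped character is taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and ch == "@":
            raise ValueError(f"unescaped '@' inside realm: {name!r}")
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        realm = "".join(buf)
        if not realm:
            raise ValueError(f"empty realm after '@': {name!r}")
    else:
        realm = None
        components.append("".join(buf))
    if not components[0]:
        raise ValueError(f"empty primary: {name!r}")
    return Principal(tuple(components), realm)


def is_valid_principal(name: str) -> bool:
    try:
        parse_principal(name)
        return True
    except ValueError:
        return False


def conventional_realm(hostname: str) -> str:
    """The convention the page gives: the realm is the host's domain, upper-cased.
    This is a naming convention only, not a [domain_realm] or DNS lookup."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"no domain part in {hostname!r}")
    return ".".join(labels[1:]).upper()


if __name__ == "__main__":
    for name in ("david", "jennifer/admin", "joeuser@BLEEP.COM",
                 "cbrown/root@FUBAR.ORG", "ssh/host01.example.com@EXAMPLE.COM"):
        p = parse_principal(name)
        print(f"{name:40} primary={p.primary} instance={p.instance} "
              f"realm={p.realm} privileged={p.privileged}")
    print("service principal for host01.example.com:",
          Principal(("ssh", "host01.example.com"), conventional_realm("host01.example.com")))
```

A realm of None is kept distinct from an explicit realm so that a caller can apply the local default realm itself; the parser rejects an empty primary, an empty realm after "@" and a second unescaped "@", which are the malformed cases most often seen in hand-written configuration.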
.sp
When you authenticate yourself with Kerberos you get an initial
Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol
message that provides authentication.) Kerberos uses this ticket for
network utilities such as ssh. The ticket transactions are done
transparently, so you don\(aqt have to worry about their management.
.sp
Note, however, that tickets expire. Administrators may configure more
privileged tickets, such as those with service or instance of \fBroot\fP
or \fBadmin\fP, to expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day. If
your login session extends beyond the time limit, you will have to
re\-authenticate yourself to Kerberos to get new tickets using the
kinit(1) command.
.sp
Some tickets are \fBrenewable\fP beyond their initial lifetime. This
means that \fBkinit \-R\fP can extend their lifetime without requiring
you to re\-authenticate.
.sp
If you wish to delete your local tickets, use the kdestroy(1)
command.
.sp
Kerberos tickets can be forwarded. In order to forward tickets, you
must request \fBforwardable\fP tickets when you kinit. Once you have
forwardable tickets, most Kerberos programs have a command line option
to forward them to the remote host. This can be useful for, e.g.,
running kinit on your local machine and then sshing into another to do
work. Note that this should not be done on untrusted machines since
they will then have your tickets.
.SH ENVIRONMENT VARIABLES
.sp
Several environment variables affect the operation of Kerberos\-enabled
programs. These include:
.INDENT 0.0
.TP
\fBKRB5CCNAME\fP
Default name for the credentials cache file, in the form
\fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine
the availability of a cache collection. \fBFILE\fP is not a
collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are.
.sp
If not set, the value of \fBdefault_ccache_name\fP from
configuration files (see \fBKRB5_CONFIG\fP) will be used. If that
is also not set, the default \fItype\fP is \fBFILE\fP, and the
\fIresidual\fP is the path /tmp/krb5cc_\fIuid\fP, where \fIuid\fP is the
decimal user ID of the user.
.TP
\fBKRB5_KTNAME\fP
Specifies the location of the default keytab file, in the form
\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is
assumed and \fIresidual\fP is the pathname of the keytab file. If
unset, \fBFILE:/etc/krb5.keytab\fP will be used.
.TP
\fBKRB5_CONFIG\fP
Specifies the location of the Kerberos configuration file. The
default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/krb5.conf\fP\&. Multiple filenames can
be specified, separated by a colon; all files which are present
will be read.
.TP
\fBKRB5_KDC_PROFILE\fP
Specifies the location of the KDC configuration file, which
contains additional configuration directives for the Key
Distribution Center daemon and associated programs. The default
is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&.
.TP
\fBKRB5RCACHENAME\fP
(New in release 1.18) Specifies the location of the default replay
cache, in the form \fItype\fP:\fIresidual\fP\&. The \fBfile2\fP type with a
pathname residual specifies a replay cache file in the version\-2
format in the specified location. The \fBnone\fP type (residual is
ignored) disables the replay cache. The \fBdfl\fP type (residual is
ignored) indicates the default, which uses a file2 replay cache in
a temporary directory. The default is \fBdfl:\fP\&.
.TP
\fBKRB5RCACHETYPE\fP
Specifies the type of the default replay cache, if
\fBKRB5RCACHENAME\fP is unspecified. No residual can be specified,
so \fBnone\fP and \fBdfl\fP are the only useful types.
.TP
\fBKRB5RCACHEDIR\fP
Specifies the directory used by the \fBdfl\fP replay cache type.
The default is the value of the \fBTMPDIR\fP environment variable,
or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
.TP
\fBKRB5_TRACE\fP
Specifies a filename to write trace log output to. Trace logs can
help illuminate decisions made internally by the Kerberos
libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
would send tracing information for kinit(1) to
\fB/dev/stderr\fP\&. The default is not to write trace log output
anywhere.
.TP
\fBKRB5_CLIENT_KTNAME\fP
Default client keytab file name. If unset, \fBFILE:/opt/conda/var/krb5/user/%{euid}/client.keytab\fP will be
used.
.TP
\fBKPROP_PORT\fP
kprop(8) port to use. Defaults to 754.
.TP
\fBGSS_MECH_CONFIG\fP
Specifies a filename containing GSSAPI mechanism module
configuration. The default is to read \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech\fP
and files with a \fB\&.conf\fP suffix within the directory
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech.d\fP\&.
.UNINDENT
.sp
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
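The lookup order and defaults listed above, together with the closing note that login and setuid programs ignore the environment, as a resolver that a practitioner can run against a constructed environment to see which cache, keytab and replay cache a program would end up using. This is an added example, not MIT krb5 code; the Resolved class, the resolve_*() and rcache_dir() functions, and the secure and conf_default parameters are names chosen here. The build-specific client keytab default is the one this man page reports; only the %{uid} and %{euid} tokens are expanded, which is a subset of what MIT krb5 understands.

```python
"""Resolve credential cache, keytab and replay cache names from the
environment, applying the lookup order and defaults the section above describes.

Added example for this man page; it is not MIT krb5 code.  It models what the
page states: TYPE:residual names, the KRB5CCNAME -> default_ccache_name ->
FILE:/tmp/krb5cc_<uid> chain, the FILE default for keytabs, the replay-cache
variables, and the rule that login and setuid programs ignore the environment
(the 'secure' flag here).  The Resolved class, the resolve_*() names and the
'secure'/'conf_default' parameters are this example's own.  Only the %{uid}
and %{euid} tokens are expanded; MIT krb5 understands more.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

COLLECTION_TYPES = {"KEYRING", "DIR", "KCM"}      # FILE is not a collection type


@dataclass(frozen=True)
class Resolved:
    type: str
    residual: str
    source: str                                    # "env", "krb5.conf" or "default"

    @property
    def is_collection(self) -> bool:
        return self.type.upper() in COLLECTION_TYPES

    def __str__(self) -> str:
        return f"{self.type}:{self.residual}"


def split_name(value: str, default_type: str) -> Tuple[str, str]:
    """Split 'TYPE:residual'; a bare value without a type gets default_type."""
    if ":" in value:
        type_, _, residual = value.partition(":")
        return type_, residual
    return default_type, value


def expand(value: str, uid: int, euid: int) -> str:
    """Expand %{uid} and %{euid} in configured defaults (env values are taken as-is)."""
    return value.replace("%{uid}", str(uid)).replace("%{euid}", str(euid))


def getenv(env: Mapping[str, str], name: str, secure: bool) -> Optional[str]:
    """Environment lookup that yields nothing in secure (setuid/login) mode."""
    return None if secure else env.get(name)


def resolve_ccache(env: Mapping[str, str], uid: int, conf_default: Optional[str] = None,
                   secure: bool = False) -> Resolved:
    """KRB5CCNAME, else krb5.conf default_ccache_name, else FILE:/tmp/krb5cc_<uid>.
    The effective uid is taken to equal uid here."""
    val = getenv(env, "KRB5CCNAME", secure)
    if val is not None:
        return Resolved(*split_name(val, "FILE"), "env")
    if conf_default:
        return Resolved(*split_name(expand(conf_default, uid, uid), "FILE"), "krb5.conf")
    return Resolved("FILE", f"/tmp/krb5cc_{uid}", "default")


def resolve_keytab(env: Mapping[str, str], secure: bool = False) -> Resolved:
    """KRB5_KTNAME (FILE assumed when no type is given), else FILE:/etc/krb5.keytab."""
    val = getenv(env, "KRB5_KTNAME", secure)
    if val is None:
        return Resolved("FILE", "/etc/krb5.keytab", "default")
    return Resolved(*split_name(val, "FILE"), "env")


def resolve_client_keytab(env: Mapping[str, str], euid: int, secure: bool = False,
                          built_default: str = "FILE:/opt/conda/var/krb5/user/%{euid}/client.keytab"
                          ) -> Resolved:
    """KRB5_CLIENT_KTNAME, else the build's default (the path this man page reports)."""
    val = getenv(env, "KRB5_CLIENT_KTNAME", secure)
    if val is None:
        return Resolved(*split_name(expand(built_default, euid, euid), "FILE"), "default")
    return Resolved(*split_name(val, "FILE"), "env")


def resolve_rcache(env: Mapping[str, str], secure: bool = False) -> Resolved:
    """KRB5RCACHENAME wins; KRB5RCACHETYPE supplies a type only; else dfl:."""
    name = getenv(env, "KRB5RCACHENAME", secure)
    if name is not None:
        type_, _, residual = name.partition(":")
        return Resolved(type_, residual, "env")
    type_ = getenv(env, "KRB5RCACHETYPE", secure)
    if type_ is not None:
        return Resolved(type_, "", "env")          # none and dfl are the useful types
    return Resolved("dfl", "", "default")


def rcache_dir(env: Mapping[str, str], secure: bool = False) -> str:
    """Directory used by the dfl type: KRB5RCACHEDIR, then TMPDIR, then /var/tmp."""
    for var in ("KRB5RCACHEDIR", "TMPDIR"):
        val = getenv(env, var, secure)
        if val:
            return val
    return "/var/tmp"


if __name__ == "__main__":
    # Constructed environment for demonstration; nothing is read from the real one.
    env = {"KRB5CCNAME": "KEYRING:persistent:1000", "TMPDIR": "/tmp/demo"}
    for secure in (False, True):
        cc = resolve_ccache(env, 1000, conf_default="DIR:/run/user/%{uid}/krb5cc", secure=secure)
        print(f"secure={secure}: ccache={cc} ({cc.source}, collection={cc.is_collection}) "
              f"keytab={resolve_keytab(env, secure)} rcache={resolve_rcache(env, secure)} "
              f"in {rcache_dir(env, secure)}")
```

Running the demonstration with secure=True shows the point of the page's last paragraph: the same process environment yields the krb5.conf or built-in defaults instead, which is why an attacker-controlled KRB5CCNAME or KRB5_KTNAME in the environment of a setuid program does not redirect its credentials.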
.SH SEE ALSO
.sp
kdestroy(1), kinit(1), klist(1),
kswitch(1), kpasswd(1), ksu(1),
krb5.conf(5), kdc.conf(5), kadmin(1),
kadmind(8), kdb5_util(8), krb5kdc(8)
.SH BUGS
.SH AUTHORS
.nf
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
Robbie Harwood, Red Hat, Inc.
.fi
.sp
.SH HISTORY
.sp
The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties. It is currently maintained
by the MIT Kerberos Consortium.
.SH RESTRICTIONS
.sp
Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Massachusetts
Institute of Technology
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.