jpayne@68: .\" Man page generated from reStructuredText. jpayne@68: . jpayne@68: .TH "KERBEROS" "7" " " "1.20.1" "MIT Kerberos" jpayne@68: .SH NAME jpayne@68: kerberos \- Overview of using Kerberos jpayne@68: . jpayne@68: .nr rst2man-indent-level 0 jpayne@68: . jpayne@68: .de1 rstReportMargin jpayne@68: \\$1 \\n[an-margin] jpayne@68: level \\n[rst2man-indent-level] jpayne@68: level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: - jpayne@68: \\n[rst2man-indent0] jpayne@68: \\n[rst2man-indent1] jpayne@68: \\n[rst2man-indent2] jpayne@68: .. jpayne@68: .de1 INDENT jpayne@68: .\" .rstReportMargin pre: jpayne@68: . RS \\$1 jpayne@68: . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] jpayne@68: . nr rst2man-indent-level +1 jpayne@68: .\" .rstReportMargin post: jpayne@68: .. jpayne@68: .de UNINDENT jpayne@68: . RE jpayne@68: .\" indent \\n[an-margin] jpayne@68: .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .nr rst2man-indent-level -1 jpayne@68: .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .in \\n[rst2man-indent\\n[rst2man-indent-level]]u jpayne@68: .. jpayne@68: .SH DESCRIPTION jpayne@68: .sp jpayne@68: The Kerberos system authenticates individual users in a network jpayne@68: environment. After authenticating yourself to Kerberos, you can use jpayne@68: Kerberos\-enabled programs without having to present passwords or jpayne@68: certificates to those programs. jpayne@68: .sp jpayne@68: If you receive the following response from kinit(1): jpayne@68: .sp jpayne@68: kinit: Client not found in Kerberos database while getting initial jpayne@68: credentials jpayne@68: .sp jpayne@68: you haven\(aqt been registered as a Kerberos user. See your system jpayne@68: administrator. jpayne@68: .sp jpayne@68: A Kerberos name usually contains three parts. The first is the jpayne@68: \fBprimary\fP, which is usually a user\(aqs or service\(aqs name. 
The second jpayne@68: is the \fBinstance\fP, which in the case of a user is usually null. jpayne@68: Some users may have privileged instances, however, such as \fBroot\fP or jpayne@68: \fBadmin\fP\&. In the case of a service, the instance is the fully jpayne@68: qualified name of the machine on which it runs; i.e. there can be an jpayne@68: ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is jpayne@68: different from the ssh service running on the machine XYZ jpayne@68: (\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&. jpayne@68: The realm corresponds to the Kerberos service providing authentication jpayne@68: for the principal. Realms are conventionally all\-uppercase, and often jpayne@68: match the end of hostnames in the realm (for instance, host01.example.com jpayne@68: might be in realm EXAMPLE.COM). jpayne@68: .sp jpayne@68: When writing a Kerberos name, the principal name is separated from the jpayne@68: instance (if not null) by a slash, and the realm (if not the local jpayne@68: realm) follows, preceded by an "@" sign. The following are examples jpayne@68: of valid Kerberos names: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: david jpayne@68: jennifer/admin jpayne@68: joeuser@BLEEP.COM jpayne@68: cbrown/root@FUBAR.ORG jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: When you authenticate yourself with Kerberos you get an initial jpayne@68: Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol jpayne@68: message that provides authentication.) Kerberos uses this ticket for jpayne@68: network utilities such as ssh. The ticket transactions are done jpayne@68: transparently, so you don\(aqt have to worry about their management. jpayne@68: .sp jpayne@68: Note, however, that tickets expire. 
Administrators may configure more jpayne@68: privileged tickets, such as those with service or instance of \fBroot\fP jpayne@68: or \fBadmin\fP, to expire in a few minutes, while tickets that carry jpayne@68: more ordinary privileges may be good for several hours or a day. If jpayne@68: your login session extends beyond the time limit, you will have to jpayne@68: re\-authenticate yourself to Kerberos to get new tickets using the jpayne@68: kinit(1) command. jpayne@68: .sp jpayne@68: Some tickets are \fBrenewable\fP beyond their initial lifetime. This jpayne@68: means that \fBkinit \-R\fP can extend their lifetime without requiring jpayne@68: you to re\-authenticate. jpayne@68: .sp jpayne@68: If you wish to delete your local tickets, use the kdestroy(1) jpayne@68: command. jpayne@68: .sp jpayne@68: Kerberos tickets can be forwarded. In order to forward tickets, you jpayne@68: must request \fBforwardable\fP tickets when you kinit. Once you have jpayne@68: forwardable tickets, most Kerberos programs have a command line option jpayne@68: to forward them to the remote host. This can be useful for, e.g., jpayne@68: running kinit on your local machine and then sshing into another to do jpayne@68: work. Note that this should not be done on untrusted machines since jpayne@68: they will then have your tickets. jpayne@68: .SH ENVIRONMENT VARIABLES jpayne@68: .sp jpayne@68: Several environment variables affect the operation of Kerberos\-enabled jpayne@68: programs. These include: jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: \fBKRB5CCNAME\fP jpayne@68: Default name for the credentials cache file, in the form jpayne@68: \fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine jpayne@68: the availability of a cache collection. \fBFILE\fP is not a jpayne@68: collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are. 
jpayne@68: .sp jpayne@68: If not set, the value of \fBdefault_ccache_name\fP from jpayne@68: configuration files (see \fBKRB5_CONFIG\fP) will be used. If that jpayne@68: is also not set, the default \fItype\fP is \fBFILE\fP, and the jpayne@68: \fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the jpayne@68: decimal user ID of the user. jpayne@68: .TP jpayne@68: \fBKRB5_KTNAME\fP jpayne@68: Specifies the location of the default keytab file, in the form jpayne@68: \fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is jpayne@68: assumed and \fIresidual\fP is the pathname of the keytab file. If jpayne@68: unset, \fBFILE:/etc/krb5.keytab\fP will be used. jpayne@68: .TP jpayne@68: \fBKRB5_CONFIG\fP jpayne@68: Specifies the location of the Kerberos configuration file. The jpayne@68: default is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/krb5.conf\fP\&. Multiple filenames can jpayne@68: be specified, separated by a colon; all files which are present jpayne@68: will be read. jpayne@68: .TP jpayne@68: \fBKRB5_KDC_PROFILE\fP jpayne@68: Specifies the location of the KDC configuration file, which jpayne@68: contains additional configuration directives for the Key jpayne@68: Distribution Center daemon and associated programs. The default jpayne@68: is \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&. jpayne@68: .TP jpayne@68: \fBKRB5RCACHENAME\fP jpayne@68: (New in release 1.18) Specifies the location of the default replay jpayne@68: cache, in the form \fItype\fP:\fIresidual\fP\&. The \fBfile2\fP type with a jpayne@68: pathname residual specifies a replay cache file in the version\-2 jpayne@68: format in the specified location. The \fBnone\fP type (residual is jpayne@68: ignored) disables the replay cache. 
The \fBdfl\fP type (residual is
ignored) indicates the default, which uses a file2 replay cache in
a temporary directory. The default is \fBdfl:\fP\&.
.TP
\fBKRB5RCACHETYPE\fP
Specifies the type of the default replay cache, if
\fBKRB5RCACHENAME\fP is unspecified. No residual can be specified,
so \fBnone\fP and \fBdfl\fP are the only useful types.
.TP
\fBKRB5RCACHEDIR\fP
Specifies the directory used by the \fBdfl\fP replay cache type.
The default is the value of the \fBTMPDIR\fP environment variable,
or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
.TP
\fBKRB5_TRACE\fP
Specifies a filename to write trace log output to. Trace logs can
help illuminate decisions made internally by the Kerberos
libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
would send tracing information for kinit(1) to
\fB/dev/stderr\fP\&. The default is not to write trace log output
anywhere.
.TP
\fBKRB5_CLIENT_KTNAME\fP
Default client keytab file name. If unset, \fBFILE:/opt/conda/var/krb5/user/%{euid}/client.keytab\fP will be
used.
.TP
\fBKPROP_PORT\fP
kprop(8) port to use. Defaults to 754.
.TP
\fBGSS_MECH_CONFIG\fP
Specifies a filename containing GSSAPI mechanism module
configuration. The default is to read \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech\fP
and files with a \fB\&.conf\fP suffix within the directory
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/etc\fP\fB/gss/mech.d\fP\&.
.UNINDENT
.sp
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
.SH SEE ALSO
.sp
kdestroy(1), kinit(1), klist(1),
kswitch(1), kpasswd(1), ksu(1),
krb5.conf(5), kdc.conf(5), kadmin(1),
kadmind(8), kdb5_util(8), krb5kdc(8)
.SH BUGS
.SH AUTHORS
.nf
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
Robbie Harwood, Red Hat, Inc.
.fi
.sp
.SH HISTORY
.sp
The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties. It is currently maintained
by the MIT Kerberos Consortium.
.SH RESTRICTIONS
.sp
Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Massachusetts
Institute of Technology
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.
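The principal-name format described under DESCRIPTION (primary, optional instance, optional realm, with "/" and "@" as separators), as an added Python example that is not part of the MIT Kerberos man page or code base. It goes beyond the page by honouring the backslash escapes for "/", "@" and "\" that MIT krb5's krb5_parse_name accepts, and by rejecting a second unescaped "@"; the names PRIVILEGED_INSTANCES, Principal, parse_principal and is_valid_principal and the local-realm parameter are this example's own.

```python
from dataclasses import dataclass
PRIVILEGED_INSTANCES = frozenset({"root", "admin"})  # instances the man page calls privileged

@dataclass(frozen=True)
class Principal:
    components: tuple  # (primary, instance, ...): always at least the primary
    realm: str

    @property
    def instance(self):  # None for a plain user principal such as "david"
        return self.components[1] if len(self.components) > 1 else None

    def is_privileged(self):
        return self.instance in PRIVILEGED_INSTANCES


def parse_principal(name, local_realm):
    """Split NAME at unescaped '/' (components) and at the first unescaped '@'
    (realm); a name without '@' belongs to LOCAL_REALM, as the man page says."""
    components, buf, in_realm, i = [], [], False, 0
    while i < len(name):
        c = name[i]
        if c == "\\":  # backslash escape as in krb5_parse_name: next char is literal
            if i + 1 == len(name):
                raise ValueError("dangling backslash in principal name")
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and c in "/@":
            components.append("".join(buf))
            buf, in_realm = [], c == "@"
        elif in_realm and c == "@":
            raise ValueError("more than one unescaped '@' in principal name")
        else:
            buf.append(c)
        i += 1
    realm = "".join(buf) if in_realm else local_realm
    if not in_realm:
        components.append("".join(buf))
    if not components[0] or not realm:
        raise ValueError("empty primary component or empty realm")
    return Principal(tuple(components), realm)


def is_valid_principal(name, local_realm="EXAMPLE.COM"):
    try:
        parse_principal(name, local_realm)
        return True
    except ValueError:
        return False
```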