= Kerberos FAQ =
[[PageOutline]]

This page is a collection of various issues regarding the setup and use of Kerberos for OS/2 (and eComStation).
----
== About ==

=== What is Kerberos, anyway? ===

Kerberos is a network authentication protocol. What makes it special is that not only is it highly secure, being built on secret-key cryptography, but it is also widely deployed (it has been around since the 1980s), well documented, and the de facto standard for authenticating to various directory services, including Microsoft's Active Directory.

=== What are the principles behind Kerberos? ===

Kerberos works from the premise that a password should never cross the network to the server. Instead, you know your password, and the Ticket Granting Server knows your password (more precisely, the secret key derived from it). You request a ticket from the Ticket Granting Server by sending your username in plain text. After verifying that the username exists in its database, the server responds with a ticket encrypted with your secret key. If you have the password (you should), you will be able to decrypt the ticket; without it, nobody can. The ticket grants you access to the resources you are allowed to use. In addition, once you have decrypted your ticket, communications between you and the server are encrypted, securing the entire communications channel.

== Installation and configuration ==

=== Unpacking the distribution ===

=== Path considerations ===

=== Configuring the krb5.conf ===

== Usage ==

=== How do I request a ticket? ===

Requesting a ticket is done via the kinit command. Assuming krb5.conf has been configured with your desired KDC information, all that should be required is to issue:

{{{
kinit <username>
}}}

at the command line. You should then be prompted for your password. Note that this password is not sent to the server; it is only used locally to decrypt the ticket received from the server. If the password is incorrect, the ticket cannot be decrypted and authentication fails (no ticket = no authentication).
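As an added illustration of the exchange described in the principles section and of why a wrong password simply yields no ticket, here is a simplified model of the AS exchange behind kinit. This is constructed example code, not part of the original page and not real Kerberos: there are no ASN.1 messages or real encryption types, PBKDF2 stands in for string2key, and the hash-based stream cipher with an HMAC tag is a toy stand-in for the real ciphers.

```python
import hashlib, hmac, json, secrets, time

def string_to_key(password: str, principal: str) -> bytes:
    # Real Kerberos uses string2key salted with the principal name; PBKDF2 stands in here (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy stand-in for a Kerberos encryption type: hash-based stream cipher plus an HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    # Inverse of seal(); fails when the key is wrong because the tag will not verify.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Authentication Server side: stores each principal's long-term key (captured at enrollment)."""
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.keys = {f"{u}@{realm}": string_to_key(pw, f"{u}@{realm}") for u, pw in users.items()}

    def as_request(self, principal: str) -> bytes:
        # The request carries only the principal name; the reply is encrypted under that principal's key.
        if principal not in self.keys:
            raise KeyError(f"unknown principal {principal}")
        tgt = {"client": principal, "service": f"krbtgt/{self.realm}@{self.realm}",
               "session_key": secrets.token_hex(16), "expires": int(time.time()) + 36000}
        return seal(self.keys[principal], json.dumps(tgt).encode())

def kinit(kdc: KDC, username: str, password: str):
    """Client side of 'kinit <username>': the password only ever derives a key locally."""
    principal = f"{username}@{kdc.realm}"
    reply = kdc.as_request(principal)
    try:
        return json.loads(unseal(string_to_key(password, principal), reply))
    except ValueError:
        return None  # wrong password: reply cannot be decrypted, so no ticket = no authentication
```

Note that the KDC never receives the password in kinit(); only the username crosses the (simulated) network, and the reply is useless to anyone who cannot derive the matching key.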

=== How do I view my tickets? ===

The klist utility is used to list your tickets, both valid and expired. For MIT Kerberos, the command is simply:

{{{
klist
}}}

whereas for Heimdal, the syntax is:

{{{
klist list
}}}

This should return a listing of the tickets you currently hold and their status.

=== How do I log out (destroy my ticket)? ===

The kdestroy utility can be used to destroy a specific ticket cache, or all of the tickets you hold, before they expire:

{{{
kdestroy -A
}}}

will destroy all tickets (to limit this to a single credential cache, use the -c command line option and name that ticket cache).