Changes between Initial Version and Version 1 of FAQ


Ignore:
Timestamp:
Jun 29, 2015, 8:07:43 AM (9 years ago)
Author:
Lewis Rosenthal
Comment:

Initial FAQ page - lewisr

Legend:

Unmodified
Added
Removed
Modified
  • FAQ

    v1 v1  
     1= Kerberos FAQ =
     2[[PageOutline]]
     3
     4This page is a collection of various issues regarding the setup and use of Kerberos for OS/2 (and eComStation).
     5----
     6== About ==
     7
     8=== What is Kerberos, anyway? ===
     9
     10Kerberos is an authentication mechanism. What makes Kerberos so special is that not only is it extremely secure using secret-key cryptography, but its use is widespread (it's been around since the 1980's), it is well-documented, and it is the de facto standard for connecting to various directory services, including Microsoft's Active Directory.
     11
     12=== What are the principles behind Kerberos? ===
     13
     14Kerberos mainly works from the premise that a password should never cross the network to the server. Instead, you know your password, and the Ticket Granting Server knows your password. You request a ticket from the Ticket Granting Server by sending your username in plain text. Upon verifying that your username exists in its database, the Server responds with an encrypted ticket, signed with your private key. If you have the password (you should), then you will be able to decrypt the ticket. The ticket grants you access to the resources to which you are allowed. In addition, once you have been able to decrypt your ticket, communications between you and the server are encrypted, securing the entire communications channel.
     15
     16== Installation and configuration ==
     17
     18=== Unpacking the distribution ===
     19
     20=== Path considerations ===
     21
     22=== Configuring the krb5.conf ===
     23
     24== Usage ==
     25
     26=== How do I request a ticket? ===
     27
     28Requesting a ticket is done via the kinit command. Assuming the krb5.conf has been configured with your desired KDC information, all that should be required is to issue:
     29
     30{{{
     31kinit <username>
     32}}}
     33
     34at the command line. You should then be prompted to enter your password. Note that this password is not sent to the server. It is only used to decrypt the ticket when received from the server. If the password is incorrect, the ticket cannot be decrypted, and the authentication fails (no ticket=no authentication).
     35
     36=== How do I view my tickets? ===
     37
     38The klist utility is used to list your tickets, both valid and expired. For MIT Kerberos, the command is simply:
     39
     40{{{
     41klist
     42}}}
     43
     44whereas for Heimdal, the syntax is:
     45
     46{{{
     47klist list
     48}}}
     49
     50This should return a listing of what tickets you currently hold, and their status.
     51
     52=== How do I log out (destroy my ticket)? ===
     53
     54The kdestroy utility can be used to destroy a specific ticket or all of the tickets you hold before its/their expiration:
     55
     56{{{
     57kdestroy -A
     58}}}
     59
     60will destroy all tickets (to select an individual ticket, use the -c command line option and specify the ticket cache).