The User/Kerberos Interaction
Suppose that you walk up to a host intending to log in to it, and then
rlogin to the machine laughter. Here's what happens:

1. You log in to the workstation and use the kinit command to get a
   ticket-granting ticket. This command prompts you for your Kerberos
   password. (On systems running the Kerberos V5 login program, this
   may be done as part of the login process, not requiring the user to
   run a separate program.)

   a. The kinit command sends your request to the Kerberos master
      server machine. The server software looks for your principal
      name's entry in the Kerberos database.

   b. If this entry exists, the Kerberos server creates and returns a
      ticket-granting ticket and the key which allows you to use it,
      encrypted with your password. If kinit can decrypt the Kerberos
      reply using the password you provide, it stores this ticket in a
      credentials cache on your local machine for later use. The name
      of the credentials cache can be specified in the KRB5CCNAME
      environment variable. If this variable is not set, the name of
      the file will be /tmp/krb5cc_<uid>, where <uid> is your UNIX
      user-id, represented in decimal format.

2. You use the rlogin client to access the machine laughter.

      host% rlogin laughter

   a. The rlogin client checks your ticket file to see if you have a
      ticket for the host service for laughter. You don't, so rlogin
      uses the credential cache's ticket-granting ticket to make a
      request to the master server's ticket-granting service.

   b. The ticket-granting service receives the request for a ticket for
      host/laughter.mit.edu, and looks in the master database for an
      entry for host/laughter.mit.edu. If the entry exists, the
      ticket-granting service issues you a ticket for that service.
      That ticket is also cached in your credentials cache.

   c. The rlogin client now sends that ticket to the laughter klogind
      service program. The service program checks the ticket by using
      its own service key. If the ticket is valid, it now knows your
      identity. If you are allowed to log in to laughter (because your
      username matches one in /etc/passwd, or your Kerberos principal
      is in the appropriate .k5login file), klogind will let you log
      in.
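As an added illustration, not part of the original document or of the Kerberos code base, here is a small Python model of the three exchanges just described: kinit's request to the master server, rlogin's request to the ticket-granting service, and klogind's check of the service ticket with its own key. The realm, principal names, password, master database and the hash-based "encryption" are all constructed stand-ins; authenticators, timestamps and the real Kerberos message encodings are omitted.

```python
import hashlib, hmac, json, secrets
REALM = "ATHENA.MIT.EDU"                    # assumed realm; all names and keys here are constructed
TGS, HOST = f"krbtgt/{REALM}@{REALM}", f"host/laughter.mit.edu@{REALM}"
def _ks(key, nonce, n):                     # hash-counter keystream for the toy cipher below
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption (encrypt-then-MAC), standing in for Kerberos encryption."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Raises ValueError if the key is wrong (e.g. a mistyped password) or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def user_key(password):                     # long-term key derived from the password (stand-in KDF)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 1000)
KDB = {f"alice@{REALM}": user_key("correct horse"),      # constructed master database
       TGS: secrets.token_bytes(32), HOST: secrets.token_bytes(32)}

def kdc_as(client):
    """Step 1: TGT sealed under the krbtgt key, session key sealed under the user's key."""
    sk = secrets.token_bytes(32).hex()
    return seal(KDB[TGS], {"client": client, "sk": sk}), seal(KDB[client], {"sk": sk})

def kinit(client, password, ccache):
    tgt, reply = kdc_as(client)             # the password itself never leaves the workstation
    ccache[TGS] = (tgt, bytes.fromhex(unseal(user_key(password), reply)["sk"]))

def kdc_tgs(tgt, service):
    """Step 2b: the KDC reads the TGT with its own key, then issues a ticket for the service."""
    who = unseal(KDB[TGS], tgt)
    svc_key = KDB[service]                  # KeyError: no database entry for that service
    sk = secrets.token_bytes(32).hex()
    return seal(svc_key, {"client": who["client"], "sk": sk}), seal(bytes.fromhex(who["sk"]), {"sk": sk})

def rlogin(ccache, service):
    if service not in ccache:               # step 2a: no service ticket cached, so ask the TGS
        tgt, tgt_sk = ccache[TGS]
        ticket, reply = kdc_tgs(tgt, service)
        ccache[service] = (ticket, bytes.fromhex(unseal(tgt_sk, reply)["sk"]))
    return ccache[service][0]

def klogind(ticket, k5login):               # step 2c: check with the host's own key, then .k5login
    who = unseal(KDB[HOST], ticket)["client"]
    return who if who in k5login else None
```

Running kinit with a mistyped password, or presenting klogind a ticket sealed under anything but the host's key, fails at unseal rather than producing a usable credential, which is the property the text's "checks the ticket by using its own service key" relies on.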