Node:Definitions, Previous:The User/Kerberos Interaction, Up:How Kerberos Works


Following are definitions of some of the Kerberos terminology.

an entity that can obtain a ticket. This entity is usually either a user or a host.
a computer that can be accessed over a network.
in Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.
Key Distribution Center. A machine that issues Kerberos tickets.
a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.
a string that names a specific entity to which a set of credentials may be assigned. It can have an arbitrary number of components, but generally has three:
the first part of a Kerberos principal. In the case of a user, it is the username. In the case of a service, it is the name of the service.
the second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified hostname.
the logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the internet domain.

The typical format of a typical Kerberos principal is primary/instance@REALM.

any program or computer you access over a network. Examples of services include "host" (a host, e.g., when you use telnet and rsh), "ftp" (FTP), "krbtgt" (authentication; cf. ticket-granting ticket), and "pop" (email).
a temporary set of electronic credentials that verify the identity of a client for a particular service.
Ticket-Granting Ticket. A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm.