2.7 The User/Kerberos Interaction
Suppose that you walk up to a host intending to login to it, and then
rlogin to the machine laughter. Here's what happens:
- You login to the workstation and use the kinit command to get a
ticket-granting ticket. This command prompts you for your Kerberos
password. (On systems running the Kerberos V5 login program,
this may be done as part of the login process, not requiring the user to
run a separate program.)
- The kinit command sends your request to the Kerberos master
server machine. The server software looks for your principal name's
entry in the Kerberos database.
- If this entry exists, the Kerberos server creates and returns a
ticket-granting ticket and the key which allows you to use it, encrypted
by your password. If kinit can decrypt the Kerberos reply using
the password you provide, it stores this ticket in a credentials cache
on your local machine for later use. The name of the credentials cache
can be specified in the KRB5CCNAME environment variable. If this
variable is not set, the name of the file will be
/tmp/krb5cc_<uid>, where <uid> is your UNIX user-id, represented
in decimal format.
- Now you use the rlogin client to access the machine
host% rlogin laughter
- The rlogin client checks your ticket file to see if you have a
ticket for the host service for laughter. You don't, so
rlogin uses the credential cache's ticket-granting ticket to make
a request to the master server's ticket-granting service.
- This ticket-granting service receives the request for a ticket for
host/laughter.mit.edu, and looks in the master
database for an entry for host/laughter.mit.edu.
If the entry exists, the ticket-granting service issues you a ticket for
that service. That ticket is also cached in your credentials cache.
- The rlogin client now sends that ticket to the laughter
klogind service program. The service program checks the ticket
by using its own service key. If the ticket is valid, it now knows your
identity. If you are allowed to login to laughter (because your
username matches one in /etc/passwd, or your Kerberos principal is in
the appropriate .k5login file),
klogind will let you