2.8 Definitions
Following are definitions of some of the Kerberos terminology.
- client: an entity that can obtain a ticket. This entity is usually either a user or a host.
- host: a computer that can be accessed over a network.
- Kerberos: in Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.
- KDC: Key Distribution Center. A machine that issues Kerberos tickets.
- keytab: a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.
- principal: a string that names a specific entity to which a set of credentials may be assigned. It can have an arbitrary number of components, but generally has three:
  - primary: the first part of a Kerberos principal. In the case of a user, it is the username. In the case of a service, it is the name of the service.
  - instance: the second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified hostname.
  - realm: the logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the internet domain. The typical format of a Kerberos principal is primary/instance@REALM.
- service: any program or computer you access over a network. Examples of services include “host” (a host, e.g., when you use telnet and rsh), “ftp” (FTP), “krbtgt” (authentication; cf. ticket-granting ticket), and “pop” (email).
- ticket: a temporary set of electronic credentials that verify the identity of a client for a particular service.
- TGT: Ticket-Granting Ticket. A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos realm.
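To make the principal definition above concrete, here is an added example (not part of the original glossary or of MIT Kerberos) that parses and re-serialises the primary/instance@REALM form, handling a null instance, extra components and a default realm; the backslash escaping of "/", "@" and "\" is assumed from the MIT krb5 convention and is not described in the glossary.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SPECIAL = "/@\\"  # must be backslash-escaped inside a component or realm (assumption)

@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # (primary, instance, ...) as the glossary describes
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # the instance "may be null": a bare "alice@REALM" has none
        return self.components[1] if len(self.components) > 1 else None

    def __str__(self) -> str:
        esc = lambda s: "".join("\\" + c if c in SPECIAL else c for c in s)
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)

def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Parse 'primary/instance@REALM'. Backslash escaping of '/', '@' and '\\'
    is an assumption (MIT krb5 convention), not something the glossary states."""
    components, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":        # component separator
            components.append("".join(buf)); buf = []
        elif not in_realm and ch == "@":      # the rest of the string is the realm
            components.append("".join(buf)); buf = []; in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:                                     # no '@': fall back to the default realm
        components.append("".join(buf))
        realm = default_realm
    if not realm:
        raise ValueError("principal has no realm and no default realm was given")
    if not components[0]:
        raise ValueError("principal has an empty primary")
    return Principal(tuple(components), realm)
```

Matching a ticket or keytab entry against a principal should compare the parsed components and realm, not the raw string, so that escaped and unescaped spellings of the same name are treated alike.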