


2.7 The User/Kerberos Interaction

Suppose that you walk up to a host intending to log in to it, and then rlogin to the machine laughter. Here's what happens:

  1. You log in to the workstation and use the kinit command to get a ticket-granting ticket. This command prompts you for your Kerberos password. (On systems running the Kerberos V5 login program, this may be done as part of the login process, not requiring the user to run a separate program.)
    1. The kinit command sends your request to the Kerberos master server machine. The server software looks for your principal name's entry in the Kerberos database.
    2. If this entry exists, the Kerberos server creates and returns a ticket-granting ticket together with the session key that lets you use it. The ticket itself is encrypted in the ticket-granting service's own key, so your workstation never sees its contents; the session key is encrypted in a key derived from your password. If kinit can decrypt that part of the reply using the password you typed, it stores the ticket and session key in a credentials cache on your local machine for later use; if it cannot, it reports that the password is incorrect (the server never saw your password, only whether you could open its reply). The name of the credentials cache can be specified in the KRB5CCNAME environment variable. If this variable is not set, the name of the file will be /tmp/krb5cc_<uid>, where <uid> is your UNIX user-id, represented in decimal format.
  2. Now you use the rlogin client to access the machine laughter.
              host% rlogin laughter
         
    1. The rlogin client checks your credentials cache to see if you already have a ticket for the host service on laughter. You don't, so rlogin uses the cached ticket-granting ticket to make a request to the master server's ticket-granting service.
    2. The ticket-granting service receives the request for a ticket for host/laughter.mit.edu and looks in the master database for an entry for host/laughter.mit.edu. If the entry exists, the ticket-granting service issues you a ticket for that service, encrypted in that service's own key, along with a new session key encrypted in the session key from your ticket-granting ticket. The new ticket is also stored in your credentials cache, so a second rlogin to laughter needs no further trip to the master server while the ticket is valid.
    3. The rlogin client now sends that ticket, together with an authenticator encrypted in the new session key, to the klogind service program on laughter. klogind decrypts the ticket with its own service key (the one in its keytab); because only the master server and klogind hold that key, a ticket that decrypts correctly establishes your identity. Authentication and authorization are separate steps: if you are allowed to log in to laughter (because your principal corresponds to the local account you are logging in as, or your Kerberos principal is listed in that account's .k5login file), klogind lets you log in.