Suppose that you walk up to a host intending to login to it, and then
rlogin to the machine laughter. Here's what happens:
1. You run the kinit command to get a ticket-granting ticket. This
   command prompts you for your Kerberos password. (On systems running
   the Kerberos V5 login program, this may be done as part of the login
   process, not requiring the user to run a separate program.)

   a. The kinit command sends your request to the Kerberos master
      server machine. The server software looks for your principal
      name's entry in the Kerberos database.

   b. If the entry exists, the server sends back a reply containing a
      ticket-granting ticket. The reply is encrypted with a key derived
      from your password, so only someone who knows the password can
      open it; the password itself never travels over the network. If
      kinit can decrypt the Kerberos reply using the password you
      provide, it stores this ticket in a credentials cache on your
      local machine for later use. The name of the credentials cache
      can be specified in the KRB5CCNAME environment variable. If this
      variable is not set, the name of the file will be
      /tmp/krb5cc_<uid>, where <uid> is your UNIX user-id, represented
      in decimal format. kinit creates that file readable only by your
      UNIX user; anyone who can read it can use your tickets until they
      expire, so treat it like a password.
2. You use the rlogin client to access the machine laughter:

      host% rlogin laughter

   a. The rlogin client checks your ticket file to see if you have a
      ticket for the host service on laughter. You don't, so rlogin
      uses the credential cache's ticket-granting ticket to make a
      request to the master server's ticket-granting service.

   b. The ticket-granting service takes the name of the service you
      asked for, host/laughter.mit.edu, and looks in the master
      database for an entry for host/laughter.mit.edu. If the entry
      exists, the ticket-granting service issues you a ticket for that
      service. That ticket is also cached in your credentials cache.

   c. The rlogin client now sends that ticket to the klogind service
      program on laughter. The service program checks the ticket by
      using its own service key (the host/laughter.mit.edu key stored
      in laughter's keytab); it does not need to contact the master
      server again. If the ticket is valid, it now knows your identity.
      If you are allowed to login to laughter (because your username
      matches one in /etc/passwd, or your Kerberos principal is listed
      in the appropriate .k5login file in the target account's home
      directory), klogind will let you login.
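The two exchanges above traced end to end, as an added example written for
this page (it is not code from the Kerberos distribution). The realm
ATHENA.MIT.EDU, the user principal jennifer, the password and every key are
constructed for the example, and encrypt()/decrypt() are a toy keystream-plus-HMAC
stand-in for Kerberos encryption, not the real thing. It goes one step beyond
the text: each ticket is sent together with an authenticator (a timestamp
sealed under the ticket's session key), which is what lets klogind tell a live
client that holds the session key from someone replaying a ticket copied out of
a credentials cache file.

```python
# Added model (not code from the Kerberos documentation) of the exchange above:
# kinit's request to the master server, rlogin asking the ticket-granting
# service for a host/laughter.mit.edu ticket, and klogind checking that ticket
# with its own key. Realm, principals, password and keys are constructed;
# encrypt()/decrypt() are a toy keystream+HMAC stand-in for Kerberos encryption.
import hashlib, hmac, json, secrets, time

REALM, LIFETIME, SKEW = "ATHENA.MIT.EDU", 10 * 3600, 300  # assumed realm; seconds

def string_to_key(password, principal):  # both kinit and the KDC derive this
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key, obj):  # toy authenticated encryption of a dict under a 32-byte key
    nonce, data = secrets.token_bytes(16), json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def decrypt(key, blob):  # raises ValueError on a wrong key or altered data
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def _valid(ticket, auth):  # unexpired ticket plus a fresh authenticator naming its client
    return (ticket["expires"] > time.time() and auth["client"] == ticket["client"]
            and abs(auth["time"] - time.time()) <= SKEW)

class KDC:
    """Master server: holds every principal's key; issues TGTs and service tickets."""
    def __init__(self, database):
        self.db, self.tgs_key = database, database[f"krbtgt/{REALM}@{REALM}"]

    def as_exchange(self, client):
        """Step 1a/1b: the reply opens only with the client's password-derived key."""
        if client not in self.db:
            raise LookupError(f"{client} not in Kerberos database")
        session = secrets.token_bytes(32).hex()
        tgt = encrypt(self.tgs_key, {"client": client, "key": session,
                                     "expires": time.time() + LIFETIME})
        return encrypt(self.db[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator, service):
        """Step 2b: check the TGT, then issue a ticket sealed with the service's key."""
        tgt = decrypt(self.tgs_key, bytes.fromhex(tgt_hex))
        tgt_key = bytes.fromhex(tgt["key"])
        if not _valid(tgt, decrypt(tgt_key, authenticator)):
            raise ValueError("ticket-granting ticket rejected")
        if service not in self.db:
            raise LookupError(f"{service} not in Kerberos database")
        session = secrets.token_bytes(32).hex()
        ticket = encrypt(self.db[service], {"client": tgt["client"], "key": session,
                                            "expires": time.time() + LIFETIME})
        return encrypt(tgt_key, {"ticket": ticket.hex(), "key": session})

def kinit(kdc, client, password, ccache):
    """Step 1: fill the credentials cache; False means the password did not open the reply."""
    try:
        reply = decrypt(string_to_key(password, client), kdc.as_exchange(client))
    except ValueError:
        return False
    ccache.clear()
    ccache.update(client=client, tgt=reply["tgt"], tgt_key=reply["key"], tickets={})
    return True

def rlogin(kdc, ccache, host):
    """Step 2a: reuse a cached host ticket or fetch one with the TGT; returns what goes to klogind."""
    service = f"host/{host}@{REALM}"
    if service not in ccache["tickets"]:  # no ticket yet: ask the ticket-granting service
        tgt_key = bytes.fromhex(ccache["tgt_key"])
        auth = encrypt(tgt_key, {"client": ccache["client"], "time": time.time()})
        ccache["tickets"][service] = decrypt(tgt_key, kdc.tgs_exchange(ccache["tgt"], auth, service))
    cached = ccache["tickets"][service]
    auth = encrypt(bytes.fromhex(cached["key"]), {"client": ccache["client"], "time": time.time()})
    return bytes.fromhex(cached["ticket"]), auth

def klogind(service_key, ticket_blob, authenticator, k5login):
    """Step 2c: verify with our own key (no KDC round trip), then authorize against .k5login."""
    try:
        ticket = decrypt(service_key, ticket_blob)
        auth = decrypt(bytes.fromhex(ticket["key"]), authenticator)
    except ValueError:
        return None
    return ticket["client"] if _valid(ticket, auth) and ticket["client"] in k5login else None

# Constructed sample database: one user, the ticket-granting service, one host.
USER, HOST_SERVICE = f"jennifer@{REALM}", f"host/laughter.mit.edu@{REALM}"
DATABASE = {USER: string_to_key("correct horse", USER),
            f"krbtgt/{REALM}@{REALM}": secrets.token_bytes(32),
            HOST_SERVICE: secrets.token_bytes(32)}

if __name__ == "__main__":
    kdc, cache = KDC(DATABASE), {}
    print("kinit:", kinit(kdc, USER, "correct horse", cache))
    ticket, auth = rlogin(kdc, cache, "laughter.mit.edu")
    print("klogind accepts:", klogind(DATABASE[HOST_SERVICE], ticket, auth, {USER}))
```

Run as-is and klogind reports the principal it accepted. Change the password in
the kinit call and kinit returns False, having never sent the password anywhere.
Hand klogind any key other than the host/laughter.mit.edu key and it rejects the
ticket, which is the point of step 2c: the host validates with its own service
key instead of asking the master server. A second rlogin to the same host finds
the ticket already in the cache and makes no further request to the
ticket-granting service.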