Kerberos has two
purposes: security and authentication. On most computer systems, a
password is used to prove a user's identity; on a distributed network
system, like Athena, this password must be transmitted over the network,
from the workstation being used, to any other machines containing files
or programs the user wants access to. Because this password is the one
secret piece of information that identifies a user, anyone knowing a
user's password can effectively be that user on Athena, reading
their files, sending mail as that user, etc. Please note that THE
ELECTRONIC COMMUNICATION PRIVACY ACT of 1988 does make this a Federal
crime punishable by all kinds of nasty stuff you don't want to be
punished by. No kidding.
Obviously, it is therefore necessary to prevent anyone from intercepting
or eavesdropping on the transmitted password. In addition, it is
necessary to provide a means of authenticating users: any time a
user requests a service, such as mail, they must prove their
identity. This is done with Kerberos, and this is why you get your
mail and no one else's.
A Few Handy Definitions - We have now used two pieces of jargon in
one paragraph, and at this point you will probably want to learn the
meanings of a few terms that will be used in this section.
- user: A person using a computer system. A user, through her
workstation, may make a series of requests to several servers. This
user, we assume, would like to avoid retyping her password every time
she makes such a request.
- service: Very simply, a service is a program or set of programs,
running on a computer which is accessible over the network. A user will
request a service for the workstation which she is using; the service
will want to be sure that the service is really being used by that user.
- principal: A principal is some entity which can prove its own
identity and verify the identity of other principals. Each user
and each service registered with Kerberos is a principal,
since Kerberos provides the authentication services required.
- ticket: Once a user has proved her identity to Kerberos with her
password, Kerberos sends a block of encoded data, called a ticket,
to the user. It is this ticket that is used to prove a user's identity
to a service. Tickets are stored in the /tmp/ directory and are
erased upon logout. Tickets will expire after 10 hours
by default, though they can be set to live longer than that.
- authenticator: When a user tries to use a service, her
workstation sends an block of data called an authenticator, built
from the Kerberos ticket and containing a timestamp and the name
of the workstation, to that service. The service decodes it, verifies
that the user is who she says she is, and then lets that user, at that
workstation, use the service.
This is the basics of how Kerberos works - for the most part,
you'll see none of it, which is a nice feature. For a longer and more
technical explantion, you can look in:
Once registered with Kerberos, tickets are obtained by the login
program every time you log into a workstation. You can also manually
obtain new tickets (which you usually do only if your old ones have
expired, 10 hours after you log in) by running the program renew.
You can also use kinit, which prompts for a username, requests an
initial ticket from Kerberos, and then asks for your password. If
you are not registered with Kerberos, it will print Principal
unknown (Kerberos). Unless you mistype your username, this should not
happen. To correct this, or any other errors, contact a Consultant or
the Athena Accounts Administrator by using olc.