
Kerberos commands

The commands you need to know in order to log in to PDC's computers.

Kerberos

What is Kerberos?

Kerberos is a protocol and a set of tools that provide strong user authentication and access control. In this respect it has several similarities to the more widespread SSH protocol and tools.

Differences between SSH and Kerberos are:

  • No local identity files: Kerberos authorization needs no local identity files.
  • Expiring tickets: unlike SSH, any authorization acquired using Kerberos has a limited lifetime. The risk from loss of authorization information to a third party is thus limited to that time span.
  • Authorization revocation: SSH has an authorization mode based on registering authorization keys at a host. A user who can match the registered public key with its private counterpart is granted access. If the private key is lost, every system where the public key is registered as having access must be reached and that particular key disabled. With Kerberos the revocation only needs to be made at the Kerberos server.

Differences between Kerberos4 and Kerberos (Kerberos5)

For users accustomed to Kerberos4, some important differences are listed here.

  • The command kinit is preferred over the previous kauth. For backwards compatibility a kauth command is included with similar behaviour as the Kerberos4 command.
  • The expiration time is by default in seconds in Kerberos5 while it is minutes in Kerberos4. Thus kauth/kinit -l 15 will get the user a ticket valid for 15 seconds and not 15 minutes.
  • You may use varying units when stating life-time of your ticket. Some valid examples are
    • kinit -l 10h
    • kinit -l 10d
    • kinit -l 1month
    • kinit -l 1y
  • The syntax of the principal is slightly different. In Kerberos5 there is a "/" between the service name and the service host, some services have had their names changed as well:
    • Kerberos5:
      host/nf01n01.pdc.kth.se@NADA.KTH.SE
    • Kerberos4:
      rcmd.nf01n01@NADA.KTH.SE
  • An authentication ticket has optional capabilities. It can be forwardable and renewable, to mention two important properties.
  • The "remote" ticket acquisition of Kerberos4 kauth -h remotehost is not available in Kerberos5. An alternative, similar, effect can be accomplished using forwardable tickets and a Kerberos5 compatible ssh client.

Interpreting a Kerberos ticket

> klist -f
Credentials cache: FILE:/tmp/krb5cc_22557
        Principal: smeds@NADA.KTH.SE

  Issued           Expires        Flags    Principal
Aug 15 11:55:28  Aug 15 19:55:28  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs/pdc.kth.se@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs@NADA.KTH.SE

The first ticket is a 'ticket granting ticket' (krbtgt), i.e. a ticket used to get other tickets. Then come two tickets allowing this user to access files in the AFS file system at PDC. When you first get Kerberos tickets on your local computer, klist will normally only show a ticket granting ticket. The flags I and F are short for initial (master) and forwardable (can be moved to another computer).
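As an added example (not part of PDC's documentation or tools), the following Python parses the klist -f output above, turns the flag letters into names, and performs the check one would want before logging in with a Kerberos-aware ssh: is there a ticket granting ticket, is it forwardable, and is enough lifetime left. The sample text is the listing shown above; since klist prints no year, the year is supplied by the caller (an assumption), and the 30-minute minimum is an arbitrary threshold.

```python
import re
from datetime import datetime

# Constructed sample: the klist -f output shown on this page (klist prints no year).
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_22557
        Principal: smeds@NADA.KTH.SE

  Issued           Expires        Flags    Principal
Aug 15 11:55:28  Aug 15 19:55:28  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs/pdc.kth.se@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs@NADA.KTH.SE
"""

FLAG_NAMES = {"F": "forwardable", "I": "initial"}  # the flag letters explained above
STAMP = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^(?P<issued>{STAMP})\s+(?P<expires>{STAMP})\s+"
                       r"(?P<flags>[A-Za-z]*)\s+(?P<principal>\S+@\S+)$")

def parse_stamp(stamp, year):
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")  # year is assumed

def parse_klist(text, year):
    """Return (user principal, list of ticket dicts) from klist -f output; klist omits the year."""
    user, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            user = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:  # header and cache-name lines do not match the ticket pattern
            tickets.append({"principal": m["principal"],
                            "flags": [FLAG_NAMES.get(c, c) for c in m["flags"]],
                            "issued": parse_stamp(m["issued"], year),
                            "expires": parse_stamp(m["expires"], year)})
    return user, tickets

def check_cache(text, now, min_left=30 * 60):
    """Pre-login check on the cache; returns (ok, reason, seconds left on the TGT)."""
    _, tickets = parse_klist(text, now.year)
    tgts = [t for t in tickets if t["principal"].startswith("krbtgt/")]
    if not tgts:
        return False, "no ticket granting ticket in cache; run kinit", 0
    left = int((tgts[0]["expires"] - now).total_seconds())
    if "forwardable" not in tgts[0]["flags"]:
        return False, "TGT lacks the F flag; ssh cannot forward it to the remote host", left
    if left < min_left:
        return False, f"TGT expires in {left} s; get a new one with kinit", left
    return True, "", left
```

Call check_cache(SAMPLE, parse_stamp("Aug 15 12:00:00", 2000)) to see the report for the listing above; on a real machine feed it the output of klist -f instead of SAMPLE.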

When you log out it is good practice to destroy your tickets with the kdestroy command.

How do you install and use Kerberos?

Please look at this page to find instructions on how to set up your local computer to use Kerberos tickets and log in to PDC.