40.3 Users' View of Kerberos
Ideally, a user's one and only contact with
Kerberos happens during login at the workstation. The login process includes
obtaining a ticket-granting ticket. At logout, a user's Kerberos tickets are
automatically destroyed, which makes it difficult for anyone else to
impersonate this user. The automatic expiration of tickets can lead to a
somewhat awkward situation when a user's login session lasts longer than the
maximum lifespan given to the ticket-granting ticket (a reasonable setting
is 10 hours). However, the user can get a new ticket-granting ticket by
running kinit. After you enter the password again, Kerberos
obtains access to the desired services without further authentication. To get
a list of all the tickets silently acquired for you by Kerberos, run
klist.
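The expiry situation described above (a login session that outlives the 10-hour ticket-granting ticket) is easy to miss until a Kerberized command suddenly fails. The following added example, which is not part of the SUSE documentation or of MIT Kerberos, parses the text that klist prints and classifies the user's ticket-granting ticket as valid, expiring, expired or missing, so a login script or shell prompt can tell the user to run kinit before services stop working. The klist output embedded below is constructed, and the assumed layout is the default MIT klist text format (a "Default principal:" line followed by "Valid starting / Expires / Service principal" rows); the date formats are an assumption, since klist output varies between versions.

```python
"""Parse `klist` output and decide whether a fresh `kinit` is needed.

Added example; not code from the SUSE documentation or from MIT Kerberos.
It assumes the default MIT klist text layout shown in SAMPLE_KLIST.
"""
from datetime import datetime, timedelta
import re

# Constructed sample of `klist` output for a user whose TGT lasts 10 hours.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tux@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 08:00:00  01/15/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/15/2024 08:05:12  01/15/2024 18:00:00  host/ws2.example.com@EXAMPLE.COM
"""

# Assumed timestamp layouts: newer MIT klist prints a 4-digit year,
# older releases a 2-digit one.
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")

# One ticket row: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def _parse_stamp(text):
    """Convert a klist timestamp to datetime, trying each assumed format."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(output):
    """Return (default principal, list of ticket dicts) from klist text."""
    principal = None
    tickets = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "valid_from": _parse_stamp(m.group(1)),
                "expires": _parse_stamp(m.group(2)),
                "service": m.group(3),
            })
    return principal, tickets


def tgt_status(output, now, warn_within=timedelta(hours=1)):
    """Classify the user's ticket-granting ticket relative to `now`.

    Returns one of 'missing', 'expired', 'expiring' or 'valid'.
    `now` may be a datetime or an ISO 8601 string such as '2024-01-15 12:00:00'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    principal, tickets = parse_klist(output)
    # The TGT for the user's own realm is krbtgt/REALM@REALM.
    realm = principal.rsplit("@", 1)[1] if principal and "@" in principal else None
    wanted = f"krbtgt/{realm}@{realm}" if realm else None
    tgts = [t for t in tickets
            if t["service"] == wanted or (wanted is None and t["service"].startswith("krbtgt/"))]
    if not tgts:
        return "missing"
    expires = max(t["expires"] for t in tgts)
    if expires <= now:
        return "expired"
    if expires - now <= warn_within:
        return "expiring"
    return "valid"


if __name__ == "__main__":
    # Fixed clock so the sample is reproducible; a real check would use datetime.now().
    status = tgt_status(SAMPLE_KLIST, "2024-01-15 17:30:00")
    print(f"TGT status: {status}")
    if status != "valid":
        print("Run kinit to obtain a new ticket-granting ticket.")
```

In a real login environment the klist text would come from running klist as a subprocess and `now` from the system clock; anything other than `valid` is the cue to run kinit again, as the text above describes.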
Here is a short list of some applications that use Kerberos
authentication. These applications can be found under
/usr/lib/mit/bin or
/usr/lib/mit/sbin. They all have the
full functionality of their common UNIX and Linux brothers plus the
additional bonus of transparent authentication managed by
Kerberos:
- telnet, telnetd
- rlogin
- rsh, rcp, rshd
- ftp, ftpd
- ksu
You no longer have to enter your password for using these applications
because Kerberos has already proven your identity. ssh, if compiled with
Kerberos support, can even forward all the tickets acquired for one
workstation to another one. If you use ssh to log in to another
workstation, ssh makes sure that the encrypted contents of the tickets are
adjusted to the new situation. Simply copying tickets between
workstations is not sufficient because the ticket contains
workstation-specific information (the IP address). XDM, GDM, and KDM offer
Kerberos support, too. Read more about the Kerberos network applications
in the Kerberos V5 UNIX User's Guide at https://web.mit.edu/kerberos.