Guided Tours: Kerberos5 (Heimdal)
What is Kerberos?
Kerberos is a protocol and a set of tools that provide strong user
authentication and access control. In this respect it has several
similarities to the more widely used SSH protocol and tools.
Differences between SSH and Kerberos are:
- No local identity files: there are no local identity files needed
  for Kerberos authorization.
- Expiring tickets: unlike the behaviour of SSH, any authorization
  acquired using Kerberos has a limited time associated with it. The
  risk of loss of authorization information to a third party is thus
  limited to that time span.
- Authorization revocation: SSH has an authorization mode based on
  registering authorization keys at a host. A user who is able to match
  the registered public key with a private counterpart is granted
  access. If the private key is lost, all systems where the public key
  is registered as having access must be reached and that particular
  key disabled. Using Kerberos the revocation only needs to be made at
  a Kerberos server.
Differences between Kerberos4 and Kerberos5
For users accustomed to Kerberos4 some important differences are listed below:
- The command kinit is preferred over the previous kauth. For backwards
  compatibility a command is included with similar behaviour to the
  Kerberos4 command.
- The expiration time is by default given in seconds in Kerberos5, while
  it is given in minutes in Kerberos4. Thus kauth/kinit -l 15 will get the
  user a ticket valid for 15 seconds, not 15 minutes.
- You may use varying units when stating the lifetime of your ticket. Some
  valid examples are:
    kinit -l 10h
    kinit -l 10d
    kinit -l 1month
    kinit -l 1y
- The syntax of the principal is slightly different. In Kerberos5 there is
  a "/" between the service name and the service host; some services have had
  their names changed as well:
- There are optional capabilities to an authentication ticket. They can be
  forwardable and renewable, to mention two important properties.
- The "remote" ticket acquisition of Kerberos4, kauth -h remotehost, is not
  available in Kerberos5. An alternative, similar, effect can be accomplished
  using forwardable tickets and a Kerberos5 compatible
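To make the seconds-versus-minutes difference concrete, here is an added example (not part of the PDC tour, and not Heimdal's own parser) that converts a kinit -l style lifetime into seconds. It follows the convention the tour states, namely that a bare number means seconds in Kerberos5, and accepts the unit spellings the tour lists (h, d, month, y). The extra unit spellings, the 30-day month and the 365-day year are this script's own assumptions.

```shell
#!/bin/sh
# Added example: convert a kinit -l lifetime specification to seconds.
# Assumptions (not Heimdal's exact rules): a bare number is seconds, as the
# tour states; month = 30 days; year = 365 days; unit spellings below.

lifetime_to_seconds() {
    spec=$1
    case "$spec" in
        ''|*[!0-9a-zA-Z]*) echo "invalid lifetime: '$spec'" >&2; return 1 ;;
    esac
    num=${spec%%[!0-9]*}          # leading digits, e.g. "10" from "10h"
    unit=${spec#"$num"}           # remainder, e.g. "h" (empty for a bare number)
    [ -n "$num" ] || { echo "missing number in '$spec'" >&2; return 1; }
    case "$unit" in
        ''|s|sec|second|seconds)   mult=1 ;;          # Kerberos5 default: seconds
        min|minute|minutes)        mult=60 ;;
        h|hour|hours)              mult=3600 ;;
        d|day|days)                mult=86400 ;;
        w|week|weeks)              mult=604800 ;;
        month|months)              mult=2592000 ;;    # assumed 30-day month
        y|year|years)              mult=31536000 ;;   # assumed 365-day year
        *) echo "unknown unit '$unit' in '$spec'" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# Show what a given -l argument actually buys you, so that the Kerberos4
# habit of "-l 15" (15 minutes there) is seen to mean 15 seconds here.
describe_lifetime() {
    secs=$(lifetime_to_seconds "$1") || return 1
    echo "kinit -l $1 -> $secs seconds ($((secs / 60)) minutes)"
}

# When run directly: describe the lifetimes given on the command line,
# or the tour's own examples if none are given.
if [ $# -eq 0 ]; then set -- 15 10h 10d 1month 1y; fi
for spec in "$@"; do describe_lifetime "$spec"; done
```

Running the script without arguments prints one line per example, with "kinit -l 15" coming out as 15 seconds (0 minutes).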
Example Kerberos5 session
If you are using a Kerberos5 version of the travel kit, this could be an
example of a session where you log in to a PDC resource.
The following would get you a forwardable ticket valid for 8 hours, allowing
you to log in to the Strindberg computer at PDC:
> kinit -f -l 8h your-username-at-pdc@NADA.KTH.SE
You can see which tickets you currently have and when they will expire using the 'klist' command.
For instance:
> klist -f
Credentials cache: FILE:/tmp/krb5cc_22557
Issued Expires Flags Principal
Aug 15 11:55:28 Aug 15 19:55:28 FI krbtgt/NADA.KTH.SE@NADA.KTH.SE
Aug 15 11:55:28 Aug 15 19:55:28 afs/pdc.kth.se@NADA.KTH.SE
Aug 15 11:55:28 Aug 15 19:55:28 afs@NADA.KTH.SE
The first ticket is a 'ticket granting ticket' (krbtgt), i.e. a ticket used
to get other tickets.
Then come two tickets allowing this user to access files in the
AFS file system at PDC.
When you first get Kerberos tickets on your local computer, klist will normally
only show a ticket granting ticket. The flags I and F are short for initial (master)
and forwardable (can be moved to another computer).
The rxtelnet command starts an xterm window with a kerberized telnet to the given host. From this
window other X programs can be started securely. The following command opens a secure telnet
connection to the Strindberg computer:
> rxtelnet -l your-username-at-pdc -t -F loginnodename.pdc.kth.se
Observe that this is the proper way to start X applications remotely. You should NOT use the xhost command
to enable running X applications on the computers at PDC, since this is a big security hole.
The option -t passes its argument to the telnet command. Thus rxtelnet will invoke a telnet session
with the option -F. This instructs the telnet client to forward any forwardable tickets to the
remote host and make these tickets forwardable again.
When you log out it is good practice to destroy your tickets with the 'kdestroy' command.
Kerberized ftp works as normal ftp, with the exception that it forwards your AFS tickets so that you are
able to access your files. You have to use a Kerberos-aware ftp program to do this. If in doubt, run
ftp -help; if the output mentions GSS-API it is modern enough.
> ftp ftp.pdc.kth.se
Connected to realname.pdc.kth.se.
220 realname.pdc.kth.se FTP server (Version 6.00+Heimdal 0.7.1) ready.
Name (ftp.pdc.kth.se:default): your-username
S:232-Kickstart-installed Bambi RedHat Linux at PDC Thu Nov 3 14:02:33 CET 2005
S:232 User your-username logged in.
S:230 Password not necessary
Remote system type is UNIX.
Using binary mode to transfer files.
GSSAPI (see the message above) should forward your Kerberos tickets to the ftp machine
so that you can read your personal files without an extra kinit. If you don't
have read/write permissions from the ftp prompt, did your tickets really have the
forwardable property? (You can check that with
klist -f or
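The klist -f listing shown earlier and the "did your tickets really have the forwardable property?" question above are the same check, so here is one added example (not part of the PDC tour, not Heimdal code) that reads klist -f output and reports the flags on the ticket granting ticket before you try rxtelnet or kerberized ftp. The two sample listings are constructed, modelled on the column layout of the tour's own klist output; the function names tgt_flags, tgt_has_flag and check_forwardable are this script's own.

```shell
#!/bin/sh
# Added example: inspect 'klist -f' output and say whether the ticket
# granting ticket (krbtgt) carries the F (forwardable) flag.
# Relies only on the column layout shown in the tour: the flags token, when
# present, sits just before the principal; when the Flags column is blank,
# the token in that position is part of the Expires time instead.

# Constructed sample, modelled on the tour's klist -f listing (kinit -f).
SAMPLE_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_22557
        Issued           Expires          Flags  Principal
Aug 15 11:55:28  Aug 15 19:55:28  FI     krbtgt/NADA.KTH.SE@NADA.KTH.SE
Aug 15 11:55:28  Aug 15 19:55:28         afs/pdc.kth.se@NADA.KTH.SE'

# Constructed sample for a kinit run without -f: only the I flag is set.
SAMPLE_NOT_FORWARDABLE='Credentials cache: FILE:/tmp/krb5cc_22557
        Issued           Expires          Flags  Principal
Aug 15 11:55:28  Aug 15 19:55:28  I      krbtgt/NADA.KTH.SE@NADA.KTH.SE'

# tgt_flags: read klist -f output on stdin and print the flags of the first
# krbtgt ticket, or "-" if its Flags column is blank or no TGT is listed.
tgt_flags() {
    awk '
        /krbtgt\// {
            f = $(NF - 1)
            # letters only => a flags field; a time or year => blank column
            if (f ~ /^[A-Za-z]+$/) print f; else print "-"
            found = 1
            exit
        }
        END { if (!found) print "-" }
    '
}

# tgt_has_flag LETTER: succeed if the TGT read from stdin carries that flag.
tgt_has_flag() {
    case "$(tgt_flags)" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_forwardable: explain the result; in practice run as
#   klist -f | check_forwardable
check_forwardable() {
    if tgt_has_flag F; then
        echo "TGT is forwardable: tickets can follow you to the remote host"
        return 0
    fi
    echo "TGT is NOT forwardable: get a new one with kinit -f (e.g. kinit -f -l 8h <principal>)"
    return 1
}

# Demonstration on the two constructed listings (status 1 is the expected
# outcome for the second one, hence the '|| :').
for sample in "$SAMPLE_FORWARDABLE" "$SAMPLE_NOT_FORWARDABLE"; do
    printf '%s\n' "$sample" | check_forwardable || :
done
```

Against a live cache, klist -f | check_forwardable gives a yes/no answer before you open the connection, which is cheaper than discovering the missing flag as a permission error at the ftp prompt.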
More detailed information about Kerberos can be found at