Chapter 18. Kerberos

GSS-API
The Generic Security Service Application Program Interface (defined in RFC 2743, published by The Internet Engineering Task Force) is a set of functions which provide security services. This API is used by clients and services to authenticate to each other without either program having specific knowledge of the underlying mechanism. If a network service (such as IMAP) uses GSS-API, it can authenticate using Kerberos.

hash
A fixed-size value computed from data and used to verify that transmitted data has not been tampered with.

key
Data used when encrypting or decrypting other data. Encrypted data cannot be decrypted without the proper key, short of an impractically lucky guess.

Key Distribution Center (KDC)
A service that issues Kerberos tickets. It is usually run on the same host as the Ticket-granting Server (TGS).

key table or keytab
A file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using kinit. The default keytab file is /etc/krb5.keytab. The KDC administration server, /usr/kerberos/sbin/kadmind, is the only service that uses any other file (it uses /var/kerberos/krb5kdc/kadm5.keytab). Because a keytab holds the service's long-term keys in the clear, it is equivalent to the service's password: it must be readable only by root (or the service account) and must never be copied to another host.

kinit
The kinit command allows a principal who has already logged in to obtain and cache the initial Ticket-granting Ticket (TGT). For more information about using the kinit command, refer to its man page.

principal
The principal name or principal is the unique name of a user or service allowed to authenticate using Kerberos. A principal name follows the form root[/instance]@REALM. For a typical user, the root is the same as their login ID. The instance is optional. If the principal has an instance, it is separated from the root with a forward slash ("/"). An empty string ("") is considered a valid instance (which differs from the default NULL instance), but using it can be confusing, because root@REALM and root/@REALM are two distinct principals. All principals in a realm have their own key, which for users is derived from a password and for services is randomly set.

realm
A network that uses Kerberos, composed of one or more servers called KDCs and a potentially large number of clients.

service
A program accessed over the network.

ticket
A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called credentials.
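The principal entry above describes the root[/instance]@REALM form and warns that an empty instance is legal but distinct from no instance at all. The following parser, added here as an illustration and not part of the original chapter or of any Kerberos implementation, makes that distinction explicit and shows how a program should keep the two apart. It assumes MIT Kerberos's backslash-escaping convention (a backslash protects the character after it, so "/" and "@" can appear inside a component); that convention and the names Principal and parse_principal are assumptions of this example, not something the page defines.

```python
"""Parse and unparse Kerberos principal names of the form root[/instance]@REALM.

Added example; the escaping rule follows MIT krb5's convention and is an
assumption of this example, not something defined by the chapter above.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    # ("root",) when there is no instance; ("root", "instance") otherwise.
    # An explicitly empty instance is stored as "" so that "alice/@REALM"
    # does not collapse into "alice@REALM", which is a different principal.
    components: Tuple[str, ...]
    realm: str

    @property
    def root(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        """None when the principal has no instance, "" when it has an empty one."""
        return self.components[1] if len(self.components) > 1 else None

    def __str__(self) -> str:
        # Re-escape separator characters so that str(parse_principal(s)) == s.
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split a principal string into its components and realm.

    '/' separates components, the first unescaped '@' starts the realm, and a
    backslash escapes the character after it.  A missing realm falls back to
    default_realm; a missing root or a second unescaped '@' is rejected.
    """
    components = [[]]   # one list of characters per component
    realm = None        # becomes a list of characters once '@' is seen
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of principal")
            (realm if realm is not None else components[-1]).append(text[i + 1])
            i += 2
            continue
        if realm is not None:
            if c == "@":
                raise ValueError("more than one unescaped '@' in principal")
            realm.append(c)
        elif c == "@":
            realm = []
        elif c == "/":
            components.append([])
        else:
            components[-1].append(c)
        i += 1

    comps = tuple("".join(part) for part in components)
    if comps[0] == "":
        raise ValueError("principal has an empty root component")
    realm_str = "".join(realm) if realm is not None else default_realm
    if not realm_str:
        raise ValueError("principal has no realm and no default realm was given")
    return Principal(comps, realm_str)


if __name__ == "__main__":
    # Constructed sample names; note that the second and first are not equal.
    for name in ("alice@EXAMPLE.COM", "alice/@EXAMPLE.COM",
                 "host/www.example.com@EXAMPLE.COM"):
        p = parse_principal(name)
        print(f"{name:36} root={p.root!r} instance={p.instance!r} realm={p.realm!r}")
```

Anything that maps principals to authorizations (an ACL, a .k5login file, a keytab lookup) should compare the parsed components, not the raw string, so that alice@EXAMPLE.COM and alice/@EXAMPLE.COM are never treated as the same identity and an escaped "/" or "@" inside a component cannot be mistaken for a separator.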