credentials
A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called a ticket.

credential cache or ticket file
A file which contains the keys for encrypting communications between a user and various network services. Kerberos 5 supports a framework for using other cache types, such as shared memory, but files are more thoroughly supported.

crypt hash
A one-way hash used to authenticate users. While more secure than unencrypted data, it is fairly easy to decrypt for an experienced cracker.

GSS-API
The Generic Security Service Application Program Interface (defined in RFC-2743 published by The Internet Engineering Task Force) is a set of functions which provide security services. This API is used by clients and services to authenticate to each other without either program having specific knowledge of the underlying mechanism. If a network service (such as cyrus-IMAP) uses GSS-API, it can authenticate using Kerberos.

hash
A text-generated number used to ensure that transmitted data has not been tampered with.

key
Data used when encrypting or decrypting other data. Encrypted data cannot be decrypted without the proper key or extremely good guessing.

key distribution center (KDC)
A service that issues Kerberos tickets, usually run on the same host as the ticket-granting server (TGS).

keytab (or key table)
A file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using kinit. The default keytab file is /etc/krb5.keytab. The KDC administration server, /usr/kerberos/sbin/kadmind, is the only service that uses any other file (it uses /var/kerberos/krb5kdc/kadm5.keytab).

kinit
The kinit command allows a principal who has already logged in to obtain and cache the initial ticket-granting ticket (TGT). For more information about using the kinit command, refer to its man page.

principal (or principal name)
The principal is the unique name of a user or service allowed to authenticate using Kerberos. A principal follows the form root[/instance]@REALM. For a typical user, the root is the same as their login ID. The instance is optional. If the principal has an instance, it is separated from the root with a forward slash ("/"). An empty string ("") is considered a valid instance (which differs from the default NULL instance), but using it can be confusing. All principals in a realm have their own key, which for users is derived from a password or is