Red Hat Linux 7.3: The Official Red Hat Linux Reference Guide

Chapter 11. Kerberos
Like any other system, Kerberos has its own terminology to define
various aspects of the service. Before learning how the service works,
it is important to learn the following terms.

- ciphertext
  Encrypted data.
- clear-text
  Unencrypted, human-readable data.
- client
  An entity on the network (a user, a host, or an application)
  that can get a ticket from Kerberos.
- credential cache or ticket file
  A file which contains the keys for encrypting communications
  between a user and various network services. Kerberos 5 supports a
  framework for using other cache types, such as shared memory, but
  files are more thoroughly supported.
- crypt hash
  A one-way hash used to authenticate users. While more secure
  than clear-text, it is fairly easy for an experienced cracker to
  recover the password from it.
- key
  Data used when encrypting or decrypting other data. Encrypted
  data cannot be decrypted without the proper key or extremely good
  guessing.
- Key Distribution Center (KDC)
  A service that issues Kerberos tickets, usually run on the
  same host as the Ticket Granting Server.
- key table or keytab
  A file that includes an unencrypted list of principals and
  their keys. Servers retrieve the keys they need from keytab files
  instead of using `kinit`. The default keytab file
  is `/etc/krb5.keytab`. The
  `/usr/kerberos/sbin/kadmind` command is the only service that uses any
  other file (it uses
  `/var/kerberos/krb5kdc/kadm5.keytab`).
- principal
  A user or service that can authenticate using Kerberos. A
  principal's name is in the form
  `root[/instance]@REALM`. For a
  typical user, the root is the same as their login ID. The
  instance is optional. If the
  principal has an instance, it is separated from the root with a
  forward slash (`/`). An empty string (`""`) is considered a valid
  instance (which differs from the default
  NULL instance), but using it can
  be confusing. All principals in a realm have their own key, which
  is derived from their password or randomly set for services.
- realm
  A network that uses Kerberos, composed of one or more servers
  called KDCs and a potentially large number of clients.
- service
  A program accessed over the network.
- ticket
  A temporary set of electronic credentials that verify the
  identity of a client for a particular service.
- Ticket Granting Service (TGS)
  A server that issues tickets for a desired service, which are in
  turn given to users for access to the service. The TGS usually runs
  on the same host as the KDC.
- Ticket Granting Ticket (TGT)
  A special ticket that allows the client to obtain additional
  tickets without applying for them from the KDC.
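As an added example (not from the Red Hat guide), a small Python parser for the `root[/instance]@REALM` form described under "principal"; it keeps the empty-string instance distinct from the default NULL instance, the point the text warns is easy to confuse. It assumes the single-instance form shown above and no backslash-escaped separators; the realm and user names in the comments are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """A parsed Kerberos principal name of the form root[/instance]@REALM."""
    root: str
    instance: Optional[str]  # None = default NULL instance; "" = explicit empty-string instance
    realm: str

    def __str__(self) -> str:
        name = self.root if self.instance is None else f"{self.root}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Parse the single-instance form; assumes no backslash-escaped '/' or '@' (simplification)."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    name, realm = text.split("@")
    if not realm:
        raise ValueError(f"missing realm in {text!r}")
    if "/" in name:
        root, instance = name.split("/", 1)  # text after the first '/' is the instance ("alice/@EXAMPLE.COM" -> "")
    else:
        root, instance = name, None  # no '/': the default NULL instance ("alice@EXAMPLE.COM")
    if not root:
        raise ValueError(f"missing root in {text!r}")
    return Principal(root, instance, realm)


def is_valid_principal(text: str) -> bool:
    """True when text parses; handy for checking names before adding keytab entries."""
    try:
        parse_principal(text)
    except ValueError:
        return False
    return True


def describe_instance(p: Principal) -> str:
    """Make the NULL-vs-empty distinction explicit, e.g. for log or error messages."""
    if p.instance is None:
        return "NULL instance (default)"
    if p.instance == "":
        return "empty-string instance (valid, but easily confused with NULL)"
    return f"instance {p.instance!r}"
```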
Disclaimer: For authoritative source or latest update to this
documentation, please refer to http://www.redhat.com/docs/manuals/linux/