What is Kerberos?


Kerberos is the authentication protocol utilized by the department. It allows nodes communicating over a network to prove their identity to one another in a secure manner. Whenever you log into Linux, or ssh to another department node, you're using Kerberos.

At the heart of Kerberos is the notion of the ticket. When you have a Kerberos ticket, you can prove your identity and access authenticated services. You obtain a Kerberos ticket by entering your Kerberos password, either through logging in or by running the /usr/bin/kinit command.

What can I do with a Kerberos ticket?

When do I get a Kerberos ticket?

When do I not get a Kerberos ticket?

How can I tell if I have a Kerberos ticket?

To see your current Kerberos tickets, run the /usr/bin/klist command. If you have a ticket, you will see output that looks like this:

Ticket cache: FILE:/tmp/krb5cc_31754
Default principal: aleks@CS.BROWN.EDU

Valid starting     Expires            Service principal
10/14/08 11:24:39  10/14/08 21:24:39  krbtgt/CS.BROWN.EDU@CS.BROWN.EDU
10/14/08 11:39:39  10/14/08 21:24:39  host/
10/14/08 13:31:44  10/14/08 21:24:39  ldap/
10/14/08 13:31:51  10/14/08 21:24:39  ldap/

Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached

If not, the output will look more like this:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_31754)

Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached

When do tickets expire?

Kerberos tickets expire after 8 hours, so if you last logged in (or ran /usr/bin/kinit) over 8 hours ago, you'll need to get a new ticket by running /usr/bin/kinit.

More Information

Stanford's Kerberos user guide has a lot of useful information, though some of it doesn't apply to our setup.