What is Kerberos?
Kerberos is the authentication protocol used by the department. It lets nodes communicating over a network prove their identity to one another without sending passwords across that network. Whenever you log into Linux, or ssh to another department node, you're using Kerberos.
At the heart of Kerberos is the notion of the ticket. When you have a Kerberos ticket, you can prove your identity and access authenticated services. You obtain a Kerberos ticket by entering your Kerberos password, either when logging in or by running the /usr/bin/kinit command, which prompts for the password and uses it locally to obtain your ticket.
What can I do with a Kerberos ticket?
- ssh to departmental systems
- Change your LDAP password
When do I get a Kerberos ticket?
- When you log in locally to Linux
- When you run the /usr/bin/kinit command
- When you unlock a locked screen in Linux
When do I not get a Kerberos ticket?
- When you ssh in from outside the department. That login does not leave a ticket on the machine you land on, so you will need to run /usr/bin/kinit there before you can ssh on to other computers.
How can I tell if I have a Kerberos ticket?
To see your current Kerberos tickets, run the /usr/bin/klist command. If you have a ticket, you will see output that looks like this (the krbtgt line is the ticket-granting ticket you got from logging in or from kinit; the host/ and ldap/ lines are service tickets that were obtained with it):
Ticket cache: FILE:/tmp/krb5cc_31754
Default principal: aleks@CS.BROWN.EDU

Valid starting     Expires            Service principal
10/14/08 11:24:39  10/14/08 21:24:39  krbtgt/CS.BROWN.EDU@CS.BROWN.EDU
10/14/08 11:39:39  10/14/08 21:24:39  host/adminhost.cs.brown.edu@CS.BROWN.EDU
10/14/08 13:31:44  10/14/08 21:24:39  ldap/whopper.cs.brown.edu@CS.BROWN.EDU
10/14/08 13:31:51  10/14/08 21:24:39  ldap/starburst.cs.brown.edu@CS.BROWN.EDU

Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached
If not, the output will look more like this:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_31754)

Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached
When do tickets expire?
Kerberos tickets expire after 8 hours, so if you last logged in (or ran /usr/bin/kinit) over 8 hours ago, you'll need to get a new ticket by running /usr/bin/kinit. The exact expiry time of each ticket is shown in the Expires column of the /usr/bin/klist output; once the krbtgt line has passed that time, ssh and other Kerberos-authenticated services will stop working until you run kinit again.
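The two questions above (do I have a ticket, and has it expired?) are what a login script has to answer before running kinit. The following shell functions are an added example, not part of the department's documentation: they parse klist output in the format shown above to find the krbtgt line and compare its Expires time against a given "now", and a wrapper uses klist -s (which exits 0 only when the cache holds an unexpired ticket) to run /usr/bin/kinit only when needed. The date format (MM/DD/YY HH:MM:SS) is assumed from the klist output on this page; the sample outputs embedded below are copies of that output, constructed for the example.

```shell
#!/bin/sh
# Added example, not from the department's documentation: decide from
# /usr/bin/klist output whether the ticket-granting ticket (the
# krbtgt/REALM@REALM line) is still valid, and get a new one with
# /usr/bin/kinit only when it is not. Assumes the klist date format
# shown on this page: MM/DD/YY HH:MM:SS.

# Turn "MM/DD/YY HH:MM:SS" into the sortable number YYMMDDHHMMSS.
klist_stamp() {
    printf '%s\n' "$1" |
        awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# Print the Expires time of the TGT for REALM found in klist output, or
# nothing if there is no such line (e.g. "No credentials cache found").
# Usage: tgt_expiry "$klist_output" REALM
tgt_expiry() {
    printf '%s\n' "$1" |
        awk -v realm="$2" '$5 == ("krbtgt/" realm "@" realm) { print $3 " " $4; exit }'
}

# Return 0 if the TGT for REALM is present and expires after NOW.
# Usage: tgt_valid "$klist_output" REALM "MM/DD/YY HH:MM:SS"
tgt_valid() {
    expires=$(tgt_expiry "$1" "$2")
    [ -n "$expires" ] || return 1
    awk -v expiry="$(klist_stamp "$expires")" -v current="$(klist_stamp "$3")" \
        'BEGIN { exit !(expiry + 0 > current + 0) }'
}

# The version for a login script: klist -s is silent and exits 0 only
# when the cache holds an unexpired ticket, so kinit is run just when
# a fresh ticket is actually needed.
ensure_tgt() {
    /usr/bin/klist -s 2>/dev/null && return 0
    echo "No valid Kerberos ticket; running /usr/bin/kinit" >&2
    /usr/bin/kinit
}

# Constructed sample: the successful klist output shown on this page.
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_31754
Default principal: aleks@CS.BROWN.EDU

Valid starting     Expires            Service principal
10/14/08 11:24:39  10/14/08 21:24:39  krbtgt/CS.BROWN.EDU@CS.BROWN.EDU
10/14/08 11:39:39  10/14/08 21:24:39  host/adminhost.cs.brown.edu@CS.BROWN.EDU
EOF
)

# Constructed sample: the "no ticket" klist output shown on this page.
SAMPLE_NOCACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_31754)'

# Check the sample cache at two points in time: before and after the
# 21:24:39 expiry in the krbtgt line.
demo() {
    for now in "10/14/08 13:00:00" "10/14/08 21:30:00"; do
        if tgt_valid "$SAMPLE_KLIST" CS.BROWN.EDU "$now"; then
            echo "$now: TGT valid"
        else
            echo "$now: TGT missing or expired, run /usr/bin/kinit"
        fi
    done
}

demo
```

To use the wrapper on a department machine, call ensure_tgt from your shell startup file; on a login that already has a ticket it does nothing, and on an ssh login from outside the department (which leaves no ticket) it prompts for your Kerberos password once.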
Stanford's Kerberos user guide has a lot of useful information, though some of it doesn't apply to our setup.