Kerberos FAQ, v2.0 (last modified 8/18/2000)

Table of Contents:

   * 0. Introduction

   * 1. General information about Kerberos
        o 1.1. What is Kerberos?
        o 1.2. Where does the name "Kerberos" come from?
        o 1.3. Hey! I remember my Greek mythology, and I thought the dog
          that guarded the entrance was called Cerberus! What gives?
        o 1.4. Where can I find out more information about Kerberos?
        o 1.5. What is the latest version of Kerberos available from MIT?
        o 1.6. Are there any other free versions of Kerberos available?
        o 1.7. What are the differences between Kerberos Version 4 and
          Version 5?
        o 1.8. What are the differences between AFS Kerberos and "normal"
        o 1.9. What is the format of principals?
        o 1.10. How are realms named? Do they really have to be uppercase?
        o 1.11. What is ASN.1?
        o 1.12. I see the acronyms TGT and TGS used a lot. What do they
        o 1.13. What is the export status of Kerberos?
        o 1.14. What is a "Kerberos client", "Kerberos server", and
          "application server"?
        o 1.15. I use software package <foo>, and it claims it supports
          Kerberos. What does that mean?
        o 1.16. What is cross-realm authentication?
        o 1.17. Are there security risks involved in cross-realm
        o 1.18. Are there any known weaknesses in Kerberos?
        o 1.19. What is preauthentication?
        o 1.20. Why do I need to synchronize my system clocks to run
        o 1.21. What computer vendors support Kerberos?
        o 1.22. Can I use Kerberos 4 clients with Kerberos 5? How about the
        o 1.23. What is a "key salt"? "kvno"?
        o 1.24. Does Kerberos support multi-homed machines?
        o 1.25. What is "user to user" authentication?
        o 1.26. What are forwardable tickets?
        o 1.27. What are renewable tickets?
        o 1.28. What are postdatable tickets?
        o 1.29. What are the advantages/disadvantages of Kerberos vs. SSL?
        o 1.30. What are proxiable tickets?
   * 2. Administration questions
        o 2.1. Okay, I'm the administrator of a site, and I'd like to run
          Kerberos. What do I need to do?
        o 2.2. What sort of resources do I need to dedicate to a KDC?
        o 2.3. What programs/files need to go on each application server?
        o 2.4. What programs/files need to go on each client?
        o 2.5. There's a lot of stuff in the krb5.conf and kdc.conf files.
          What does it all mean, and what do I really need?
        o 2.6. How do I change the master key?
        o 2.7. How do I set up slave servers?
        o 2.8. What do I need to do to make V4 clients work with my V5 KDC?
        o 2.9. I just added a host key to a machine with ktadd, and the kvno
          got incremented! What just happened?
        o 2.10. How do I run kadmin from a shell script unattended?
        o 2.11. I can't use kadmin to talk to the admin server of another
          realm. What am I doing wrong?
        o 2.12. We run AFS at our site currently. Is there a way we can run
          Kerberos along with AFS?
        o 2.13. Employee <X> just left the company, and he had root on our
          KDC. What should I do?
        o 2.14. How should I configure my DNS for Kerberos?
        o 2.15. What do I need to do to setup cross-realm authentication?
        o 2.16. Can I configure the admin server to reject bad passwords?
        o 2.17. Is there a hook I can use to do further password checking?
        o 2.18. How come the "Last xxx" fields in the Kerberos database
          don't seem to get updated?
        o 2.19. What does krb524d do? Do I need to run it?
        o 2.20. What is v5passwdd? Do I need to run it?
        o 2.21. How do I rename a principal?
        o 2.22. What is the difference between the "-a valid" and the "-a
          user" flags for telnetd?
        o 2.23. I already have a standard Unix password database for my user
          population. Can I convert this to a Kerberos password database?
        o 2.24. Can I have multiple realms on a single KDC?
        o 2.25. What is the kadm5.acl file?
   * 3. User and application questions
        o 3.1. What happens when my tickets expire?
        o 3.2. How do I run a cron job with Kerberos authentication?
        o 3.3. How do I use renewable tickets?
        o 3.4. What is the .k5login file, and how do I use it?
        o 3.5. I've heard Microsoft will support Kerberos in Windows 2000. Is
          that true?
        o 3.6. How can I be authenticated as two different principals at the
          same time?
        o 3.7. How come Kerberos rlogin works to a machine, but when I use
          Kerberos telnet I'm still asked for a password?
        o 3.8. How do I use Kerberos telnet/rlogin to connect to a system as
          a userid other than my current one?
        o 3.9. Is there any way to do Kerberos authentication across the
        o 3.10. Is there a way to use Kerberos to authenticate my X windows
          connections? I tried compiling the Kerberos support in X, but it
          didn't work.
        o 3.11. I need to use Kerberos through a firewall. What does my
          firewall administrator need to do?
   * 4. Error messages and other problems.
        o 4.1. "No such file or directory"
        o 4.2. "Decrypt integrity check failed"
        o 4.3. "Cannot find/read stored master key"
        o 4.4. "Incorrect net address"
        o 4.5. "Initial Ticket response appears to be Version 4 error"
        o 4.6. "Message stream modified"
        o 4.7. "Illegal cross-realm ticket"
        o 4.8. "Couldn't authenticate to server: Bad sendauth version was
        o 4.9. When I try using Kerberos ftp, it doesn't work, but it says,
          "No error".
        o 4.10. When I telnet from a Linux machine to a Solaris machine with
          Kerberos and hit Ctrl-C, the connection hangs.
   * 5. Programming with Kerberos.
        o 5.1. How do I start programming with Kerberos?
        o 5.2. What is GSSAPI?
        o 5.3. What is SASL?
        o 5.4. Is there a reference for the Kerberos API?

Ken Hornstein

