Table of Contents:

* 0. Introduction
* 1. General information about Kerberos
  o 1.1. What is Kerberos?
  o 1.2. Where does the name "Kerberos" come from?
  o 1.3. Hey! I remember my Greek mythology, and I thought the dog that guarded the entrance was called Cerberus! What gives?
  o 1.4. Where can I find out more information about Kerberos?
  o 1.5. What is the latest version of Kerberos available from MIT?
  o 1.6. Are there any other free versions of Kerberos available?
  o 1.7. What are the differences between Kerberos Version 4 and Version 5?
  o 1.8. What are the differences between AFS Kerberos and "normal" Kerberos?
  o 1.9. What is the format of principals?
  o 1.10. How are realms named? Do they really have to be uppercase?
  o 1.11. What is ASN.1?
  o 1.12. I see the acronyms TGT and TGS used a lot. What do they mean?
  o 1.13. What is the export status of Kerberos?
  o 1.14. What is a "Kerberos client", "Kerberos server", and "application server"?
  o 1.15. I use software package <foo>, and it claims it supports Kerberos. What does that mean?
  o 1.16. What is cross-realm authentication?
  o 1.17. Are there security risks involved in cross-realm authentication?
  o 1.18. Are there any known weaknesses in Kerberos?
  o 1.19. What is preauthentication?
  o 1.20. Why do I need to synchronize my system clocks to run Kerberos?
  o 1.21. What computer vendors support Kerberos?
  o 1.22. Can I use Kerberos 4 clients with Kerberos 5? How about the reverse?
  o 1.23. What is a "key salt"? "kvno"?
  o 1.24. Does Kerberos support multi-homed machines?
  o 1.25. What is "user to user" authentication?
  o 1.26. What are forwardable tickets?
  o 1.27. What are renewable tickets?
  o 1.28. What are postdatable tickets?
  o 1.29. What are the advantages/disadvantages of Kerberos vs. SSL?
  o 1.30. What are proxiable tickets?
* 2. Administration questions
  o 2.1. Okay, I'm the administrator of a site, and I'd like to run Kerberos. What do I need to do?
  o 2.2. What sort of resources do I need to dedicate to a KDC?
  o 2.3. What programs/files need to go on each application server?
  o 2.4. What programs/files need to go on each client?
  o 2.5. There's a lot of stuff in the krb5.conf and kdc.conf files. What does it all mean, and what do I really need?
  o 2.6. How do I change the master key?
  o 2.7. How do I set up slave servers?
  o 2.8. What do I need to do to make V4 clients work with my V5 KDC?
  o 2.9. I just added a host key to a machine with ktadd, and the kvno got incremented! What just happened?
  o 2.10. How do I run kadmin from a shell script unattended?
  o 2.11. I can't use kadmin to talk to the admin server of another realm. What am I doing wrong?
  o 2.12. We run AFS at our site currently. Is there a way we can run Kerberos along with AFS?
  o 2.13. Employee <X> just left the company, and he had root on our KDC. What should I do?
  o 2.14. How should I configure my DNS for Kerberos?
  o 2.15. What do I need to do to set up cross-realm authentication?
  o 2.16. Can I configure the admin server to reject bad passwords?
  o 2.17. Is there a hook I can use to do further password checking?
  o 2.18. How come the "Last xxx" fields in the Kerberos database don't seem to get updated?
  o 2.19. What does krb524d do? Do I need to run it?
  o 2.20. What is v5passwdd? Do I need to run it?
  o 2.21. How do I rename a principal?
  o 2.22. What is the difference between the "-a valid" and the "-a user" flags for telnetd?
  o 2.23. I already have a standard Unix password database for my user population. Can I convert this to a Kerberos password database?
  o 2.24. Can I have multiple realms on a single KDC?
  o 2.25. What is the kadm5.acl file?
* 3. User and application questions
  o 3.1. What happens when my tickets expire?
  o 3.2. How do I run a cron job with Kerberos authentication?
  o 3.3. How do I use renewable tickets?
  o 3.4. What is the .k5login file, and how do I use it?
  o 3.5. I've heard Microsoft will support Kerberos in Windows 2000. Is that true?
  o 3.6. How can I be authenticated as two different principals at the same time?
  o 3.7. How come Kerberos rlogin works to a machine, but when I use Kerberos telnet I'm still asked for a password?
  o 3.8. How do I use Kerberos telnet/rlogin to connect to a system as a userid other than my current one?
  o 3.9. Is there any way to do Kerberos authentication across the WWW?
  o 3.10. Is there a way to use Kerberos to authenticate my X windows connections? I tried compiling the Kerberos support in X, but it didn't work.
  o 3.11. I need to use Kerberos through a firewall. What does my firewall administrator need to do?
* 4. Error messages and other problems.
  o 4.1. "No such file or directory"
  o 4.2. "Decrypt integrity check failed"
  o 4.3. "Cannot find/read stored master key"
  o 4.4. "Incorrect net address"
  o 4.5. "Initial Ticket response appears to be Version 4 error"
  o 4.6. "Message stream modified"
  o 4.7. "Illegal cross-realm ticket"
  o 4.8. "Couldn't authenticate to server: Bad sendauth version was sent"
  o 4.9. When I try using Kerberos ftp, it doesn't work, but it says, "No error".
  o 4.10. When I telnet from a Linux machine to a Solaris machine with Kerberos and hit Ctrl-C, the connection hangs.
* 5. Programming with Kerberos.
  o 5.1. How do I start programming with Kerberos?
  o 5.2. What is GSSAPI?
  o 5.3. What is SASL?
  o 5.4. Is there a reference for the Kerberos API?