Kerberos: Difference between revisions
Latest revision as of 22:42, 22 April 2022
Introduction to Kerberos
Kerberos is a network authentication system that reduces the risks of working over untrusted networks. It gives us a single, unified password space in which strong passwords can be managed centrally, and it authenticates you to services with short-lived tickets instead of your password, so your password is not sent across the network in cleartext.
Working with Kerberos
When you successfully log into any of our Kerberos authenticated systems, you are granted a set of credentials (tickets) which identify you to other network resources. Most users can take advantage of Kerberos without any detailed knowledge of the system.
The only significant complication for some users is that credentials expire after one week at UMIACS. In some environments, expired credentials make a session behave erratically, because network resources that require a valid ticket become unavailable while the shell itself keeps running. You can check the state of your credentials with klist (below) and obtain fresh ones with kinit.
Whenever possible, we strongly suggest that users log out of their environments nightly, so that each login starts with fresh credentials.
Listing your credentials
It is often useful to examine your current credentials. Using klist, you can verify that your login is correct:
 -bash-4.2$ klist
 Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
 Default principal: username@AD.UMIACS.UMD.EDU

 Valid starting     Expires            Service principal
 05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU
'Default principal' indicates the Kerberos identity of the current process. In this case, the principal 'username@AD.UMIACS.UMD.EDU' indicates that we are authenticated as the user 'username' to the realm 'AD.UMIACS.UMD.EDU'. The 'krbtgt/...' entry is your ticket-granting ticket; its 'Expires' column tells you how long the rest of your session can keep obtaining service tickets without re-authenticating.
If your credentials have not been set up correctly (or have expired and been discarded), klist will report:
 -bash-4.2$ klist
 klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)
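The two klist outputs above are exactly what a login script or shell prompt has to interpret when it wants to warn you before your credentials lapse. The following script is an added example, not code from the UMIACS page: it parses klist output in the format shown above (MIT Kerberos klist; the sample text is constructed here, not captured from a UMIACS host), extracts the principal and the TGT expiry, and classifies the cache as missing, expired, expiring soon or valid. The one-hour warning threshold and the function names are the example's own choices.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample output in the format shown on this page (not a real capture).
SAMPLE_OK = """Ticket cache: FILE:/tmp/krb5cc_2174_dcDWCg
Default principal: username@AD.UMIACS.UMD.EDU

Valid starting     Expires            Service principal
05/28/18 11:39:36  05/28/18 18:19:36  krbtgt/AD.UMIACS.UMD.EDU@AD.UMIACS.UMD.EDU
"""

# Constructed sample of the "no cache" case shown on this page.
SAMPLE_NONE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_2174_dcDWCg)\n"

# One ticket line: start, expiry, service principal. Accepts 2- or 4-digit years,
# since different klist builds print either.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_time(text):
    """Parse a klist timestamp (local time, no zone, as klist prints it)."""
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(output):
    """Return (user, realm, tgt_expiry) from klist output, or None if there is no cache
    or no krbtgt ticket in it."""
    if "No credentials cache" in output:
        return None
    principal = None
    tgt_expiry = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        # Only the ticket-granting ticket matters for "can I still get service tickets".
        if m and m.group(3).startswith("krbtgt/"):
            tgt_expiry = parse_time(m.group(2))
    if principal is None or tgt_expiry is None:
        return None
    user, _, realm = principal.rpartition("@")
    return user, realm, tgt_expiry


def check_credentials(output, now, warn_before=timedelta(hours=1)):
    """Classify klist output relative to 'now': 'none', 'expired', 'expiring' or 'ok'."""
    parsed = parse_klist(output)
    if parsed is None:
        return "none"
    _, _, expiry = parsed
    if expiry <= now:
        return "expired"
    if expiry - now <= warn_before:
        return "expiring"
    return "ok"


def run_klist():
    """Run the real klist and return its combined output (stderr carries the
    'No credentials cache' message). Raises FileNotFoundError if klist is absent."""
    proc = subprocess.run(["klist"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    try:
        output = run_klist()
    except FileNotFoundError:
        output = SAMPLE_OK  # no Kerberos client installed: demonstrate on the sample
    state = check_credentials(output, datetime.now())
    parsed = parse_klist(output)
    if parsed:
        user, realm, expiry = parsed
        print("%s@%s: TGT expires %s (%s)" % (user, realm, expiry, state))
    else:
        print("no Kerberos credentials (%s); run kinit" % state)
```

Dropping check_credentials into a prompt hook or a pre-job check is what turns the "environment behaves erratically" failure above into an explicit "run kinit" message before anything breaks. Note that klist prints local time without a zone, so the comparison must use a naive local datetime.now(), as the script does.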
Single Sign On Services
Kerberos authenticated IMAP and SMTP provide secure and convenient methods for reading and sending mail: the mail client authenticates with the ticket you already hold from login. Unlike traditional IMAP and SMTP authentication, your password is never sent over the network in cleartext and is not cached on the client, so a compromised mail client or a captured session does not expose the password itself.
Password Security
Kerberos security depends on the security of your password: anyone who learns it can obtain tickets as you. Although Kerberos makes secure access to services convenient, it is still your responsibility to protect your password. Please choose a strong password, never type it into a service that would send it in cleartext, and use secure protocols.