“main” (Installation and Administration) 2004/6/25 13:29 page 662 #688
encrypted with the session key that came with the original ticket-granting ticket. The client can decrypt the response without requiring the user's password when a new service is contacted. Kerberos can thus acquire ticket after ticket for the client without bothering the user more than once at login time.
Compatibility with Windows 2000
Windows 2000 contains a Microsoft implementation of Kerberos 5. As SUSE LINUX makes use of the Heimdal implementation of Kerberos 5, useful information and guidance can be found in the Heimdal documentation. See Section 26.5.4 on the facing page.
26.5.3 Users’ View of Kerberos
Ideally, a user's one and only contact with Kerberos happens during login at the workstation. The login process includes obtaining a ticket-granting ticket. At logout, a user's Kerberos tickets are automatically destroyed, which prevents anyone else from using them to impersonate the user while the user is not logged in. The automatic destruction of tickets can lead to a somewhat awkward situation when a user's login session lasts longer than the maximum lifespan given to the ticket-granting ticket (a reasonable setting is ten hours). However, the user can get a new ticket-granting ticket by running kinit. After the password is entered again, Kerberos again grants access to the desired services without additional authentication. Those interested in a list of all the tickets silently acquired for them by Kerberos should run klist.
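The ticket-lifetime situation described above can be checked from a shell. The following script is an added example, not part of the SUSE manual or the Heimdal project: it reads a klist listing, finds the krbtgt entry and reports how long the ticket-granting ticket remains valid, so a long-running session can be told to run kinit before the ticket expires. It assumes GNU date (date -d) for parsing the timestamps and uses a constructed klist listing with a hypothetical realm EXAMPLE.COM.

```shell
#!/bin/sh
# Added example: report the remaining lifetime of the Kerberos ticket-granting
# ticket from klist output. Assumes GNU date (date -d); klist prints no year,
# so the timestamps are interpreted in the current year.

# Constructed sample of a Heimdal-style klist listing (hypothetical realm).
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: tux@EXAMPLE.COM

  Issued           Expires          Principal
Jun 25 09:00:00  Jun 25 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 25 09:05:00  Jun 25 19:00:00  host/server.example.com@EXAMPLE.COM'

# Print the Expires timestamp of the ticket-granting ticket (krbtgt/...).
# Reads klist output on stdin; fields 4-6 are the Expires column.
tgt_expiry() {
    awk '$7 ~ /^krbtgt\// { print $4, $5, $6; exit }'
}

# Seconds remaining on the TGT. $1 = current time as epoch seconds;
# klist output on stdin. Prints 0 when no TGT is present at all.
tgt_seconds_left() {
    now="$1"
    expiry=$(tgt_expiry)
    [ -n "$expiry" ] || { echo 0; return; }
    exp_epoch=$(date -d "$expiry" +%s)
    echo $((exp_epoch - now))
}

# Classify the TGT state: ok, warn (renew soon), or expired (run kinit).
# $1 = current time as epoch seconds; klist output on stdin.
tgt_status() {
    left=$(tgt_seconds_left "$1")
    if [ "$left" -le 0 ]; then
        echo "expired: run kinit to obtain a new ticket-granting ticket"
    elif [ "$left" -lt 1800 ]; then
        echo "warn: ticket-granting ticket expires in $((left / 60)) minutes"
    else
        echo "ok: ticket-granting ticket valid for $((left / 3600)) more hours"
    fi
}

# Check the constructed listing against the real clock; pipe real klist
# output instead of SAMPLE_KLIST to check an actual session.
printf '%s\n' "$SAMPLE_KLIST" | tgt_status "$(date +%s)"
```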
Here is a short list of some applications that use Kerberos authentication. These applications can be found under /usr/lib/heimdal/bin. They all have the full functionality of their common UNIX and Linux counterparts plus the additional bonus of transparent authentication managed by Kerberos:
telnet, telnetd
rlogin
rsh, rcp, rshd
popper, push
ftp, ftpd
su
662 26.5. Network Authentication — Kerberos