Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 415

Catalyst 6000 series software configuration guide

Chapter 21
Configuring Switch Access Using AAA
Table 21-1 defines the terms used in Kerberos.

Table 21-1 Kerberos Terminology

Term | Definition
Kerberized | Applications and services that have been modified to support the Kerberos credential infrastructure.
Kerberos credential | General term referring to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the ticket of a user or service. If a network service decides to trust the Kerberos server that issued the ticket, the Kerberos credential can be used in place of retyping in a username and password. Credentials have a default life span of eight hours.
Kerberos identity | (See Kerberos principal.)
Kerberos principal | The Kerberos principal is who you are or what a service is according to the Kerberos server. (Also known as a Kerberos identity.)
Kerberos realm | A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.
Kerberos server | A daemon running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
Key distribution center (KDC) | A Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
Service credential | A credential for a network service. When issued from the KDC, this credential is encrypted with the password shared by the network service and the KDC and with the user's TGT.
SRVTAB | A password that a network service shares with the KDC. The network service authenticates an encrypted service credential by using the SRVTAB (also known as a KEYTAB) to decrypt it.
Ticket granting ticket (TGT) | A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.

In the Catalyst 6000 family switches, Telnet clients and servers through both the console and in-band management port can be Kerberized.

Note: Kerberos authentication does not work if TACACS+ is used as the authentication mechanism.

Note: If you are logged in to the console through a modem or a terminal server, you cannot use a Kerberized login procedure.

78-13315-02
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
Understanding How Authentication Works
21-5
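
The following toy model shows how the terms in Table 21-1 relate during a login: the KDC issues a TGT, exchanges it for a service credential, and the network service checks that credential with its SRVTAB key. It is an added illustration, not code from the Cisco guide and not real Kerberos cryptography. The names (KDC, seal, unseal, str2key, service_accept), the toy cipher, and the principals and passwords used with it are assumptions, and only the SRVTAB-key part of service credential encryption is modeled.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600  # default credential life span from Table 21-1, in seconds

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, nonce, data):  # toy keystream cipher standing in for real Kerberos encryption
    ks = b"".join(_mac(key, b"enc" + nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):  # encrypt and authenticate a credential under one shared key
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(fields).encode())
    return nonce + ct + _mac(key, b"tag" + nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag" + nonce + ct)):
        raise ValueError("credential was not issued under this key")
    return json.loads(_xor(key, nonce, ct))

def str2key(password):  # toy password-to-key step (assumption, not Kerberos string-to-key)
    return hashlib.sha256(password.encode()).digest()

class KDC:
    def __init__(self, realm):
        if realm != realm.upper():
            raise ValueError("Kerberos realms must be uppercase")
        self.realm, self.tgs_key, self.keys = realm, os.urandom(32), {}
    def register(self, principal, password):  # users and services register with the server
        self.keys[principal] = str2key(password)
    def issue_tgt(self, user, password, now):
        # Model simplification: real Kerberos never sends the password to the KDC.
        if not hmac.compare_digest(self.keys.get(user, b""), str2key(password)):
            raise ValueError("authentication failed")
        return seal(self.tgs_key, {"principal": f"{user}@{self.realm}", "exp": now + LIFETIME})
    def issue_service_credential(self, tgt, service, now):
        ticket = unseal(self.tgs_key, tgt)  # only the KDC can read its own TGTs
        if now >= ticket["exp"]:
            raise ValueError("TGT expired")
        fields = {"principal": ticket["principal"], "service": service, "exp": now + LIFETIME}
        return seal(self.keys[service], fields)  # sealed under the key the service shares

def service_accept(srvtab_key, credential, now):  # network service side
    fields = unseal(srvtab_key, credential)  # fails unless the SRVTAB key matches
    if now >= fields["exp"]:
        raise ValueError("service credential expired")
    return fields["principal"]
```

The service never sees the user's password: holding the SRVTAB key is what lets it trust a credential the KDC issued.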
