Table of Contents
Advertisement
• The newly-generated session key
The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of
the ticket-granting ticket and the default for the service. The client receives this ticket
and the session key, which are sent by the ticket-granting service, but this time the answer
is encrypted with the session key that came with the original ticket-granting ticket. The
client can decrypt the response without requiring the user's password when a new service
is contacted. Kerberos can thus acquire ticket after ticket for the client without bothering
the user more than once at login time.
45.2.5 Compatibility to Windows 2000
Windows 2000 contains a Microsoft implementation of Kerberos 5. Because SUSE
Linux Enterprise® uses the MIT implementation of Kerberos 5, find useful information
and guidance in the MIT documentation. See
(page 839).
45.3 Users' View of Kerberos
Ideally, a user's one and only contact with Kerberos happens during login at the work-
station. The login process includes obtaining a ticket-granting ticket. At logout, a user's
Kerberos tickets are automatically destroyed, which makes it difficult for anyone else
to impersonate this user. The automatic expiration of tickets can lead to a somewhat
awkward situation when a user's login session lasts longer than the maximum lifespan
given to the ticket-granting ticket (a reasonable setting is 10 hours). However, the user
can get a new ticket-granting ticket by running kinit. Enter the password again and
Kerberos obtains access to desired services without additional authentication. To get a
list of all the tickets silently acquired for you by Kerberos, run klist.
Here is a short list of some applications that use Kerberos authentication. These appli-
cations can be found under /usr/lib/mit/bin or /usr/lib/mit/sbin. They
all have the full functionality of their common UNIX and Linux brothers plus the addi-
tional bonus of transparent authentication managed by Kerberos:
• telnet, telnetd
• rlogin
838
Installation and Administration
Section 45.4, "For More Information"
Advertisement
Table of Contents
Troubleshooting
