Red Hat Linux 7.0: The Official Red Hat Linux Reference Guide
Chapter 8. Using Kerberos 5 on Red Hat Linux
Like any other system, Kerberos has its own terminology. Before we talk about how it works, here is a list of terms that you'll need to be familiar with:
ciphertext — encrypted data
client — an entity on the network (a user, a host or an application) that can get a ticket from Kerberos
credential cache or ticket file — a file which contains the keys for encrypting communications between a user and various network services. Kerberos 5 provides a framework for using other cache types (such as shared memory), but files are better supported
key — a chunk of data, used when encrypting or decrypting data. Encrypted data can't be decrypted without the proper key or really good guessing
Key Distribution Center (KDC) — a machine that issues Kerberos tickets (sometimes called a Ticket Granting Server or TGS)
keytab — short for key table, a file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using kinit. The default keytab file is /etc/krb5.keytab, with kadmind the only known service that uses any other file (it uses /var/kerberos/krb5kdc/kadm5.keytab)
plaintext — unencrypted data
principal — a user or service that can authenticate using Kerberos. A principal's name is in the form "root[/instance]@REALM". For a typical user, the root is the same as their login ID. The instance is optional. If the principal has an instance, it is separated from the root with a forward slash ("/"). The empty string ("") is actually a valid instance (which differs from the default, NULL instance), but using it can be confusing. All principals in a realm have their own key, which is derived from their password (for users) or randomly set (for services)
realm — a network that uses Kerberos, composed of one or a few servers (also known as KDCs) and a (potentially very large) number of clients
service — a program or computer accessed over the network
ticket — a temporary set of electronic credentials that verify the identity of a client for a particular service
Ticket Granting Ticket (TGT) — a special ticket which allows the client to obtain additional tickets without applying for them from the KDC
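As an added example (not part of the guide), a small Python parser and formatter for the principal-name form described above. It keeps the default (NULL) instance distinct from an explicit empty-string instance, honours MIT-style backslash escapes for "/" and "@", falls back to a caller-supplied default realm when the "@REALM" part is absent, and rejects anything beyond root[/instance]@REALM; sample names such as alice@EXAMPLE.COM are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    root: str
    instance: Optional[str]  # None = default (NULL) instance; "" = explicit empty instance
    realm: str


def parse_principal(name: str, default_realm: Optional[str] = None) -> Principal:
    """Parse root[/instance]@REALM, honouring backslash escapes for '/', '@' and '\\'."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # escaped character: keep it literally
            cur.append(name[i + 1])
            i += 2
            continue
        if in_realm and ch == "@":
            raise ValueError(f"unescaped '@' inside realm: {name!r}")
        if not in_realm and ch in "/@":  # end of a name component
            comps.append("".join(cur))
            cur = []
            in_realm = ch == "@"
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm: Optional[str] = "".join(cur)
    else:  # no '@' at all: fall back to the caller's default realm
        comps.append("".join(cur))
        realm = default_realm
    if realm is None:
        raise ValueError(f"no realm in {name!r} and no default realm given")
    if len(comps) > 2:
        raise ValueError(f"only root[/instance] is handled here: {name!r}")
    if comps[0] == "":
        raise ValueError(f"empty root in {name!r}")
    return Principal(comps[0], comps[1] if len(comps) == 2 else None, realm)


def _escape(component: str) -> str:
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def format_principal(p: Principal) -> str:
    """Inverse of parse_principal: instance None gives root@REALM, "" gives root/@REALM."""
    head = _escape(p.root) if p.instance is None else f"{_escape(p.root)}/{_escape(p.instance)}"
    return f"{head}@{_escape(p.realm)}"
```

Note that "alice@EXAMPLE.COM" and "alice/@EXAMPLE.COM" parse to different principals, which is exactly the confusion the glossary warns about.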