KerbNet includes software and documentation developed at the Massachusetts Institute of Technology, which includes this copyright information:
Copyright © 1995, 1997 by the Massachusetts Institute of Technology.
Export of software employing encryption from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
KerbNet includes software and documentation developed by OpenVision Technologies, Inc., which includes this copyright notice:
The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/server, lib/kadm, and portions of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all rights, title, and interest in the donated Source Code. With respect to OpenVision's copyrights in the donated Source Code, OpenVision also retains rights to derivative works of the Source Code whether created by OpenVision or a third party. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.
KerbNet includes software and documentation developed at the University of California at Berkeley, which includes this copyright notice:
Copyright © 1983 Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
This product includes software developed by the University of California, Berkeley and its contributors.
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions.
The KerbNet authentication system is an electronic security system that makes it easy for you to connect to other machines over the internet without giving other people a chance to steal your private information.
When you log into the KerbNet system, it issues you an electronic ticket that it can use to verify your identity. As you work on your computer, you may sometimes connect to other machines or applications over the internet. The KerbNet authentication system uses your ticket to make sure that no one else can listen on the network for your password or pretend to be you to another machine.
The KerbNet system handles your tickets for you automatically; it verifies your identity each time you connect to another machine, without your having to type your password again. This tutorial section shows you how to perform basic tasks using your KerbNet software.
To obtain Kerberos tickets:
A ticket icon appears in the KerbNet window.
The KerbNet authentication system has now verified your identity; you can start working as usual. Your Kerberos ticket is only valid for a certain amount of time, specified when you log in to the KerbNet system. If you are still working when the time runs out, you will need to get a new ticket. To do so, simply repeat the login procedure.
KTelnet is an application that allows you to log into a remote machine, with the communication protected by KerbNet security. In order to connect to remote machines using KTelnet for Windows, you must first obtain Kerberos tickets from the KerbNet system.
When you run KTelnet for Windows, the Open New Telnet Connection dialog appears.
The KTelnet window opens with your connection to the remote host. You can work as normal on the remote machine. When you log out of the remote session, the KTelnet window automatically closes.
To delete your Kerberos tickets:
Note that this deletes only the tickets stored on the local machine (the ones shown in the KerbNet window). You should make sure to destroy any tickets you have stored on remote machines when you finish using them. For information about how to destroy remote tickets, see the KerbNet Unix User's Guide or contact your System Administrator.
To change your KerbNet password:
The Change Password dialog appears.
The KerbNet system updates your password. Use the new password next time you get tickets.
It is a good idea to change your password regularly. Your KerbNet password may have an expiration date, to make sure you change passwords once in a while. If your KerbNet password expires, the next time you type your password in the Password box of the KerbNet window, a dialog will open, prompting you to change your password.
There may be rules governing your choice of password (for example, the password may need to be longer than a certain number of characters). If you choose a password that does not meet the password generation restrictions, your password will not change. Instead, a dialog will open, warning you that your password has not changed and explaining what was wrong with your choice of password. You can then choose a new password that follows the restrictions.
To copy text from your telnet window to the clipboard:
* Ctrl+Insert.
To paste text from the clipboard into your telnet window:
* Select Paste from the Edit menu, or use the keyboard shortcut Shift+Insert.
You can choose whether KTelnet interprets your backspace key as "backspace" or "delete" by selecting the appropriate choice from the Configure menu. On many UNIX hosts, the Delete key functions the same way as the Backspace key does in Windows. If your Backspace key exhibits incorrect behavior in your telnet window, such as displaying "^H" or "^?", try switching it to the other mode.
To change fonts, select Font... from the Configure menu. You can select the font, style (e.g., bold, italic), and size.
You should now know everything you need for day-to-day use of the KerbNet and KTelnet applications. The rest of this manual goes into more detail about how the KerbNet and KTelnet applications work, and describes their more complicated options.
The KerbNet authentication system is based on the Kerberos V5 system developed at MIT. The KerbNet system negotiates authenticated, and optionally encrypted, communications between two points anywhere on the internet, providing a layer of security separate from any firewalls or other security measures a local network may have.
Authentication is the process of verifying one's identity by presenting electronic credentials (tickets). Under the KerbNet system, an authenticatable entity (usually a user, although services can sometimes have tickets of their own) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting-ticket (TGT) for the authenticatable entity, encrypts it using the authenticatable entity's password as the key, and sends the encrypted TGT back. The authenticatable entity then uses its password to decrypt the TGT. If it successfully decrypts the TGT (by giving the correct password), it keeps the decrypted TGT. The TGT permits the authenticatable entity to obtain additional tickets, which give permission for specific services (applications that use Kerberos authentication). The authenticatable entity can prove its identity to remote machines and services by presenting them its tickets.
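The exchange described above, modelled end to end as an added example (not KerbNet's own code): a KDC that stores only password-derived keys, an initial reply encrypted under the user's key, and a client that learns whether the typed password was right by whether that reply decrypts. The key derivation and cipher are standard-library stand-ins for Kerberos' real encryption types, the message layout is simplified, and the realm, user name and password are constructed.

```python
import hashlib
import hmac
import json
import os
import time

KEY_LEN = 32  # stand-in key size in bytes, not a Kerberos encryption type

def string_to_key(password, realm, primary):
    # Stand-in for Kerberos string-to-key: derive the user's key from the
    # password, salted with realm and principal. The KDC stores this key;
    # the password itself never crosses the network.
    salt = (realm + primary).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=KEY_LEN)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    # Toy encrypt-then-MAC: XOR with an HMAC-SHA256 keystream, then tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    # None when the tag does not verify (wrong key): this is how the client
    # notices a wrong password, since the reply then does not decrypt.
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Key Distribution Center for one realm, loaded with constructed sample users."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.tgs_key = os.urandom(KEY_LEN)  # ticket-granting service key; never leaves the KDC
        self.user_keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}

    def as_exchange(self, primary, lifetime_s):
        """Handle the initial request for `primary`: return the reply encrypted under the user's key."""
        end = int(time.time()) + lifetime_s
        session_key = os.urandom(KEY_LEN).hex()
        # The TGT itself is encrypted under the TGS key: the client stores it but cannot read it.
        tgt = encrypt(self.tgs_key, json.dumps({"client": primary, "key": session_key, "end": end}).encode())
        reply = {"tgt": tgt.hex(), "session_key": session_key, "end": end}
        return encrypt(self.user_keys[primary], json.dumps(reply).encode())

def client_login(kdc, primary, password, lifetime_s=8 * 3600):
    """Client side: derive the key from the typed password and open the reply.
    Returns the credentials to cache (TGT, session key, expiry), or None if
    the password did not decrypt the reply."""
    blob = kdc.as_exchange(primary, lifetime_s)
    plaintext = decrypt(string_to_key(password, kdc.realm, primary), blob)
    return None if plaintext is None else json.loads(plaintext)
```

The credentials returned by `client_login` are what the KerbNet window would hold in its credentials cache; the TGT inside them is readable only by the KDC.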
The KerbNet authentication system is a single-sign-on-system, which means that you only have to type your password once per login session, and the KerbNet system takes care of the authentication and encryption each time you use an application that uses KerbNet authentication or is part of the KerbNet system.
A Kerberos ticket is an encrypted protocol message that provides authentication. It serves as a set of electronic credentials that identifies its owner. The KerbNet system stores Kerberos tickets in a credentials cache, which may be a file, or may exist only in memory.
Forwardable tickets can be forwarded to a remote host. When the KerbNet system forwards your ticket-granting-ticket, the system puts a copy of the TGT in a new credentials cache on the remote host. The KerbNet system can then use that copy to authenticate you when you open a new connection from the remote host. If your tickets are not forwardable, the system does not copy your TGT when you connect to a remote host. You have no tickets on the remote machine, and therefore you cannot open new connections from there without first going through the proper procedure to obtain tickets on the remote host. Forwarding your tickets allows you to open connections to other services and machines, taking advantage of KerbNet's single-sign-on capabilities by letting KerbNet handle the authentications.
Tickets are only valid for a certain amount of time, after which they expire. If your login session extends beyond the time limit, you will have to reauthenticate yourself to the KerbNet system.
The name associated with an authenticatable entity in the KerbNet database is called a Kerberos principal. The Kerberos principal usually contains three parts.
The first part is the primary, which is the name of the user or service.
The second part is the instance, which in the case of a user is usually nonexistent (null). However, some users may have additional principals with special privileges, denoted by instances such as `root' or `admin'. Such users would use these principals only when doing work that requires the privileges assigned to these principals. The principal joeuser@BLEEP.COM is completely separate from the principal joeuser/root@BLEEP.COM, although the same person uses both principals.
The third part of a Kerberos principal is the realm. The realm indicates which Kerberos installation provided authentication for the principal. The realm is usually the domain name in UPPER CASE letters; the machine trillium.bleep.com would be in the realm BLEEP.COM.
The main KerbNet window and the Change Password window both have a Realm box; a default realm is listed in this box, but if you are using an account in a different realm, you can type in the new realm's name.
In a Kerberos principal, the primary is separated from the instance by a slash (if the instance is not null), and the realm follows, preceded by an @ sign. If the realm is the same as the default realm, it may be omitted. By convention, the realm is written in UPPER CASE. The following are examples of valid Kerberos principals:
foo
bar/admin
baz@BLEEP.COM
quux/root@BLEEP.COM
When the principal refers to a service, rather than a user, the primary describes the type of service (such as "host" or "pop"). The instance is the name of the machine on which it runs; the host service running on the machine trillium.bleep.com would have the Kerberos principal `host/trillium.bleep.com@BLEEP.COM', whereas the host service running on the machine daffodil.fubar.org would have the instance `host/daffodil.fubar.org@FUBAR.ORG'.
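A parser for this naming scheme, added here as an example and not part of the KerbNet software. It accepts the four forms listed above, treats a missing realm as the default realm from the Realm box, and builds a service principal from a host name; the "domain name in UPPER CASE" rule for the realm is assumed from the guide, and a realm given explicitly is kept as typed rather than upper-cased, since realm names are case-sensitive.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]  # None for an ordinary user principal
    realm: str

    def __str__(self):
        # Always write the realm out, so joeuser@BLEEP.COM and
        # joeuser/root@BLEEP.COM are visibly distinct principals.
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"

def parse_principal(text, default_realm):
    """Parse 'primary[/instance][@REALM]'; a missing realm means default_realm.

    Raises ValueError for an empty primary, an empty instance after '/',
    an empty realm after '@', or more than one '@'."""
    name, at, realm = text.rpartition("@")
    if not at:  # no '@': rpartition put the whole string in `realm`
        name, realm = realm, default_realm
    primary, slash, instance = name.partition("/")
    if not primary or "@" in name or (slash and not instance) or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(primary, instance if slash else None, realm)

def realm_for_host(hostname):
    """Guide's convention, assumed here as a rule: the realm is the host's
    domain name in UPPER CASE. Real installations may map domains differently."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"no domain in host name {hostname!r}")
    return ".".join(labels[1:]).upper()

def service_principal(hostname, service="host"):
    """Principal of a service on a machine, e.g. host/trillium.bleep.com@BLEEP.COM."""
    return Principal(service, hostname.lower(), realm_for_host(hostname))
```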
When you log into the KerbNet system, you type your primary and instance (separated by a slash) in the Name box in the KerbNet window. Usually, this will mean typing just your username, as in the tutorial instructions.
The KerbNet window shows you all the tickets in your credentials cache on the machine you are directly logged onto: your initial ticket (the TGT), including any tickets you obtain to open connections to services like Telnet. Tickets you forward to a remote machine or obtain once logged onto a remote machine do not appear in the KerbNet window, since they are stored in a cache on the remote machine and not in the cache on the local machine.
Only tickets for the realm listed in the Realm text box appear in the KerbNet window; if you switch realms, the list shows any tickets you have in the new realm.
For each ticket, the ticket list shows:
* "Start Time": The time the ticket was created.
* "End Time": The time the ticket is due to expire.
* "Ticket": The service to which the ticket grants you access.
* The status of your tickets. An F appears in parentheses beside a ticket if that ticket is forwardable; an I appears in parentheses beside your initial ticket (the TGT).
Tickets that are due to expire in more than an hour appear as green ticket icons in the KerbNet window. When a ticket has an hour left before it expires, its icon changes to a clock whose green border changes progressively to red as the time left runs out. Tickets that have expired appear in the KerbNet window as clocks with red lines through them.
When you iconify the KerbNet window, it appears as a ticket or clock icon (depending on how much time is left before the tickets expire). Text beside the icon displays the amount of time left.
The KerbNet window itself also displays the amount of time left before the tickets expire, updating the time whenever the window is iconified and re-opened.
If your tickets expire, you can reauthenticate yourself by opening the KerbNet window and requesting a new ticket. Your login session and any remote connections you may have will continue even after your tickets have expired, since the KerbNet system authenticates only at the beginning of each connection. However, you will no longer be able to form any new connections or use applications that depend on the KerbNet system until you obtain new tickets.
When you attempt to obtain a new TGT, the system automatically deletes any existing tickets (valid or expired) and replaces them with the new one. The system does not replace tickets other than the TGT, but it will replace them automatically if you reconnect to the corresponding services. You must replace tickets on remote machines individually, from those machines. Consult the UNIX User's Guide or your System Administrator for information on renewing tickets on remote machines.
The tutorial at the beginning of this document showed you how to use basic KerbNet and KTelnet functions. This section explains further details of using the KerbNet and KTelnet applications.
Selecting Options from the File menu opens the Options dialog box. You can set the following options:
* how long you want your tickets to last before they expire. The maximum time tickets can last is set by the System Administrator. The maximum time may be different for different types of Kerberos principals. If you request more than the maximum amount of time, your tickets will be valid for the maximum time; otherwise, they will be valid for the requested amount of time.
* how the KerbNet system warns you when your tickets are about to expire. If you select Alert, the KerbNet window will pop up in the foreground when the tickets have 4 minutes left before they expire. If you select Beep, the computer will beep when 4 minutes are left. You may select either option, both, or none. If you choose neither option, the KerbNet system will not warn you when your tickets are about to expire.
* whether you want your tickets to be forwardable. By default, the "Forwardable" option is on; in most situations, you should make your tickets forwardable.
The Configuration File and Credential options are greyed out. If you need to change the location of the configuration file or the credentials cache, contact your System Administrator.
If you are having trouble getting your KerbNet software to work, make sure that the following conditions are all met:
* The file libkrb5.dll must be in the KerbNet folder, or in the folder in which the System Administrator installed it. If you cannot find libkrb5.dll, contact your System Administrator.
* Your Kerberos Configuration file must be in the location specified in the Options dialog under the File menu.
* The directory that you specify for the KerbNet system to put your Credential (ticket file) in must exist.
* The Time Zone variable, TZ, must reflect your time zone. If you set your clock without also setting the Time Zone variable, the KerbNet system cannot give you tickets. If you get the error message "Clock skew too great in KDC reply while logging in", check that the Time Zone variable is set correctly and that your clock is set to the right time. Contact your System Administrator for help with resetting variables.
If the Key Distribution Center (KDC) is unreachable (perhaps because of network problems), you will be unable to get tickets. If the admin server is unreachable, you will be unable to change your password.
* By default, KTelnet for Windows assumes you are using the standard telnet port, 23. If you want to connect to a port other than the standard telnet port, you can include the port number after the host name you type in the Open New Telnet Connection window. Separate the port number from the host name with a space.
* If you check the Forward Credentials checkbox, the KerbNet system forwards your Kerberos tickets to the remote host when you use KTelnet. If your original tickets are not forwardable, make sure that both the Forward Credentials and Forward Forwardable Credentials boxes in the Open New Telnet Connection window are unchecked. By default, the Forward Credentials option is selected.
* If you check the Forward Remote Credentials checkbox, the KerbNet system makes your forwarded tickets re-forwardable from the remote host. If you telnet from that host to a third host, the KerbNet system can then copy your tickets over to the third host. Note that in order to be able to forward Kerberos tickets, you must specify forwardable tickets when you obtain them. If you do not have forwardable tickets, bring up your KerbNet window, delete your current tickets, specify Forwardable in the Options dialog (under the File menu), and log in again.
If you have already opened a telnet connection and want to change the forwardability of your tickets, close the connection, get new tickets, and reopen the connection.
By default, the Forward Remote Credentials option is selected.
* Check the Enable Encryption checkbox if you want the KerbNet system to encrypt all communications you make to remote machines. Unless you are on a secure internal network and you are getting an especially slow response time in your Telnet window, you should use the encryption option.
* If you want to telnet using a user ID different from the one you used to get your KerbNet tickets (for example, if you are logging on as root, or if you are logging onto a system where you have a different username), type the new ID in the Userid box. If you leave the Userid box empty, the KerbNet system will try to log you into the new system using the userid for which your tickets were obtained (your KerbNet userid).
The typical format of a Kerberos principal is primary/instance@REALM.
telnet and rsh), "ftp" (FTP), "krbtgt" (authentication; cf. ticket-granting ticket), and "pop" (email).