2.7 The User/Kerberos Interaction
Suppose that you walk up to a host intending to log in to it, and then
`rlogin' to the machine `laughter'. Here's what happens:
- You login to the workstation and use the `kinit' command to get a
ticket-granting ticket. This command prompts you for your Kerberos
password. (On systems running the Kerberos V5 `login' program,
this may be done as part of the login process, not requiring the user to
run a separate program.)
- The `kinit' command sends your request to the Kerberos master
server machine. The server software looks for your principal name's
entry in the Kerberos database.
- If this entry exists, the Kerberos server creates and returns a
ticket-granting ticket and the key which allows you to use it, encrypted
by your password. If `kinit' can decrypt the Kerberos reply using
the password you provide, it stores this ticket in a credentials cache
on your local machine for later use. The name of the credentials cache
can be specified in the `KRB5CCNAME' environment variable. If this
variable is not set, the name of the file will be
/tmp/krb5cc_<uid>, where <uid> is your UNIX user-id, represented
in decimal format.
- Now you use the `rlogin' client to access the machine
`laughter'.
    host% rlogin laughter
- The `rlogin' client checks your ticket file to see if you have a
ticket for the `host' service for `laughter'. You don't, so
`rlogin' uses the credential cache's ticket-granting ticket to make
a request to the master server's ticket-granting service.
- This ticket-granting service receives the request for a ticket for
`host/laughter.mit.edu', and looks in the master
database for an entry for `host/laughter.mit.edu'.
If the entry exists, the ticket-granting service issues you a ticket for
that service. That ticket is also cached in your credentials cache.
- The `rlogin' client now sends that ticket to the `laughter'
`klogind' service program. The service program checks the ticket
by using its own service key. If the ticket is valid, it now knows your
identity. If you are allowed to log in to `laughter' (because your
username matches one in /etc/passwd, or your Kerberos principal is in
the appropriate .k5login file), `klogind' will let you log in.
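The sequence above as an added toy model in Python (this is not code from the Kerberos distribution): `seal`/`unseal` is an HMAC-based stand-in for Kerberos encryption, the realm database, the principal `jennifer`, the key values and the `krbtgt/EXAMPLE` name for the ticket-granting service are all constructed for the example.

```python
import hashlib, hmac, os, secrets

def kdf(password: str) -> bytes:  # stand-in for string2key; a toy, not real Kerberos crypto
    return hashlib.sha256(b"string2key:" + password.encode()).digest()

def _xor(key: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, data: bytes) -> bytes:
    # Toy authenticated encryption (keystream XOR + HMAC tag) standing in for an encrypted ticket.
    ct = _xor(key, data)
    return hmac.new(key, ct, hashlib.sha256).digest() + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return _xor(key, ct)

class KDC:
    def __init__(self, db): self.db = db  # principal name -> long-term key (constructed realm)
    def as_exchange(self, client):
        # Steps 2-3: find the principal; TGT sealed under the TGS key, its session key under the user's key.
        sk = secrets.token_bytes(16)
        return seal(self.db["krbtgt/EXAMPLE"], sk + client.encode()), seal(self.db[client], sk)
    def tgs_exchange(self, tgt, service):
        # Steps 5-6: open the TGT, find the service entry, issue a ticket sealed under the service key.
        plain = unseal(self.db["krbtgt/EXAMPLE"], tgt)
        ssk = secrets.token_bytes(16)
        return seal(self.db[service], ssk + plain[16:]), seal(plain[:16], ssk)

def ccache_name(uid: int, env=os.environ) -> str:
    # Step 3: KRB5CCNAME overrides the default /tmp/krb5cc_<uid>.
    return env.get("KRB5CCNAME", "/tmp/krb5cc_%d" % uid)

def kinit(kdc, principal, password):
    # Steps 1-3: a wrong password cannot decrypt the reply (ValueError), so nothing gets cached.
    tgt, enc = kdc.as_exchange(principal)
    return {"tgt": tgt, "tgt_key": unseal(kdf(password), enc), "tickets": {}}

def rlogin(kdc, cache, service, klogind_key, k5login):
    # Steps 4-7: fetch a service ticket with the TGT if none is cached; klogind checks it with its own key.
    if service not in cache["tickets"]:
        ticket, enc = kdc.tgs_exchange(cache["tgt"], service)
        cache["tickets"][service] = (ticket, unseal(cache["tgt_key"], enc))
    client = unseal(klogind_key, cache["tickets"][service][0])[16:].decode()
    return client if client in k5login else None
```

A missing principal or service entry surfaces as a KeyError from the KDC, and a ticket presented to the wrong service key fails the tag check, which is the point of steps 3 and 7.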