Kerberos is a single sign-on environment, which means that you type your password only once when using network applications. Kerberos authentication and encryption is built into each of a suite of existing, familiar network applications. The Kerberos V5 applications are versions of existing UNIX network applications with Kerberos features added.
The administrator configures Kerberos to handle user passwords and tickets.
In Oracle Solaris, Kerberos is built into the login command.
If the administrator configures the PAM service for the applicable login services, users can obtain tickets automatically. For more information, see the pam_krb5(7) man page.
If the administrator configures the ssh command to forward copies of user tickets to the other hosts, then users do not have to explicitly ask for tickets to get access to those hosts.
For security reasons, the administrator might prevent ticket forwarding. For more information, see the discussion about agent forwarding in the ssh(1) man page.
Typically, Kerberos creates a ticket for you when you log in, so you need not do anything special to obtain a ticket.
User responsibilities for Kerberos tickets include the following:
Create a ticket if your ticket expires.
The kinit command prompts you for a password, then creates the ticket.
Create a ticket for a different principal.
When you use a different principal besides your default principal, you might need to create a ticket. For example, you might use the ssh -l command to log in to a host as another user.
Create a ticket for a new host when your tickets are not forwarded.
If the administrator configures the ssh command to forward copies of your tickets to the other hosts, then you do not have to explicitly ask for tickets to get access to those hosts. For security reasons, the administrator might prevent ticket forwarding. For more information, see the discussion about agent forwarding in the ssh(1) man page.
Not all tickets are alike. For example, one ticket might be forwardable, another ticket might be postdated, and a third ticket might be both forwardable and postdated. You can list the properties of your tickets with the klist -f command.
The kdestroy command destroys your credential cache, which destroys all your credentials and tickets. While this destruction is not usually necessary, running kdestroy reduces the chance of the credential cache being compromised during times that you are not logged in.
If you are going to be away from your system, you should either use the kdestroy command or lock the screen with a screen saver.
For more information, see the MIT Kerberos User Commands Documentation (http://web.mit.edu/kerberos/krb5-1.14/doc/user/user_commands/index.html).
In a Kerberos environment, you have two passwords: the regular Oracle Solaris UNIX password and a Kerberos password. You can make both passwords the same, or they can be different.
If PAM is properly configured, you can change your Kerberos password in two ways.
Use the passwd command. With the Kerberos service configured, the passwd command also automatically prompts for a new Kerberos password.
By using the passwd command, you can set both your UNIX and Kerberos passwords at the same time. You can also change only one password and leave the other password untouched.
Use the kpasswd command. kpasswd changes only Kerberos passwords. You must use passwd if you want to change your UNIX password.
A primary use for kpasswd is to change a password for a Kerberos principal that is not a valid UNIX user. For example, jdoe/admin is a Kerberos principal but not an actual UNIX user, so you must use kpasswd to change the password.
For more information, see the MIT Kerberos User Commands Documentation.
After you change your password, the password must propagate through the network. The size of the Kerberos network affects the time that is required for the propagation.