ryerson logo
Ryerson Computer Science
Home > Current Students > Services
Kerberos 5 is a authentication and privacy package that provides a means of protecting passwords and other user data from third-party sniffing on a network between two hosts. It does this using "tickets" to provide a secure authentication mechanism and strong encryption of network traffic. Kerberos provides replacements for many of the standard Unix network utilities (e.g. telnet, ftp, rlogin, rsh) as well a library to allow adding Kerberos security to arbitrary programs.
Department Of Computer Science Specific Information

The Department of Computer Science had implemented Kerberos authentication from the day it moved to Windows XP in the labs, in an effort to move towards single-sign-on. The password being used on the Windows Domain is a kerberos password and it is the same password to use on any of the Linux servers, mail, web, gdm, and ....
How is this beneficial? For a starter it maintains accounts and password integrity by maintaining a single copy of user's information. Single-Sign-On is the other benefit for choosing kerberos authentication; one password for Linux/Windows/Mail and so on. As a user you should be able to type in you password ONCE and access any other resources without being asked to enter the same password again.
Kerberos enforces a set of rules governing passwords by using a Policy. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database. All student's passwords are enforced by this policy and students must keep the following rules in mind while changing/choosing their password:

  1. Minimum of eight characters long.
  2. Minimum of three different classes
    • Lower-case letters
    • Upper-case letters
    • Digits,
    • Punctuations, and
    • All other characters (e.g.control characters).
  3. Maximum life of passwords, six month
  4. History, last ten passwords will be kept in history and can not be re-used.
Starting Kinit
The first thing you need to do is get a Kerberos ticket. You will do this with the kinit program. When you run kinit you will be prompted for your Kerberos password, which you may also know as your Windows password. Please note that some client utilities will get your initial credentials as part of the login process. Your Kerberos ticket is an encrypted piece of data that is used to authenticate you to other hosts and services over the network. It allows you to login to other hosts without having to type your password again. It serves as your authentication. Using it you can log into any number of hosts as many times as you like and you will never be prompted for a password.
Ticket Expiration
All Kerberos tickets have a built in expiration time after which they are no longer valid. This is to help prevent a ticket from being used by someone it's not intended to. It does this in two ways. First if a ticket inadvertently gets left somewhere it will expire on it's own, reducing the chances of someone coming along and finding a good ticket. Second, if someone does manage to get a hold of a good ticket, it's only good for so long before it becomes worthless to them.
At The Department of Computer Science all tickets expire after 24 hours. If you try to use an expired ticket you'll get errors of the sort "ticket has expired". What this means is that you'll have to run kinit again to renew your credentials.
Check Ticket
The klist program shows your Kerberos ticket and when it expires. man klist will show more detailed information on klist
Change Password
The kpasswd program will allow you to change your Kerberos password provided you know the old one. man kpasswd will show more detailed information on kpasswd
Kerberos & Apache
Apache has a module "Mod_auth_kerb" to provide kerberos authentication to the Apache web server. This module is beneficial to users of Computer Science facilities as it eliminates the process of creating and maintaining an htpasswd for those directories that need protections. It is used by adding "AuthType KerberosV5" in .htaccess file. As for the user restriction, it's entirely up to your discretion to allow a single user or a group of user to access the secure directory.

Example of .htaccess file content:
AuthName "Kerberos Login"
AuthType KerberosV5
require valid-user

The previous example will authenticate valid Computer Science users, using their kerberos password. If successful, access granted.
Windows Specific
Q) How to change kerberos password?
A) Login to any Windows machine, then press CTRL-ALT-DEL and select change password

Linux Specific
Q) How to change kerberos password?
A) If password is NOT expired login to any Linux server, through ssh or gdm, and from command line type kpasswd.
If password is expired login to any Linux server, through ssh or gdm, and you will be asked to change it.