Administration
This page
Other pages
Account
Kerberos
Definition
An authentication system used to prove your identity to servers and systems.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocols invented and popularized by MIT have become fundamental building blocks of major desktop and server operating systems, core networking infrastructure, global file systems, global messaging systems, and much more.
The Kerberos protocol is currently at version 5. There was a Kerberos version 4 that is now obsolete, but you might still find documentation references to it.
Kerberos account
Among MIT IT service providers, there is a local usage of the term "Kerberos account" to mean a Moira or Athena user account. Other people familiar with Kerberos would probably interpret "Kerberos account" to mean the more narrow concept of "Kerberos principal database entry". This ambiguity can lead to confusion.
Kerberos instance
For historical reasons, the second component of a Kerberos principal name is often called an "instance", e.g., username/root is a "root instance": a more-secure Kerberos principal associated with the user principal named username. (This terminology comes from the obsolete Kerberos version 4, where a principal name had exactly three components: name, instance and realm.) A Kerberos principal name having only one component is sometimes called a "null instance", for the same historical reasons.
Kerberos principal
A Kerberos principal is a named entity participating (as a service, a user, or some other kind of client) in the Kerberos protocol. In typical usage, "Kerberos principal" is either short for "Kerberos principal name" or "Kerberos principal database entry".
Kerberos principal database entry
A Kerberos principal database entry (often shortened to "Kerberos principal") is an object in the Kerberos principal database that represents a Kerberos principal. This includes its name, cryptographic keys (which for users are usually password-derived), and a small amount of metadata.
Kerberos principal name
A Kerberos principal name or identifier (often shortened to "Kerberos principal") is the name of a Kerberos principal. This name can have multiple components (typically one or two) separated by forward slash characters, e.g., username, username/root, host/contents-vnder-pressvre.mit.edu. Some documentation considers a Kerberos principal name to include a realm name; this appears after the principal name and is separated from it by an at-sign, e.g., username@ATHENA.MIT.EDU is the principal named username in the ATHENA.MIT.EDU Kerberos realm. Most programs that print Kerberos principal names include the realm name of the principal in their output.
Kerberos version 4 used a dot character to separate its principal name and instance components. You might find this syntax in some old documentation (or in current use in AFS access control).
Kerberos realm
A Kerberos realm is a named collection of Kerberos principals under the same centralized administrative control, e.g., the ATHENA.MIT.EDU realm is the primary Kerberos realm at MIT.
