kerberos

Kerberos commands: kinit, klist, kdestroy, kpasswd

Kerberos is a network authentication protocol. Clients receive a time-limited Ticket-Granting Ticket (TGT) from a Key Distribution Center (KDC) after presenting credentials, then exchange the TGT for service tickets to access individual network services. All authentication exchanges are encrypted, and the user's password never traverses the network after the initial kinit.The user-facing CLI is built around four small commands: kinit (request a TGT), klist (inspect the credential cache), kdestroy (clear cached tickets), and kpasswd (change the password held by the KDC). Service tickets are obtained transparently by Kerberos-aware applications (SSH, NFSv4, HTTP via SPNEGO, LDAP, SMB).

kinit PRINCIPAL

Get Kerberos ticket.

List cached tickets.

Destroy tickets.

Change Kerberos password.

Get forwardable ticket.

Renew existing ticket.

Ticket lifetime.

/etc/krb5.conf

Client configuration: realms, KDC addresses, default principal, forwardable flag, encryption types.

Service-side keytab containing long-term keys for daemon principals.

Path or backend for the credentials cache (e.g. FILE:/tmp/krb5cc_$UID, KEYRING:persistent:$UID, KCM:).

Clocks between client, KDC, and target service must agree to within a few minutes (default skew: 5 minutes). DNS forward and reverse records must match the principal name; broken reverse DNS is the most common cause of `KRBAPERRBADINTEGRITY` and `Server not found in Kerberos database` errors.

Kerberos was developed at MIT as part of Project Athena in the late 1980s. Kerberos v5 (RFC 4120) is the current standard; v4 is obsolete and removed from modern Linux distributions. The two interoperable implementations in widespread use are MIT Kerberos and Heimdal.

kinit(1), smbclient(1), ldapsearch(1)