Kerberos - Password management

Password management

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you: send email that appears to come from you; read, edit or delete your files; or log into other hosts as you, and nobody will notice anything wrong. For this reason it is very important to choose a good password and to keep it safe. If you need to give someone else the use of your account, you can do so by granting access through Kerberos. You should never tell your password to anyone, including your system administrator, for any reason. You should change your password from time to time, and especially whenever you suspect that someone may have learned it.

Changing your password

To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:

To change your Kerberos password, use the kpasswd command. It will ask for your old password (this prevents someone from walking up to your computer while you are away and changing your password), and then prompt you twice for the new one. (You have to type it twice so that kpasswd can be sure you typed it correctly.) For example, user david would do the following:

shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:  <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:

If he typed the wrong old password, he would get the following message:

shell% kpasswd
Password for david:  <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:

If you slip and type the new password differently the second time, kpasswd will ask you to try again:

shell% kpasswd
Password for david:  <- Type the old password.
Enter new password:  <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.

Once you have changed your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this may take a few minutes, an hour, or even longer. If you need to obtain new Kerberos tickets right after changing your password, try the new password first; if the new password does not work yet, try again with the old one.

Granting access to your account

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:


If you need to let someone else log into your account, Kerberos provides a way to do it without telling that person your password. Create a file called .k5login in your home directory. This file should contain the Kerberos principal of every person you want to be able to access your account, one principal per line. Here is an example (the realm names are placeholders standing in for the users' actual realms):

jennifer@REALM1.EXAMPLE
david@REALM2.EXAMPLE

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

This file would allow jennifer and david to use your user ID, provided that they hold Kerberos tickets in their respective realms. If you will be logging into other hosts over the network, you will want to include your own Kerberos principal in the .k5login file on each of those hosts.

Using a .k5login file is much safer than giving out your password, because:

  • You can revoke their access at any time simply by removing their principals from the file.
  • Although those users can access your account on a particular host (or on each of the hosts that carry the .k5login file), they do not inherit your network privileges.
  • Kerberos keeps a log of who obtains tickets, so if necessary the system administrator can find out who was entitled to act under your user ID at a given point in time.
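As an added example (not part of the original article or of MIT Kerberos itself), the following Python models the access rule the section describes: one principal per line, an exact match grants access, and revocation is simply deleting the line. The principal syntax check and the sample file contents are constructed assumptions for this example.

```python
"""Offline model of how a .k5login access list is evaluated.

Added example, not MIT Kerberos code: it mirrors the rule described in the
text (one principal per line, exact match grants access) so that the effect
of editing the file can be reasoned about without a KDC.
"""
import re

# Assumed principal syntax: primary[/instance]@REALM, with no whitespace.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@\s]+)?@[A-Za-z0-9.\-]+$")

# Constructed sample .k5login contents (placeholder realms, blank trailing line).
SAMPLE_K5LOGIN = "jennifer@REALM1.EXAMPLE\ndavid@REALM2.EXAMPLE\n\n"


def parse_k5login(text):
    """Return (principals, bad_lines) for the contents of a .k5login file.

    Blank lines are ignored. Any line that does not look like a principal is
    reported instead of being silently accepted, so a stray or garbled entry
    cannot widen access unnoticed.
    """
    principals, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if PRINCIPAL_RE.match(line):
            principals.append(line)
        else:
            bad_lines.append((lineno, raw))
    return principals, bad_lines


def is_authorized(principal, text):
    """Exact, case-sensitive comparison: realm names are case-sensitive in
    Kerberos, so david@realm2.example does not match david@REALM2.EXAMPLE."""
    principals, _ = parse_k5login(text)
    return principal in principals


def revoke(principal, text):
    """Revoke access by dropping the matching line (first bullet above)."""
    kept = [line for line in text.splitlines() if line.strip() != principal]
    return "\n".join(kept) + "\n"
```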

One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.

A common application is to put a .k5login file in root's home directory, granting root access on that machine to the Kerberos principals listed in it. This lets system administrators allow ordinary users to become root locally, or to log in remotely as root, without having to give anyone the root password, and without anyone typing the root password over the network.


Reposted from my.oschina.net/hengbao666/blog/1633539