Kerberos - Password Management

Password management

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.


Changing your password

To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:


shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:  <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:


shell% kpasswd
Password for david:  <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:


shell% kpasswd
Password for david:  <- Type the old password.
Enter new password:  <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.


Granting access to your account

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:


jennifer@<REALM-1>
david@<REALM-2>

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

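As an added illustration (not code from the MIT Kerberos project), the following Python models only the rule the guide describes for a .k5login file: one principal per line, and a login is permitted only when the authenticated principal matches a line exactly, realm included. The file contents, the realm names and the function names are constructed for this example.

```python
import re
from typing import NamedTuple

# Constructed model of the .k5login rule described in the guide; it is not
# krb5's own implementation and makes no claim about what krb5 does beyond
# "one principal per line, exact match".
PRINCIPAL_RE = re.compile(r"^[^@\s/]+(?:/[^@\s/]+)*@[A-Za-z0-9.\-]+$")


class K5Login(NamedTuple):
    allowed: frozenset   # well-formed principals found in the file
    rejected: tuple      # (line_no, text) pairs that are not full principals


def parse_k5login(text: str) -> K5Login:
    """Parse .k5login contents: one principal per line, no comment syntax."""
    allowed, rejected = set(), []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines grant nothing
        if PRINCIPAL_RE.match(line):
            allowed.add(line)
        else:
            rejected.append((no, raw))    # e.g. a bare name without @REALM
    return K5Login(frozenset(allowed), tuple(rejected))


def login_permitted(k5login: K5Login, authenticated_principal: str) -> bool:
    """Exact, case-sensitive match; 'david' in realm B is not 'david' in realm C."""
    return authenticated_principal in k5login.allowed


def lists_self(k5login: K5Login, own_principal: str) -> bool:
    """True if the account owner's own principal is listed, which the guide
    says you want on every host you log into across the network."""
    return own_principal in k5login.allowed


# Constructed sample file (placeholder realms, not real ones)
SAMPLE = """jennifer@REALM-A.EXAMPLE
david@REALM-B.EXAMPLE

david
"""

if __name__ == "__main__":
    k = parse_k5login(SAMPLE)
    print(sorted(k.allowed), k.rejected)
    print(login_permitted(k, "david@REALM-B.EXAMPLE"))   # True
    print(login_permitted(k, "david@REALM-C.EXAMPLE"))   # False: wrong realm
```

The bare `david` line ends up in `rejected` rather than silently matching any realm, which is the mistake this model is meant to surface.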

Using a .k5login file is much safer than giving out your password, because:

  • You can revoke the access at any time simply by removing the principal from your .k5login file.
  • Although the user has access to your account on that particular host (or on each host that carries the .k5login file), that user does not inherit your network privileges.
  • Kerberos keeps a log of who obtains tickets, so a system administrator can find out, if necessary, who was able to use your user ID at a particular time.

One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.

