Authentication
|
A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch
or a switch can authenticate to another switch.
|
Authorization
|
A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user
can perform.
|
Credential
|
A general term that refers to authentication tickets, such as TGTs1 and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust
the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password. Credentials have
a default life span of eight hours.
|
Instance
|
An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM). The Kerberos instance can be used to specify the authorization level for the user
if authentication is successful. The server of each network service might implement and enforce the authorization mappings
of Kerberos instances but is not required to do so.
Note
|
The Kerberos principal and instance names must be in all lowercase characters.
|
Note
|
The Kerberos realm name must be in all uppercase characters.
|
|
KDC2
|
Key distribution center that consists of a Kerberos server and database program that is running on a network host.
|
Kerberized
|
A term that describes applications and services that have been modified to support the Kerberos credential infrastructure.
|
Kerberos realm
|
A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is
trusted to verify the identity of a user or network service to another user or network service.
Note
|
The Kerberos realm name must be in all uppercase characters.
|
|
Kerberos server
|
A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network
services query the Kerberos server to authenticate to other network services.
|
KEYTAB3
|
A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates
an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is
referred to as SRVTAB4.
|
Principal
|
Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server.
Note
|
The Kerberos principal name must be in all lowercase characters.
|
|
Service credential
|
A credential for a network service. When issued from the KDC, this credential is encrypted with the password shared by the
network service and the KDC. The password is also shared with the user TGT.
|
SRVTAB
|
A password that a network service shares with the KDC. In Kerberos 5 or later Kerberos versions, SRVTAB is referred to as
KEYTAB.
|
TGT
|
Ticket granting ticket that is a credential that the KDC issues to authenticated users. When users receive a TGT, they can
authenticate to network services within the Kerberos realm represented by the KDC.
|