\section{{\em Kerberos}: Athena's Watchdog}

\indent {\em Kerberos;} also spelled {\em Cerberus. "n. The watch dog of
Hades, whose duty it was to guard the entrance--against whom or what
does not clearly appear;...is known to have had three heads..."}
\newline
-Ambrose Bierce, {\em The Enlarged Devil's Dictionary}

{\em Kerberos} is the system designed by MIT to provide security on the
Athena network. This document will not provide you with a complete
description of the mechanisms and the math used by {\em Kerberos}; it
will explain the necessity for {\em Kerberos}, and will quickly
summarize what {\em Kerberos} does. For more information, you can look
at the Kerberos section of the Athena Technical Plan, the PostScript
file {\em /mit/kerberos/doc/techplan/techplan.PS}.

\paragraph{Why {\em Kerberos} is needed.} {\em Kerberos} has two
purposes: security and authentication. On most computer systems, a
password is used to prove a user's identity; on a distributed network
system like Athena, this password must be transmitted over the network
from the workstation being used to any other machines containing files
or programs the user wants access to. Because this password is the one
secret piece of information that identifies a user, anyone knowing a
user's password can effectively {\em be} that user on Athena, reading
their files, sending mail as that user, etc. {\bf Please note that THE
ELECTRONIC COMMUNICATIONS PRIVACY ACT of 1988 does make this a Federal
crime} punishable by all kinds of nasty stuff you don't want to be
punished by.  No kidding.

It is therefore necessary to prevent anyone from intercepting or
eavesdropping on the transmitted password. In addition, it is necessary
to provide a means of {\em authenticating} users: any time a user
requests a {\em service,} such as mail, they must prove their identity.
This is done with {\em Kerberos}, and this is why you get your mail and
no one else's.

{\em A Few Handy Definitions - } We have now used two pieces of jargon in
one paragraph, and at this point you will probably want to learn the
meanings of a few terms that will be used in this section.

\begin{description}

\item[user:] A person using a computer system. A user, through her
workstation, may make a series of requests to several servers. This
user, we assume, would like to avoid retyping her password every time
she makes such a request.

\item[service:] Very simply, a service is a program or set of programs,
running on a computer which is accessible over the network. A user will
request a service from the workstation which she is using; the service
will want to be sure that it is really being used by that user.

\item[principal:] A principal is some entity which can prove its own
identity and verify the identity of other principals. Each {\bf user}
and each {\bf service} registered with {\em Kerberos} is a principal,
since {\em Kerberos} provides the authentication services required.

\item[ticket:] Once a user has proved her identity to {\em Kerberos} with her
password, {\em Kerberos} sends a block of encoded data, called a ticket,
to the user. It is this ticket that is used to prove a user's identity
to a service. Tickets are stored in the {\em /tmp/} directory and are
erased upon logout. Tickets will expire after 10 hours
by default, though they can be set to live longer than that.

\item[authenticator:] When a user tries to use a {\em service}, her
workstation sends a block of data called an {\em authenticator}, built
from the {\em Kerberos} ticket and containing a timestamp and the name
of the workstation, to that service. The service decodes it, verifies
that the user is who she says she is, and then lets that user, at that
workstation, use the service.

\end{description}

These are the basics of how {\em Kerberos} works -- for the most part,
you'll see none of it, which is a nice feature. For a longer and more
technical explanation, you can look in:

{\tt /mit/kerberos/doc/techplan}
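The ticket and authenticator exchange described above, as an added
simulation that is not part of this document or of the Athena software:
{\em Kerberos} seals a ticket for the service, the workstation seals a
fresh authenticator under the session key carried in that ticket, and the
service checks names, workstation address, timestamp freshness and the
10-hour lifetime before granting access. Sealing is done here with an HMAC
tag as a stand-in for the real protocol's encryption (it proves who built
the block but does not hide its contents), and the five-minute clock skew
tolerance is an assumed value.

```python
import hashlib
import hmac
import json

TICKET_LIFETIME = 10 * 3600  # the 10-hour default lifetime described above
CLOCK_SKEW = 5 * 60          # assumed tolerance for authenticator timestamps

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for encrypting `fields` under `key`: the JSON body plus an
    HMAC tag, so only a holder of `key` can produce or accept the block."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject any block that was not sealed with `key` (tampered or forged)."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("block was not sealed with this key")
    return json.loads(body)

def issue_ticket(service_key, user, workstation, session_key, now):
    """Kerberos builds the ticket for a service once the user has proved
    her identity; it names the user, her workstation and a session key."""
    return seal(service_key, {"user": user, "addr": workstation,
                              "skey": session_key.hex(),
                              "expires": now + TICKET_LIFETIME})

def build_authenticator(session_key, user, workstation, now):
    """The workstation builds a fresh authenticator for every request."""
    return seal(session_key, {"user": user, "addr": workstation, "ts": now})

def service_accepts(service_key, ticket, authenticator, client_addr, now):
    """The checks a service performs before letting the user in."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
    except ValueError:
        return False
    return (now < t["expires"]                       # ticket still alive
            and a["user"] == t["user"]               # same principal
            and a["addr"] == t["addr"] == client_addr  # same workstation
            and abs(now - a["ts"]) <= CLOCK_SKEW)    # fresh, not replayed
```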

Once you are registered with {\em Kerberos}, the login program obtains
tickets for you every time you log into a workstation.  You can also
manually obtain new tickets (which you usually do only if your old ones
have expired, 10 hours after you log in) by running the program {\tt
renew}.  You can also use {\tt kinit}, which prompts for a username,
requests an initial ticket from {\em Kerberos}, and then asks for your
password.  If you are not registered with {\em Kerberos}, it will print
{\tt Principal unknown (Kerberos)}. Unless you mistype your username,
this should not happen.  To correct this, or any other errors, contact a
Consultant or the Athena Accounts Administrator by using {\tt olc}.
