This chapter describes the user functions needed to get a ticket-granting ticket for Kerberos applications and to maintain the ticket file.
The default ticket file for the user is SYS$LOGIN:KERBV4.TICKET. If you define the TCPWARE_KERBV4_TKFILE logical, you can have the ticket file located somewhere else.
Here is an example of how you can define this logical to locate the ticket file in a specific directory:
$ DEFINE/PROCESS TCPWARE_KERBV4_TKFILE SYS$DISK:[MYDIR]TICKET.TXT
The user interface with Kerberos comprises the following commands:
GET TGT | Gets the ticket-granting ticket (TGT) to authenticate yourself to Kerberos
REMOVE TICKETS | Removes the TGT and any service tickets you might have
SET KERBEROS_PASSWORD username | Changes your Kerberos password
SHOW TICKETS | Lists all tickets (TGT and service tickets) in the ticket file
You can access these commands using the Network Control Utility (NETCU) by entering either:
• $ NETCU
NETCU>command
• $ NETCU command
Uppercase command parameters are converted to lowercase unless you enclose them in quotes.
A description of each Kerberos user command follows.
For Kerberos users. Gets the ticket-granting ticket (TGT) that allows you to get application service tickets. This process authenticates you to the Kerberos Server, which is considered to be a trusted, secure machine. TGTs are required to obtain an application service ticket from the Kerberos Server.
The name of the ticket file is determined by the TCPWARE_KERBV4_TKFILE logical, usually set to SYS$LOGIN:KERBV4.TICKET.
You must enter your Kerberos password with this command.
Your OpenVMS login name is used for the Kerberos username unless the /USERNAME qualifier specifies otherwise.
GET TGT is equivalent to the UNIX command kinit.
GET TGT
Password: password
password
User's Kerberos password that authenticates the user to the Kerberos Server. Converted to lowercase unless you enclose it in double quotes.
/INSTANCE=instance
Usually omitted for a general Kerberos user; admin for an administrative user. (See your Kerberos administrator to determine your Kerberos instance name.) Converted to lowercase unless you enclose it in double quotes.
/LIFETIME=minutes
Lifetime of the TGT in minutes, from 5 to 1275. The default lifetime is 480 minutes (8 hours).
/REALM=realm
Optional Kerberos realm to use instead of the one determined by the value of the logical TCPWARE_KERBV4_REALM. Converted to lowercase unless you enclose it in double quotes.
/USERNAME=login-name
Alternate login name. Converted to lowercase unless you enclose it in double quotes.
NETCU GET TGT
Password:
Gets a ticket-granting ticket for the logged-in user. If the user logged in as SYSTEM, SYSTEM is used as the Kerberos username; if the user logged in as FRED, FRED is used as the Kerberos username.
For Kerberos users. Removes your ticket-granting ticket and application service tickets, if any.
See the SHOW TICKETS command to view the user's ticket-granting ticket and any application service tickets contained in the user's ticket file.
The name of the ticket file is determined by the value of the TCPWARE_KERBV4_TKFILE logical, usually set to SYS$LOGIN:KERBV4.TICKET.
REMOVE TICKETS is equivalent to the UNIX command kdestroy.
REMOVE TICKETS
/BELL
/NOBELL (default)
Specifies whether the terminal bell should sound when an error occurs when trying to remove tickets. The default is /NOBELL.
/STATUS (default)
/NOSTATUS
Specifies whether to display a message when removing tickets. The default is /STATUS.
NETCU REMOVE TICKETS
Removes the ticket-granting ticket and application service tickets, if any.
%TCPWARE_NETCU-W-NTKTTODES, no tickets to destroy
Meaning: The ticket file does not exist.
Action: Use the GET TGT command to create a ticket file entry.
%TCPWARE_NETCU-I-TKTDESTR, tickets destroyed
Meaning: The ticket was successfully removed.
%TCPWARE_NETCU-E-TKTNODES, tickets NOT destroyed
Meaning: Some error occurred while trying to delete the ticket file. Possible reasons are that the ticket file does not grant delete access, or you are not its actual owner.
For Kerberos users. Changes your Kerberos password.
Note! If you change your Kerberos password, your ticket-granting ticket (TGT) is deleted from your ticket file. You need to create a new TGT using the GET TGT command.
SET KERBEROS_PASSWORD is equivalent to the UNIX command kpasswd.
SET KERBEROS_PASSWORD [username [instance]]
Old password for username: old-password
New password for username: new-password
Verifying, please re-enter: new-password
username
Kerberos username for which to change the Kerberos password. If omitted, the OpenVMS username under which the user logged in is used. Converted to lowercase unless you enclose it in double quotes.
instance
Usually omitted for a general Kerberos user but can be the name of the machine from which you can obtain ticket-granting tickets and service tickets. Specify admin for an administrative user. (See your Kerberos administrator to determine your Kerberos instance.) Converted to lowercase unless you enclose it in double quotes.
old-password
new-password
Old and new user passwords. Converted to lowercase unless you enclose them in double quotes.
NETCU SET KERBEROS_PASSWORD PERSEPHONE
Old password for 'persephone':
New password for 'persephone':
Verifying, please re-enter:
Changes the Kerberos password for user persephone.
For Kerberos users. Displays your ticket-granting ticket (TGT) and any existing application service tickets.
The name of the ticket file is determined by the value of the TCPWARE_KERBV4_TKFILE logical, usually set to SYS$LOGIN:KERBV4.TICKET.
SHOW TICKETS is equivalent to the UNIX command klist.
See the GET TGT command for more information on getting ticket-granting tickets.
SHOW TICKETS
/BRIEF
/NOBRIEF (default)
/BRIEF lists only the acquired tickets and not the ticket files, principal names, issuance dates, or expiration dates.
/SRVTAB
Shows the contents of the TCPWARE:SRVTAB. file as a list of available Kerberos services. (See CREATE SRVTAB for more information on the TCPWARE:SRVTAB. file.)
/TGT_TEST
/NOTGT_TEST (default)
Checks whether the tickets are still valid and returns a success or failure exit status.
1. NETCU SHOW TICKETS
Ticket file: SYS$LOGIN:KERBV4.TICKET
Principal: fred@daisy.com
Issued Expires Principal
----------------------------------------------
Jun 1 10:11:12 Jun 1 18:11:12 krbtgt.daisy.com@daisy.com
Displays the name of the ticket file; ticket owner's principal name, issue and expiration dates; and service principal name of each ticket.
2. NETCU SHOW TICKETS /SRVTAB
Server key file: TCPWARE:SRVTAB.
Service Instance Realm Key Version
------------------------------------------------------------
changepw bart daisy.com 1
rcmd bart daisy.com 1
Lists the available Kerberos services on BART as listed in its TCPWARE:SRVTAB. file.
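The DCL command procedure below is an added example, not part of the TCPware documentation, that ties the commands in this chapter together for one interactive session: it points TCPWARE_KERBV4_TKFILE at a session-private ticket file, uses SHOW TICKETS /TGT_TEST to decide whether a GET TGT (and therefore a password prompt) is needed, checks the /LIFETIME value against the documented 5 to 1275 minute range, and removes all tickets on exit or Ctrl/Y so they do not outlive the session. The procedure name and the ticket file location SYS$SCRATCH:KERBV4_SESSION.TICKET are assumptions; the status tested after SHOW TICKETS is the success or failure exit status that /TGT_TEST is documented to return.

```dcl
$! KERB_SESSION.COM -- constructed example, not part of the TCPware documentation
$! Usage:  @KERB_SESSION [tgt-lifetime-in-minutes]
$ ON WARNING THEN GOTO CLEANUP
$ ON CONTROL_Y THEN GOTO CLEANUP
$!
$! Keep this session's tickets apart from the default SYS$LOGIN:KERBV4.TICKET.
$! The location below is an assumed example path.
$ DEFINE/PROCESS TCPWARE_KERBV4_TKFILE SYS$SCRATCH:KERBV4_SESSION.TICKET
$!
$! TGT lifetime: P1 if given, otherwise the documented default of 480 minutes.
$ LIFETIME = F$INTEGER(P1)
$ IF LIFETIME .EQ. 0 THEN LIFETIME = 480
$ IF LIFETIME .LT. 5 .OR. LIFETIME .GT. 1275
$ THEN
$   WRITE SYS$OUTPUT "Lifetime must be between 5 and 1275 minutes"
$   GOTO CLEANUP
$ ENDIF
$!
$! /TGT_TEST returns a success status only while a valid TGT is in the ticket
$! file, so the Kerberos password is requested only when a TGT is really needed.
$ SET NOON
$ NETCU SHOW TICKETS /TGT_TEST
$ TGT_OK = $STATUS
$ SET ON
$ IF .NOT. TGT_OK
$ THEN
$   WRITE SYS$OUTPUT "No valid TGT in ticket file; requesting one for ''LIFETIME' minutes"
$   NETCU GET TGT /LIFETIME='LIFETIME'
$ ENDIF
$!
$! Show what the session now holds (ticket file, principal, issue and expiry dates).
$ NETCU SHOW TICKETS
$!
$! ... run Kerberos-authenticated applications here ...
$!
$ CLEANUP:
$! Destroy the TGT and any service tickets so they do not outlive the session,
$! then drop the per-process logical. Errors here must not abort the cleanup.
$ SET NOON
$ NETCU REMOVE TICKETS /NOBELL
$ DEASSIGN/PROCESS TCPWARE_KERBV4_TKFILE
$ EXIT
```

Because the logical is defined with /PROCESS, the private ticket file is only seen by this process; other processes of the same user keep using SYS$LOGIN:KERBV4.TICKET. The SET NOON around SHOW TICKETS /TGT_TEST is what lets the procedure capture a failure status without the ON WARNING handler jumping to CLEANUP before GET TGT has had a chance to run.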