If is null, the cache file would be stored in the current directory that the program is running from. is the operating system's login username.

To start over, enter kdestroy to empty your ticket cache. The ticket will expire like an ordinary ticket in 24 hours, but you can renew multiple times before its expiration, until the final expiration date (Dec 12 in the example above). Make sure the directory that will contain the credentials cache has been created.

There are two basic types: one that authenticates you as an individual and one that authenticates HSI as a service. Specify a pre-authentication attribute and value to be interpreted by pre-authentication modules. Principals are quite flexible and usually are administered according to site-adopted conventions. Typical ticket lifetimes are 24 hours, and renewable tickets can be renewed for up to 7 days.

(In other words, don't add ".stanford.edu" unless you type the host with principal. If you aren't authenticated, and you invoke HSI, it will execute a kinit for you, and the KDC will prompt you for your Kerberos principal and password. If your local username is different than your SUNet ID, you will need to tell However, they still do DNS canonicalization which works around the rlogin and rsh bug mentioned above, so you may want t. To use HSI on some NCAR systems that are outside of the supercomputing environment, you will need to use Kerberos credentials as described here.

The "UCAR.EDU" reference is the Kerberos realm you are in.

run: It will tell you which system the load-balanced name is currently an alias for, and you can then connect directly to it. Note: Stanford used to provide wrappers called klogin and Once you have Kerberos tickets, you can use Kerberos to log on to other UNIX systems if you have a Kerberos-aware ssh client and server. kinit your SUNet ID: klist shows you all of your tickets and tells you when they will expire. DESCRIPTION: kinit obtains and caches an initial ticket-granting ticket for principal.

If it is not set by default on your system, create a file named

A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client’s realm. By default, on the Windows platform a cache file named \krb5cc_ will be generated. lifetime.

Execute hsi as follows, making sure to include -c and the text that you see after FILE: in the first line of the previous output. Requesting a renewable ticket can make it easier for you to make unattended transfers.

The authentication process for an end user is as follows: you identify yourself to the KDC with your principal and a password.

There are many possible reasons why you can't get a ticket. You can use klist to confirm that you have tickets and to see what tickets Kerberos has obtained while using other services.

Kerberos client libraries must be installed on your local machines; they allow you (or a service) to have client/server interactions with the KDC that authenticates you. Once you have the renewable ticket, you can put the renewal in a script and cron it.

These tickets will be issued to you by HSI-specific principals with names like: Note: The HSI service principals are named after FTP for historical reasons, but in the examples above the "ftp" refers to a service name (HSI). Many distributions enable this by default.

Requests a ticket with the lifetime This username could … (Note: Stanford historically made local modifications to This is a ticket granting ticket from the service principal named "krbtgt/[email protected]" and it means you have been authenticated and can use HSI. Two types of anonymous principals are supported. ~/.ssh/config and add: to that file.

Then hsi will be invoked, which will cause HSI to issue its own service ticket, and the ticket cache is listed again, to show both types of tickets. To do this, add the -f flag to the rlogin or rsh command.

Note the similarities and differences with UCAR's DNS domain, ucar.edu. For these examples, assume a user "someuser" with uid (scientist number) 1234. If the KRB5CCNAME environment variable is set, its value is used to locate the default cache.

Once you have authenticated with Kerberos, you can invoke hsi and it won't ask you for anything further during your HSI session.

Use cache_name as the Kerberos 5 credentials (ticket) cache location. Add a stanza like this to your The above will only use Kerberos to authenticate. If your local username is different than your SUNet ID, you will need to tell kinit your SUNet ID: To run a command on the remote system, use: Similarly, you can use rcp -x to copy files (rcp just uses rsh under the hood). We hope to fix this bug in rlogin and rsh at some point in the future. However, The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit. is the user identification number of the user logged into the system. This (Kerberos) service is implemented on a separate server, with a set of functions and so on, just like any other service such as DNS, or a Web server or a mail service.

aklog after running kinit to obtain an AFS token and store it in the right place.

Note that starting and expiration times are associated with your listed ticket. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. For fully anonymous Kerberos, configure pkinit on the KDC and configure pkinit_anchors in the client’s krb5.conf.

Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use. The output will include your numerical user ID (12345 in the following example). (GSSAPI is an authentication protocol that ssh uses to support Kerberos.)

That means that if you want to use a service on that remote system, such as AFS, you won't be able to. You will be authenticated if your principal and password are valid. Stanford is moving away from maintaining local modifications to Kerberos and towards using stock Kerberos programs. There are differences in how this is handled. Defaults, output, and some syntax can differ between Kerberos clients, so refer to the man pages on the machine you are using to confirm the details.

If your account is older, you may have to create it and make sure that it is world-readable.

If you are using Korn shell, use the following command. Using kdestroy will clean them out (and require you to re-authenticate with kinit, of course). HSI should now work as usual until you log out of the system.

A Kerberos domain is served by a Key Distribution Center (KDC), which is a server that maintains a database of users and Kerberized services and their passwords.

Examples of how they are used follow. Both users, like yourself, and Kerberized services, like HPSS and HSI, make use of Kerberos. If you trust that system to protect your identity, you can also forward your Kerberos identity to the remote system. Requests anonymous processing.

You should not enable this for all hosts, since unlike authentication, this forwards your secure Kerberos tickets to the remote system, which is not safe if that system is compromised.