Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.
To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:
shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:        <- Type the new password again.
Password changed.
shell%
If david typed the incorrect old password, he would get the following message:
shell% kpasswd
Password for david:    <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%
If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:
shell% kpasswd
Password for david:    <- Type the old password.
Enter new password:    <- Type the new password.
Enter it again:        <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%
Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.
If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:
jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM
This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.
Using a .k5login file is much safer than giving out your password, because:
One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This lets system administrators allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.
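Because every principal listed in a .k5login file can use the account (root's account, in the case above), the file is worth auditing. The following is an added example, not part of the original guide or of the Kerberos distribution: it checks the one-principal-per-line rule, lists who is granted access, and flags entries and permission bits for review. The function names, the simplified principal pattern, the review policy (other realms, write bits) and the sample names alice, bob and carol are assumptions of this example.

```python
import re
import stat

# A principal as written in the sample above: name[/instance]@REALM.
# Simplified pattern (assumption): no escaped characters in components.
PRINCIPAL_RE = re.compile(r"^[^\s@/]+(/[^\s@/]+)*@[^\s@/]+$")

def audit_k5login(text, local_realm):
    """Return (principals, findings) for the contents of a .k5login file."""
    principals, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if len(line.split()) > 1:  # each principal must be on its own line
            findings.append((lineno, "more than one token on the line"))
            continue
        if not PRINCIPAL_RE.match(line):
            findings.append((lineno, "not a name@REALM principal"))
            continue
        if line in principals:
            findings.append((lineno, "duplicate entry"))
            continue
        principals.append(line)
        realm = line.rsplit("@", 1)[1]
        if realm != local_realm:  # valid, but worth a second look
            findings.append((lineno, "principal from another realm: " + realm))
    return principals, findings

def mode_findings(st_mode):
    """Flag permission bits that let other accounts edit the access list."""
    findings = []
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

# Constructed sample: the page's two principals plus two broken lines.
SAMPLE = """jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM
alice@EXAMPLE.COM bob@EXAMPLE.COM
carol
"""

if __name__ == "__main__":
    granted, problems = audit_k5login(SAMPLE, "EXAMPLE.COM")
    print("principals with access:", granted)
    for lineno, msg in problems:
        print("line %d: %s" % (lineno, msg))
    print("mode 0o664:", mode_findings(0o100664))
```

To audit a real file, pass its contents to audit_k5login and the st_mode from os.stat to mode_findings.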