The following are commonly used Kerberos terms and their definitions.
Key Distribution Center (KDC)
The Ticket-Granting Service (TGS) and the Authentication Server
are usually collectively known as the Key Distribution Center.
A principal is a unique identity to which Kerberos can assign
tickets. It is analogous to an OpenVMS user. The Kerberos database,
which performs a function similar to the UAF file on OpenVMS, stores
information about principals.
By convention, a principal name is divided into three parts:
A primary - For
a user, a user name. For a system, the word host.
The instance - An
optional string that qualifies the primary.
The realm - Generally,
the DNS domain name in uppercase letters.
The administrative domain that encompasses Kerberos clients
and servers is called a realm. Each Kerberos realm has at least
one Kerberos server, zero or more Kerberos slave servers, and any
number of clients. The master Kerberos database for that site or
administrative domain is stored on the Kerberos server. Slave servers
have read-only copies of the database that are periodically propagated
from the master server.
Secret vs. Private
Secret and private are often used interchangeably. In this
manual, it takes two (or more) to share a secret, therefore a shared
DES key is a secret key. A key is private only when no one but its
owner knows it. Therefore, in public key cryptosystems, one has
a public and a private key.
Kerberos tickets, also known as credentials, are a set of
electronic information used to verify your identity. Kerberos tickets
can be stored in a file, or they may exist only in memory.
The first ticket you obtain is a generic Ticket-Granting Ticket
(TGT), which is granted upon your initial login to the Kerberos
realm. The TGT allows you to obtain additional tickets that give
you permission for specific services.