Kerberos-密码管理

Password management （密码管理）

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.

你的密钥是Kerberos肯定你的身份的惟一方式。若是某一我的发现了你的密码，那么他能够假装成你——发送一个来自你的email，读取、编辑或者删除你的文件，或者以你的身份登入其它主机——并且，没有人会察觉出问题。因为这个缘由，选择一个好的密码是很是重要的，而且必定要妥善保管它。若是你须要将你的帐户的使用权给别人，你能够经过受权的方式。你应当毫不将本身的密码告知任何其余人，包括你的系统管理员，在任何缘由下都应该这样。你应当时不时地特别地修改你的密码，若是你察觉到他人可能已经悉知你的密码的时候。

Changing your password （修改密码）

To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:

为了修改你的Kerberos密码，你可使用kpasswd命令。它将会询问你旧的密码（这样能够阻止其余人在溜达到你的电脑前趁你不在的时候修改你的密码），而且会提示你两次输入新的密码。（你须要输入两次密码的缘由是为了肯定你已经正确输入了它）举个例子吧，用户david将会作下面这样的事情：

shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:  <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:

若是他敲错了旧的密码，他将会收到这样的消息：

shell% kpasswd
Password for david:  <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:

若是你一不当心，在从新输入新的密码时敲错了，kpasswd将会请你再试一次：

shell% kpasswd
Password for david:  <- Type the old password.
Enter new password:  <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.

一旦你修改了你的密码，它就会须要一些时间去让这个改变在系统中传播。这取决于你怎样设置你的系统，这个修改的传播时间也许是几分钟也许是一个小时，也许是更长的时间。若是你但愿在你修改了你的密码以后，立刻就能获取到新的Kerberos tickets，尝试使用新的密码来获取，若是新的密码并无生效，尝试用旧的密码再试一次。

Granting access to your account （受权访问你的帐户）

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:

若是你须要别人也能取得你的帐户的登陆权限，你能够在Kerberos找到实现的方式，并且不用将你的密码告诉他。建立一个叫.k5login的文件在你的home目录下。这个文件应当包含全部你但愿的能够访问你Kerberos帐户的全部人。每个负责人都必须占一行。下面是一个例子：

jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

这个文件将会容许jennifer 和 david 来使用你的user ID，假若他们已经得到了Kerberos tickets在他们各自的领域。若是你须要经过互联网登陆其它主机，你应该想要将你本身的Kerberos负责人包含进你的.k5login之中，在每一个其它主机上都应如此。

Using a .k5login file is much safer than giving out your password, because: 使用.k5login文件是一种比给出你的密码更加安全的方式，缘由以下：

• 你能够在任意时间经过将这些负责人移除出你的文件的方式收回他们的权力。
• 即便这些用户能够在一个特定的主机（或者一系列在各个拥有 .k5login文件的主机上）拥有访问你的帐户的权力。那个用户并无继承你的网络特权。
• Kerberos维持着一个都有谁得到了tickets的日志，因此，如有必要，系统管理员能够查出来在某一个特定的时间点下到底是谁有权力使用你的user ID进行活动。

One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.

一个一般的应用模式是：将.k5login放在root用户的home目录下，给出root权限给负责人列表中列出的机器。这容许系统管理员容许普通用户在本地成为root用户，或者以一个root用户的身份远端登陆，而不须要给出root的密码给另外一我的，也没有人在这个网络上敲入了root密码并在网络节点间传输。