Kerberos Commands

This chapter explains the function and syntax of the Kerberos commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.

clear kerberos creds

To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode.

clear kerberos creds

Syntax Description

This command has no arguments or keywords.

kerberos clients mandatory

To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. Use the no form of this command to make Kerberos optional.

kerberos clients mandatory

no kerberos clients mandatory

Syntax Description

This command has no arguments or keywords.

kerberos credentials forward

To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. Use the no form of this command to turn off Kerberos credentials forwarding.

kerberos credentials forward

no kerberos credentials forward

Syntax Description

This command has no arguments or keywords.

kerberos instance map

To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. Use the no form of this command to remove a Kerberos instance map.

kerberos instance map instance privilege-level

no kerberos instance map instance

Syntax Description

instance

Name of a Kerberos instance.

privilege-level

The privilege level assigned to a user whose Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.

kerberos local-realm

To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. Use the no form of this command to remove the specified Kerberos realm from this router.

kerberos local-realm kerberos-realm

no kerberos local-realm

Syntax Description

kerberos-realm

The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters.

kerberos preauth

To specify a preauthentication method to use to communicate with the KDC, use the kerberos preauth command in global configuration mode. Use the no form of this command to disable Kerberos preauthentication.

kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]

no kerberos preauth

Syntax Description

encrypted-unix-timestamp

(Optional) Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.

encrypted-kerberos-timestamp

(Optional) Use the RFC 1510 Kerberos timestamp as a quick authentication method when communicating with the KDC.

none

(Optional) Do not use Kerberos preauthentication.

kerberos realm

To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. Use the no form of this command to remove a Kerberos realm map.

kerberos realm {dns-domain | host} kerberos-realm

no kerberos realm {dns-domain | host} kerberos-realm

Syntax Description

dns-domain

Name of a DNS domain or host.

host

Name of a DNS host.

kerberos-realm

Name of the Kerberos realm to which the specified domain or host belongs.

kerberos server

To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. Use the no form of this command to remove a Kerberos server for a specified Kerberos realm.

kerberos server kerberos-realm {hostname | ip-address} [port-number]

no kerberos server kerberos-realm {hostname | ip-address}

Syntax Description

kerberos-realm

Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.

hostname

Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).

ip-address

IP address of the host functioning as a Kerberos server for the specified Kerberos realm.

port-number

(Optional) Port on which the KDC/TGS listens (defaults to 88).

kerberos srvtab entry

To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. Use the no form of this command to remove a SRVTAB entry from the router's configuration.

kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab

no kerberos srvtab entry kerberos-principal principal-type

Syntax Description

kerberos-principal

A service on the router.

principal-type

Version of the Kerberos SRVTAB.

timestamp

Number representing the date and time the SRVTAB entry was created.

key-version number

Version of the encryption key format.

key-type

Type of encryption used.

key-length

Length, in bytes, of the encryption key.

encrypted-keytab

Secret key the router shares with the KDC. It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.

kerberos srvtab remote

To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote command in global configuration mode.

kerberos srvtab remote {boot_device:URL}

Syntax Description

URL

Machine with the Kerberos SRVTAB file.

ip-address

IP address of the machine with the Kerberos SRVTAB file.

filename

Name of the SRVTAB file.

key config-key

To define a private DES key for the router, use the key config-key command in global configuration mode. Use the no form of this command to delete a private DES key for the router.

key config-key 1 string

no key config-key 1 string

Syntax Description

1

Key number. This number is always 1.

string

Private DES key (can be up to 8 alphanumeric characters).

show kerberos creds

To display the contents of your credentials cache, use the show kerberos creds command in privileged EXEC mode.

show kerberos creds

Syntax Description

This command has no arguments or keywords.
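The following configuration is added here as an illustration of how the commands in this chapter combine on one router; it is not taken from the command reference. The realm EXAMPLE.COM, the addresses, the instance name admin, the DES key string and the TFTP URL are constructed placeholders, and the tftp:// form of the boot_device:URL argument is an assumption.

```cisco
! Added example configuration (not from the command reference). Realm,
! addresses, instance name, key string and URL are constructed placeholders.
!
! Define the private DES key first: the SRVTAB secret key is only
! encrypted with it when the configuration is written out, so set it
! before the SRVTAB is retrieved. Up to 8 alphanumeric characters.
key config-key 1 k3rb3r0s
!
! Realm the router belongs to; realm names must be uppercase.
kerberos local-realm EXAMPLE.COM
!
! KDC/TGS for the realm (placeholder address); port 88 is the default
! and is written explicitly here.
kerberos server EXAMPLE.COM 192.0.2.10 88
!
! Map a DNS domain and a specific host to the realm.
kerberos realm example.com EXAMPLE.COM
kerberos realm kdc.example.com EXAMPLE.COM
!
! Use RFC 1510 encrypted-timestamp preauthentication with the KDC.
kerberos preauth encrypted-kerberos-timestamp
!
! Principals carrying the constructed instance "admin" (for example
! jdoe/admin@EXAMPLE.COM) are placed at privilege level 15.
kerberos instance map admin 15
!
! Make rsh, rcp, rlogin and telnet fail instead of proceeding without
! Kerberos, and forward credentials after successful authentication.
kerberos clients mandatory
kerberos credentials forward
!
! Retrieve the SRVTAB (placeholder tftp:// URL, assumed form of
! boot_device:URL); the matching kerberos srvtab entry line is
! generated in the configuration automatically.
kerberos srvtab remote tftp://192.0.2.20/router1.srvtab
```

After the SRVTAB has been retrieved, clear kerberos creds and show kerberos creds in privileged EXEC mode let you reset and inspect the router's credentials cache.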


Posted: Wed Jul 26 16:23:58 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.