This chapter describes the function and displays the syntax for Kerberos commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To delete the contents of the credentials cache, use the clear kerberos creds EXEC command.
clear kerberos creds
To log in to a host that supports Telnet, rlogin, or LAT, use the connect EXEC command.
connect host [port] [keyword]
host | A host name or an IP address. |
port | (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host. |
keyword | (Optional) Connection option. |
To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory global configuration command. Use the no form of this command to disable this option.
kerberos clients mandatory
To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward global configuration command. Use the no form of this command to turn off Kerberos credentials forwarding.
kerberos credentials forward
To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map global configuration command. Use the no form of this command to remove a Kerberos instance map.
kerberos instance map instance privilege-level
instance | Name of a Kerberos instance. |
privilege-level | The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. |
To specify the Kerberos realm in which the router is located, use the kerberos local-realm global configuration command. Use the no form of this command to remove the specified Kerberos realm from this router.
kerberos local-realm kerberos-realm
kerberos-realm | The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters. |
To specify a preauthentication method to use to communicate with the KDC, use the kerberos preauth global configuration command. Use the no form of this command to disable Kerberos preauthentication.
kerberos preauth [encrypted-unix-timestamp | none]
encrypted-unix-timestamp | Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC. |
none | Do not use Kerberos preauthentication. |
To map a host name or Domain Naming System (DNS) domain to a Kerberos realm, use the kerberos realm global configuration command. Use the no form of this command to remove a Kerberos realm map.
kerberos realm {dns-domain | host} kerberos-realm
dns-domain | Name of a DNS domain or host. |
host | Name of a DNS host. |
kerberos-realm | Name of the Kerberos realm to which the specified domain or host belongs. |
To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server global configuration command. Use the no form of this command to remove a Kerberos server for a specified Kerberos realm.
kerberos server kerberos-realm {hostname | ip-address} [port-number]
kerberos-realm | Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters. |
hostname | Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry). |
ip-address | IP address of the host functioning as a Kerberos server for the specified Kerberos realm. |
port-number | (Optional) Port that the KDC/TGS monitors (defaults to 88). |
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote global configuration command (not kerberos srvtab entry). (The Kerberos SRVTAB entry is the router's locally stored SRVTAB.) Use the no form of this command to remove a SRVTAB entry from the router's configuration.
kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
kerberos-principal | A service on the router. |
principal-type | Version of the Kerberos SRVTAB. |
timestamp | Number representing the date and time the SRVTAB entry was created. |
key-version number | Version of the encryption key format. |
key-type | Type of encryption used. |
key-length | Length, in bytes, of the encryption key. |
encrypted-keytab | Secret key the router shares with the KDC. It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration. |
To retrieve a krb5 SRVTAB file from the specified host, use the kerberos srvtab remote global configuration command.
kerberos srvtab remote {hostname | ip-address} filename
hostname | Machine with the Kerberos SRVTAB file. |
ip-address | IP address of the machine with the Kerberos SRVTAB file. |
filename | Name of the SRVTAB file. |
To define a private DES key for the router, use the key config-key global configuration command. Use the no form of this command to delete a private DES key for the router.
key config-key 1 string
string | Private DES key (can be up to eight alphanumeric characters). |
To display the contents of your credentials cache, use the show kerberos creds EXEC command.
show kerberos creds
To log in to a host that supports Telnet, use the telnet EXEC command.
telnet host [port] [keyword]
host | A host name or an IP address. |
port | (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host. |
keyword | (Optional) Telnet connection option. |
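The commands above are listed individually; the following is an added example (not from the Cisco reference) showing how they combine into one router Kerberos client configuration. The realm EXAMPLE.COM, the host and address values, the instance name admin and the DES key string are constructed placeholders.

```cisco
! Added example, not from the Cisco reference: a complete Kerberos client
! configuration built from the commands in this chapter. Realm, host,
! address, instance and key values are constructed placeholders.
!
! The realm name must be uppercase; a lowercase name does not match.
kerberos local-realm EXAMPLE.COM
!
! Map the DNS domain and one host to the realm so principal lookups for
! hosts under example.com resolve to EXAMPLE.COM.
kerberos realm example.com EXAMPLE.COM
kerberos realm kdc1.example.com EXAMPLE.COM
!
! Location of the KDC/TGS; port 88 is the default and may be omitted.
kerberos server EXAMPLE.COM 192.0.2.10 88
!
! Encrypted-timestamp preauthentication: the KDC issues a ticket only to
! a client that already holds the user's key. "kerberos preauth none"
! lets anyone request and then guess at encrypted material offline.
kerberos preauth encrypted-unix-timestamp
!
! Make rsh, rcp, rlogin and telnet fail instead of falling back to a
! cleartext password when Kerberos cannot be negotiated with the server.
kerberos clients mandatory
!
! Forwarding the user's credentials to every host reached through the
! router widens exposure if a downstream host is compromised; keep it
! off unless an application actually requires it.
no kerberos credentials forward
!
! Instance-to-privilege mapping: user/admin@EXAMPLE.COM is placed at
! level 15; a plain user@EXAMPLE.COM stays at level 1 (normal EXEC).
kerberos instance map admin 15
!
! Private DES key used to encrypt the SRVTAB secret in the written
! configuration (at most eight alphanumeric characters).
key config-key 1 k3yst0re
!
! Retrieve the router's SRVTAB from the KDC host; IOS then generates the
! "kerberos srvtab entry ..." line itself, so that line is not typed.
kerberos srvtab remote 192.0.2.10 router1-srvtab
```

After entering the configuration, show kerberos creds on the router confirms that a ticket is obtained when a user authenticates, and write memory stores the SRVTAB entry encrypted under the config-key.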