AAA Client Configuration Documentation

AAA Client Configuration Documentation - Spring 2001

Glossary of Terms:

3-headed dog whistle
A proxy service, written at Penn, which allows you to use Kerberos credentials to receive email via a POP or IMAP server (used as a workaround when the email program you are using does not understand Kerberos).

AAA
Authentication, Authorization and Accounting; the University of Pennsylvania's initiative to eliminate the passing of clear text passwords across PennNet to be completed by September 1, 2002. This initiative will employ a variety of client to server authentication methods including Kerberos.

Authentication

Clear Text Passwords

Client
A Personal computer connecting to one or more hosts on PennNet.

Credentials

Domain Name Service (DNS)

Encryption

FTP

Host
Any computer which can be reached via PennNet.

Internet Message Access Protocol (IMAP)
a method of accessing electronic mail or bulletin board messages that are kept on a mail server. In other words, it permits a "client" email program to access remote messages as if they were local. For example, email stored on an IMAP server can be manipulated from a desktop computer at home, a workstation at the office, and a notebook computer while traveling, without the need to transfer messages or files back and forth between these computers.

Instance
The second part of a Kerberos principal. Techncially, it gives information which qualifies the primary. If the primary refers to a user, the instance is often left blank (and describes the user's credentials if not omitted). If the primary refers to a host, the instance is its complete hostname (such as "dolphin.upenn.edu").

Kerberos
In Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.

Kerberos Server - Ticket Dispenser

Key Distribution Center (KDC)
A machine that issues Kerberos tickets.

Leash

MIT Kerberos V 5
(Pennified version)

Network Time Protocol (NTP)

PennNet
The University of Pennsylvania's Network; Penn's Networking Infrastructure.

PennNet ID

POP

Port Forwarding

Primary
The first part of a Kerberos principal. The identification of who (or what) owns the specified set of Kerberos credentials. Users, services, and hosts all have Kerberos credentials; the primary may be a username, the name of a service, or the name of a host.

Principal
Identifies an entity to which Kerberos credentials can be assigned. It is usually made up of a primary, an instance, and a realm. A principal is generally of the format primary/instance@REALM. Some sample principals are jorj@UPENN.EDU, jorj/admin@UPENN.EDU and host/ntp-server-1.upenn.edu@UPENN.EDU.

Proxy

Realm
the name (in all uppercase) of the logical network served by a single Kerberos database and a number of Key Distribution Centers. Kerberos domains are often similar to DNS domains (such as the Kerberos realm "UPENN.EDU" and the DNS domain "upenn.edu"), but they are not technically related to eachother.

Server

Single Sign On

SSH

Telnet

Ticket
A set of Kerberos credentials.

Ticket Granting Service

Ticket Manager

tn3270

Transport Layer Security (TLS)

AAA Client Documentation Home Page

Comments and Questions
Certifying authority: Vice Provost, ISC
URL: http://www.upenn.edu/computing/group/aaa/2001/client/deliver/glossary.html
Last modified: 11 April 2001

3-headed dog whistle		A proxy service, written at Penn, which allows you to use Kerberos credentials to receive email via a POP or IMAP server (used as a workaround when the email program you are using does not understand Kerberos).

AAA		Authentication, Authorization and Accounting; the University of Pennsylvania's initiative to eliminate the passing of clear text passwords across PennNet to be completed by September 1, 2002. This initiative will employ a variety of client to server authentication methods including Kerberos.

Authentication

Clear Text Passwords

Client		A Personal computer connecting to one or more hosts on PennNet.

Credentials

Domain Name Service (DNS)

Encryption

FTP

Host		Any computer which can be reached via PennNet.

Internet Message Access Protocol (IMAP)		a method of accessing electronic mail or bulletin board messages that are kept on a mail server. In other words, it permits a "client" email program to access remote messages as if they were local. For example, email stored on an IMAP server can be manipulated from a desktop computer at home, a workstation at the office, and a notebook computer while traveling, without the need to transfer messages or files back and forth between these computers.

Instance		The second part of a Kerberos principal. Techncially, it gives information which qualifies the primary. If the primary refers to a user, the instance is often left blank (and describes the user's credentials if not omitted). If the primary refers to a host, the instance is its complete hostname (such as "dolphin.upenn.edu").

Kerberos		In Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.

Kerberos Server - Ticket Dispenser

Key Distribution Center (KDC)		A machine that issues Kerberos tickets.

Leash

MIT Kerberos V 5 (Pennified version)

Network Time Protocol (NTP)

PennNet		The University of Pennsylvania's Network; Penn's Networking Infrastructure.

PennNet ID

POP

Port Forwarding

Primary		The first part of a Kerberos principal. The identification of who (or what) owns the specified set of Kerberos credentials. Users, services, and hosts all have Kerberos credentials; the primary may be a username, the name of a service, or the name of a host.

Principal		Identifies an entity to which Kerberos credentials can be assigned. It is usually made up of a primary, an instance, and a realm. A principal is generally of the format primary/instance@REALM. Some sample principals are jorj@UPENN.EDU, jorj/admin@UPENN.EDU and host/ntp-server-1.upenn.edu@UPENN.EDU.

Proxy

Realm		the name (in all uppercase) of the logical network served by a single Kerberos database and a number of Key Distribution Centers. Kerberos domains are often similar to DNS domains (such as the Kerberos realm "UPENN.EDU" and the DNS domain "upenn.edu"), but they are not technically related to eachother.

Server

Single Sign On

SSH

Telnet

Ticket		A set of Kerberos credentials.

Ticket Granting Service

Ticket Manager

tn3270

Transport Layer Security (TLS)