HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 1 Introduction to Kerberos

Kerberos Terminology

  Table of Contents



The following are commonly used Kerberos terms and their definitions.

Key Distribution Center (KDC)

The Ticket-Granting Service (TGS) and the Authentication Server are usually collectively known as the Key Distribution Center.

Principal Name

A principal is a unique identity to which Kerberos can assign tickets. It is analogous to an OpenVMS user. The Kerberos database, which performs a function similar to the UAF file on OpenVMS, stores information about principals.

By convention, a principal name is divided into three parts:

  • A primary - For a user, a user name. For a system, the word host.

  • The instance - An optional string that qualifies the primary.

  • The realm - Generally, the DNS domain name in uppercase letters.


The administrative domain that encompasses Kerberos clients and servers is called a realm. Each Kerberos realm has at least one Kerberos server, zero or more Kerberos slave servers, and any number of clients. The master Kerberos database for that site or administrative domain is stored on the Kerberos server. Slave servers have read-only copies of the database that are periodically propagated from the master server.

Secret vs. Private

Secret and private are often used interchangeably. In this manual, it takes two (or more) to share a secret, therefore a shared DES key is a secret key. A key is private only when no one but its owner knows it. Therefore, in public key cryptosystems, one has a public and a private key.


Kerberos tickets, also known as credentials, are a set of electronic information used to verify your identity. Kerberos tickets can be stored in a file, or they may exist only in memory.

The first ticket you obtain is a generic Ticket-Granting Ticket (TGT), which is granted upon your initial login to the Kerberos realm. The TGT allows you to obtain additional tickets that give you permission for specific services.