Create the directory /usr/local/krb5 with permissions -rwxr-xr-x, move the Kerberos binary download file into it, and change to that directory:
mkdir /usr/local/krb5 chmod 755 /usr/local/krb5 mv krb5*.tar.gz /usr/local/krb5 cd /usr/local/krb5
Install the distribution file into the directory that you created:
% tar xvzpf krb5*.tar.gz
Now that the software is in place you should add it to your PATH and MANPATH environment variables. If you use tcsh or csh as your shell add the following lines to the end of the .cshrc in your home directory:
set path=(/usr/local/krb5/bin $path) setenv MANPATH "/usr/local/krb5/man:$MANPATH"
Your new path will be used the next time that you log into your workstation, or you can source your .cshrc file for an immediate change:
% source ~/.cshrc
NOTE: If you use sh, bash, ksh, or another shell the method to change your path may be different.
Now that Kerberos is installed you can connect to machines in the MALLORN.COM realm with a fully encrypted session.
To get your Kerberos ticket enter the command
where [login] is your Kerberos login name. For example,
% kinit bubba Password for bubba@MALLORN.COM:
If your Kerberos login is the same as the login name on your workstation you can just enter the command kinit without specifying a username. At the prompt enter your Kerberos password.
You can now use rsh to connect to a system in the MALLORN.COM Kerberos realm. For example,
% rsh -f -x -l bubba lorien.mallorn.com This rlogin session is using DES encryption for all data transmissions.
All traffic between your workstation and Mallorn is now encrypted for this rlogin session without ever having sent your password in cleartext mode.
You should change your password as soon as you've been able to establish reliable connectivity between your workstation and mallorn.com for the first time. To do this, run kpasswd:
% kpasswd kpasswd: Changing password for bubba@MALLORN.COM. Old password: New password: New password (again): Kerberos password changed.
The most common error seen after installation is
kinit: Clock skew too great in KDC reply while getting initial credentials
This happens because your system's clock deviates too much from the time on the authenticating KDC (you're allowed up to 5 minutes of clock skew). You will need to run some sort of clock service to keep your system synchronized with the world's atomic clock; running some sort of ntp time service is probably the best route. Always try to use a secondary time server instead of a primary for this. Visit
for a list.