How Kerberos Works


Now that the Kerberos terminology has been defined, the following is an overview of how the Kerberos authentication system works. Rather than authentication occurring between each client machine and each server, Kerberos uses symmetric encryption and a trusted third party — known as the Key Distribution Center or KDC — to authenticate users to a suite of services on a network. Once a user is authenticated, Kerberos stores a ticket specific to that session on the user’s machine, and any kerberized service looks for this ticket rather than asking the user to authenticate with a password.

When users on a kerberized network log in to their workstation, their principal is sent to the Key Distribution Center as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program so that it is transparent to the user or can be sent by the kinit program after the user logs in. The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user’s key and sends it back to the user.

The login program on the client machine or kinit decrypts the TGT using the user’s key (which it computes from the user’s password). The TGT is set to expire after a certain period of time and stored in the client machine’s credentials cache. The expiration time is set so a compromised TGT can be used for only a certain period of time (usually eight hours). This is safer than the traditional password model because the password is never passed over the network. Once the TGT is issued, users will not have to re-enter their passwords to the KDC until the TGT expires or they log out and log in again. When users need access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, which is then used to authenticate the user.

Warning

The Kerberos system can be compromised any time any user on the network authenticates against a non-kerberized service by sending a password in plaintext. Therefore, use of non-kerberized services should be discouraged. Such services include telnet and ftp. Use of other secure protocols, such as SSH or SSL-secured services, however, is acceptable.

This, of course, is a broad overview of how Kerberos authentication on a network would typically work. For a more in-depth look at Kerberos authentication, refer to the sources listed in the “Additional Resources” section of this chapter.

Note

Kerberos depends on certain network services working correctly. First, Kerberos requires approximate clock synchronization between the machines on the network, so a clock synchronization program such as ntpd should be set up for the network. Also, since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5 System Administrator’s Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-version-number (where version-number is the version installed on the system) for more information.
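To make the exchanges concrete, here is a small Python model of the flow described in the overview above and of the clock-skew check behind the Note. It is an added example, not code from the guide or from the MIT Kerberos distribution: the principal names (alice, imap/mail, ftp/files, realm EXAMPLE.COM), the ticket layout, the 5-minute skew tolerance and the one-hour service-ticket lifetime are this example’s own assumptions, and a toy HMAC/SHAKE construction stands in for the real Kerberos encryption types. What it shows is the three exchanges: the AS exchange, where only the principal name is sent and the reply can be opened only with the key derived from the user’s password; the TGS exchange, where the cached TGT plus a fresh authenticator buy a service ticket; and the presentation of that ticket to a service, which never sees the password. It also shows why the eight-hour lifetime and synchronized clocks matter: an expired TGT yields no new tickets, and an authenticator whose timestamp is outside the skew window is refused.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameters: the guide states only the eight-hour TGT lifetime and the need for
# clock sync; the 5-minute skew (MIT krb5's default) and 1-hour service ticket are mine.
TGT_LIFETIME, SVC_LIFETIME, MAX_SKEW = 8 * 3600, 3600, 300

def string2key(password, salt):
    """Long-term key from a password; PBKDF2 stands in for Kerberos string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def _xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def seal(key, obj):
    """Toy encrypt-then-MAC (nonce || ciphertext || tag); not a real Kerberos enctype."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

def verify(key, ticket, authenticator, now):
    """Open a ticket with its holder's key and check the client's fresh authenticator."""
    t = unseal(key, ticket)
    if now > t["exp"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator rejected (name mismatch or clock skew)")
    return t

class KDC:  # the principal database plus the AS (TGT-issuing) and TGS roles
    def __init__(self, realm):
        self.realm, self.tgs = realm, f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs: secrets.token_bytes(32)}  # krbtgt key never leaves the KDC

    def add_principal(self, name, password):
        key = self.db[f"{name}@{self.realm}"] = string2key(password, self.realm + name)
        return key  # a service host keeps its copy in a keytab

    def as_exchange(self, client, now):
        # Only the principal name arrives; without the user's key the reply is unusable.
        session, exp = secrets.token_hex(32), now + TGT_LIFETIME
        tgt = seal(self.db[self.tgs], {"client": client, "key": session, "exp": exp})
        return tgt, seal(self.db[client], {"key": session, "exp": exp})

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = verify(self.db[self.tgs], tgt, authenticator, now)
        svc_key, exp = secrets.token_hex(32), min(t["exp"], now + SVC_LIFETIME)
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_key, "exp": exp})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "exp": exp})

class Client:  # the login program/kinit plus the workstation's credentials cache
    def __init__(self, kdc, name):
        self.kdc, self.princ, self.salt = kdc, f"{name}@{kdc.realm}", kdc.realm + name
        self.ccache = {}  # service principal -> (ticket, session key)

    def kinit(self, password, now):
        tgt, enc = self.kdc.as_exchange(self.princ, now)
        part = unseal(string2key(password, self.salt), enc)  # wrong password -> ValueError
        self.ccache = {self.kdc.tgs: (tgt, part["key"])}

    def authenticator(self, key, now):
        return seal(bytes.fromhex(key), {"client": self.princ, "ts": now})

    def ticket_for(self, service, now):
        if service not in self.ccache:  # cached service tickets are reused
            tgt, key = self.ccache[self.kdc.tgs]
            ticket, enc = self.kdc.tgs_exchange(tgt, self.authenticator(key, now), service, now)
            self.ccache[service] = (ticket, unseal(bytes.fromhex(key), enc)["key"])
        return self.ccache[service]

def demo():
    """Constructed scenario: alice logs in and reaches imap; three misuses are then tried."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse")
    imap_key, _ = [kdc.add_principal(s, secrets.token_hex(16)) for s in ("imap/mail", "ftp/files")]
    alice, t0 = Client(kdc, "alice"), 1_000_000
    alice.kinit("correct horse", t0)
    ticket, key = alice.ticket_for(f"imap/mail@{kdc.realm}", t0 + 60)
    who = verify(imap_key, ticket, alice.authenticator(key, t0 + 60), t0 + 61)["client"]
    outcomes = {}
    for name, step in [
        ("wrong_password", lambda: alice.kinit("wrong password", t0)),
        ("stale_authenticator", lambda: verify(  # timestamp outside the skew window
            imap_key, ticket, alice.authenticator(key, t0 + 60), t0 + 60 + MAX_SKEW + 1)),
        ("expired_tgt", lambda: alice.ticket_for(f"ftp/files@{kdc.realm}", t0 + TGT_LIFETIME + 1)),
    ]:
        try:
            step()
            outcomes[name] = "accepted"
        except (ValueError, PermissionError):
            outcomes[name] = "refused"
    return who, outcomes
```

Calling demo() returns the principal the imap service authenticated ("alice@EXAMPLE.COM") and the outcome of each misuse, all of which are refused. The same skew check that rejects the stale authenticator also rejects an honest client whose clock has drifted by more than the tolerance, which is why the Note insists on running ntpd on every machine in the realm.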




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
