Now that the Kerberos terminology has been defined, the following is an overview of how the Kerberos authentication system works.
Rather than authentication occurring between each client machine and each server, Kerberos uses symmetric encryption and a trusted third party — known as the Key Distribution Center or KDC — to authenticate users on a network to a suite of services on a network. Once authenticated, Kerberos stores a ticket specific to that session on the user's machine and any kerberized service will look for this ticket rather than asking the user to authenticate using a password.
When a user on a kerberized network logs in to their workstation, their principal is sent to the Key Distribution Center as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program so that it is transparent to the user or can be sent by the kinit program after the user logs in.
The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user's key and sends it back to the user.
The login program on the client machine or kinit decrypts the TGT using the user's key (which it computes from the user's password). The TGT is set to expire after a certain period of time and stored in the client machine's credentials cache. The expiration time is set so a compromised TGT can only be used for a certain period of time (usually eight hours). This is safer than tradition password model because the password is never passed over the network. Once the TGT is issued, the user will not have to re-enter their password to the KDC until the TGT expires or they logout and login again.
When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, which is then used to authenticate the user.
Warning | |
---|---|
The Kerberos system can be compromised anytime any user on the network authenticates against a non-kerberized service by sending a password in plain text. Therefore use of non-kerberized services should be discouraged. Such services include telnet and ftp. Use of other secure protocols, such as SSH or SSL secured services, however, is acceptable. |
This, of course, is a broad overview of how Kerberos authentication on a network would typically work. For a more in-depth look at Kerberos authentication, refer to the Section called Additional Resources.
Note | |
---|---|
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. Therefore, a clock synchronization program should be set up for the network, such as ntpd. Also, since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-version-number, (where version-number is the version installed on the system) for more information. |