Chapter 10. Kerberos
ticket
A temporary set of electronic credentials that verify the identity of a client for a particular service.
Ticket Granting Service (TGS)
A server that issues tickets for a desired service, which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.
Ticket Granting Ticket (TGT)
A special ticket, obtained from the KDC at login, that allows the client to obtain service tickets from the TGS without presenting the user's password again.
10.4. How Kerberos Works
Now that the Kerberos terminology has been defined, the following is an overview of how the Kerberos
authentication system works.
Rather than authentication occurring between each client machine and each server, Kerberos uses symmetric encryption and a trusted third party, known as the Key Distribution Center or KDC, to authenticate users on a network to a suite of services on that network. Once a user is authenticated, Kerberos stores a ticket specific to that session in a credentials cache on the user's machine, and any kerberized service will look for a ticket rather than asking the user to authenticate with a password.
When a user on a kerberized network logs in to their workstation, their principal is sent to the Key Distribution Center as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program so that it is transparent to the user, or it can be sent by the kinit program after the user logs in.
The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT and a fresh session key. The TGT itself is encrypted with the KDC's own key, so the client can neither read nor alter it; the session key is encrypted with the user's key, and both are sent back to the user.
The login program on the client machine or kinit decrypts the session key using the user's key (which it computes from the user's password). A wrong password yields a key that fails to decrypt the reply, so identity is proven without the password itself ever being sent. The TGT is set to expire after a certain period of time and is stored, together with its session key, in the client machine's credentials cache. The expiration time is set so a compromised TGT can only be used for a certain period of time (usually eight hours). This is safer than the traditional password model because the password is never passed over the network. Once the TGT is issued, the user will not have to re-enter their password to the KDC until the TGT expires or they log out and log in again. Note that in this basic exchange the KDC returns the encrypted reply to anyone who names a valid principal, which permits offline guessing of that user's password; this is why KDCs normally require pre-authentication, in which the client first proves knowledge of its key (typically with an encrypted timestamp) before the reply is issued.
When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, encrypted with that service's key, which the client then presents to the service to authenticate the user.
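The two exchanges just described (AS: principal in, TGT plus sealed session key out; TGS: TGT plus authenticator in, service ticket out), followed by the client presenting the service ticket to the service, as a runnable toy model. This is an added example, not code from the original guide or from any Kerberos implementation: the realm EXAMPLE.COM, the principal and service names, the eight-hour lifetime, the five-minute clock-skew limit and the HMAC-based encrypt-then-MAC stand-in for a real Kerberos enctype are all assumptions made for the illustration.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (standard library only).
Constructed for illustration: the "encryption" is an HMAC-SHA256 keystream plus
an HMAC tag (encrypt-then-MAC), a stand-in for a real enctype such as
aes256-cts-hmac-sha1-96; realm, principals and keys are made-up sample values.
"""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"   # assumed sample realm
LIFETIME = 8 * 3600     # eight-hour ticket life, as in the text
SKEW = 300              # clock skew tolerated on an authenticator, in seconds


def string_to_key(password: str, principal: str) -> bytes:
    # Kerberos AES enctypes derive the long-term key with PBKDF2, salted with
    # realm + principal, so equal passwords still give different keys.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Holds every principal's long-term key: users, services and krbtgt/REALM."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, principal: str, now: float) -> tuple:
        # AS-REQ names the principal only; no password crosses the wire.
        if principal not in self.keys:
            raise KeyError("unknown principal")
        session = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt/" + REALM],
                      {"client": principal, "key": session.hex(), "exp": now + LIFETIME})
        # The session key is sealed under the user's key: only someone who knows
        # the password can recover it, which is what proves the user's identity.
        return tgt, encrypt(self.keys[principal], {"key": session.hex(), "exp": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> tuple:
        body = decrypt(self.keys["krbtgt/" + REALM], tgt)   # only the KDC can open a TGT
        if now > body["exp"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(body["key"])
        auth = decrypt(session, authenticator)              # caller must hold the session key
        if auth["client"] != body["client"] or abs(now - auth["time"]) > SKEW:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = encrypt(self.keys[service],
                         {"client": body["client"], "key": svc_session.hex(), "exp": now + LIFETIME})
        return ticket, encrypt(session, {"key": svc_session.hex(), "service": service})


def obtain_tgt(kdc: KDC, principal: str, password: str, now: float) -> tuple:
    """What login or kinit does: request a TGT, then unlock the session key locally."""
    tgt, enc_part = kdc.as_exchange(principal, now)
    session = bytes.fromhex(decrypt(string_to_key(password, principal), enc_part)["key"])
    return tgt, session   # both land in the credentials cache


def get_service_ticket(kdc: KDC, tgt: bytes, session: bytes, principal: str,
                       service: str, now: float) -> tuple:
    authenticator = encrypt(session, {"client": principal, "time": now})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(decrypt(session, enc_part)["key"])


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> bool:
    """AP-REQ check done by the kerberized service with its own (keytab) key."""
    body = decrypt(service_key, ticket)
    auth = decrypt(bytes.fromhex(body["key"]), authenticator)
    return now <= body["exp"] and auth["client"] == body["client"] and abs(now - auth["time"]) <= SKEW


def build_demo_kdc(user: str, password: str, service: str) -> KDC:
    return KDC({"krbtgt/" + REALM: os.urandom(32), service: os.urandom(32),
                user: string_to_key(password, user)})
```

Three properties of the text are visible in the model: the client never sends the password or the key derived from it, only the principal name; a wrong password fails at the integrity check on the AS reply rather than at the KDC; and an expired TGT is refused by the TGS no matter how well the authenticator checks out. The service verifies the ticket with its own key and never talks to the KDC at all.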
Warning
The Kerberos system can be compromised any time a user on the network authenticates against a non-kerberized service by sending a password in plain text. Therefore, use of non-kerberized services should be discouraged. Such services include telnet and ftp. Use of other secure protocols, such as SSH or SSL-secured services, is acceptable.
This, of course, is a broad overview of how Kerberos authentication on a network would typically work. For a more in-depth look at Kerberos authentication, refer to Section 10.8.