Chapter 10. Kerberos


139


ticket


A temporary set of electronic credentials that verify the identity of a client for a particular service.


Ticket Granting Service (TGS)


A server that issues tickets for a desired service which are in turn given to users for access to the


service. The TGS usually runs on the same host as the KDC


Ticket Granting Ticket (TGT)


A special ticket that allows the client to obtain additional tickets without applying for them from


the KDC.


10.4. How Kerberos Works


Now that the Kerberos terminology has been defined, the following is an overview of how the Kerberos


authentication system works.


Rather than authentication occurring between each client machine and each server, Kerberos uses


symmetric encryption and a trusted third party   known as the Key Distribution Center or KDC  


to authenticate users on a network to a suite of services on a network. Once authenticated, Kerberos


stores a ticket specific to that session on the user's machine and any kerberized service will look for


this ticket rather than asking the user to authenticate using a password.


When a user on a kerberized network logs in to their workstation, their principal is sent to the Key


Distribution Center as a request for a Ticket Granting Ticket (TGT). This request can be sent by the


login program so that it is transparent to the user or can be sent by the


kinit


program after the user


logs in.


The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT,


encrypts it using the user's key and sends it back to the user.


The login program on the client machine or


kinit


decrypts the TGT using the user's key (which it


computes from the user's password). The TGT is set to expire after a certain period of time and stored


in the client machine's credentials cache. The expiration time is set so a compromised TGT can only


be used for a certain period of time (usually eight hours). This is safer than tradition password model


because the password is never passed over the network. Once the TGT is issued, the user will not have


to re enter their password to the KDC until the TGT expires or they logout and login again.


When the user needs access to a network service, the client uses the TGT to request a ticket for the


service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for


the desired service, which is then used to authenticate the user.


Warning


The Kerberos system can be compromised anytime any user on the network authenticates against a


non kerberized service by sending a password in plain text. Therefore use of non kerberized services


should be discouraged. Such services include telnet and ftp. Use of other secure protocols, such as


SSH or SSL secured services, however, is acceptable.


This, of course, is a broad overview of how Kerberos authentication on a network would typically


work. For a more in depth look at Kerberos authentication, refer to Section 10.8.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved