Cover V10, I12

dec2001.tar

Kerberos

Kerberos is a third-party authentication protocol in which a trusted server acts as an arbitrator between clients and services. It allows users to authenticate once and then securely access services on the network. Kerberos is designed to eliminate the danger of sending clear-text passwords over the network. It also gives a service a way to verify that a client really is who it claims to be and not some impostor.

The first step is for the client to send its principal to the Kerberos authentication server (a.k.a. KDC). A principal is a user or service that is able to authenticate using Kerberos. For a user, the principal is the login ID and the name of the TGS (Ticket Granting Server). The KDC makes sure the user is in its database and generates a session key to be used between the client and the TGS. This session key is also called the TGT (Ticket Granting Ticket). The TGT is encrypted by the KDC with the user's secret key (the user's password) and sent back to the client from which the user requested it. The TGT cannot be decrypted without the user's password, because the password is the secret key.

If the client wants access to a network service, it must first hold a TGT in order to obtain a ticket from the TGS. A user who has not authenticated successfully through the process described above cannot gain access to any network service that requires Kerberos authentication. Once the user has obtained the TGT, it can be presented to the TGS to obtain a service ticket. The ticket the client receives from the TGS is then presented to the service to authenticate the user. The user now has access to that network service through a secure authentication method.
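The two exchanges described above (client to KDC for a TGT, then client to TGS for a service ticket) are easier to follow with both sides' messages in front of you. The following is an added example written for this sidebar, not code from the original article or from any Kerberos implementation. It uses the standard library only: the realm name, the principal names and the passwords are constructed sample values, and `seal`/`unseal` is a toy authenticated-encryption routine built from HMAC-SHA256 that stands in for a real Kerberos encryption type. The structure of the tickets (a session key carried once under the user's key and once inside a ticket under the TGS's or service's key) is the part that matters; it also shows the failure mode the text calls out, namely that a wrong password cannot decrypt the reply and therefore yields no TGT.

```python
import hashlib, hmac, json, os, secrets, time

REALM = "EXAMPLE.COM"  # constructed sample realm


def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: the user's long-term key is derived from the password.
    Real enctypes define their own string2key; PBKDF2 stands in here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (REALM + principal).encode(), 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (stand-in for a Kerberos enctype):
    only a holder of `key` can read or forge the result."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed: wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server and Ticket Granting Server sharing one principal database."""

    def __init__(self):
        self.users = {}      # user principal -> long-term key derived from the password
        self.services = {}   # service principal -> service key
        self.tgs_key = secrets.token_bytes(32)  # key of krbtgt/REALM, known only to the KDC

    def add_user(self, principal, password):
        self.users[principal] = derive_key(password, principal)

    def add_service(self, principal):
        self.services[principal] = secrets.token_bytes(32)
        return self.services[principal]

    def as_exchange(self, principal, lifetime=8 * 3600):
        """AS-REQ -> AS-REP. The client sends only its principal name; no password crosses the
        network. The client/TGS session key comes back twice: under the user's key for the
        client, and inside the TGT under the TGS key, which the client cannot open."""
        if principal not in self.users:
            raise KeyError(f"unknown principal {principal}")
        session_key = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "session_key": session_key,
                                  "expires": time.time() + lifetime})
        enc_part = seal(self.users[principal], {"session_key": session_key, "tgs": f"krbtgt/{REALM}"})
        return enc_part, tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP. The TGT proves the client already authenticated to the AS;
        the authenticator proves it holds the session key carried inside that TGT."""
        tgt_data = unseal(self.tgs_key, tgt)
        if time.time() > tgt_data["expires"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(tgt_data["session_key"])
        if unseal(session_key, authenticator)["client"] != tgt_data["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.services[service], {"client": tgt_data["client"], "session_key": svc_session})
        return seal(session_key, {"service": service, "session_key": svc_session}), ticket


def make_authenticator(session_key: bytes, principal: str) -> bytes:
    return seal(session_key, {"client": principal, "timestamp": time.time()})


def client_login(kdc, principal, password):
    """Step 1: obtain the TGT. A wrong password cannot decrypt the AS-REP, so this raises."""
    enc_part, tgt = kdc.as_exchange(principal)
    creds = unseal(derive_key(password, principal), enc_part)
    return {"principal": principal, "session_key": bytes.fromhex(creds["session_key"]), "tgt": tgt}


def client_get_service_ticket(kdc, login, service):
    """Step 2: present the TGT to the TGS and receive a ticket for `service`."""
    authenticator = make_authenticator(login["session_key"], login["principal"])
    enc_part, ticket = kdc.tgs_exchange(login["tgt"], authenticator, service)
    return ticket, bytes.fromhex(unseal(login["session_key"], enc_part)["session_key"])


def service_accepts(service_key, ticket, authenticator) -> bool:
    """Step 3: the service opens the ticket with its own key and checks the authenticator."""
    data = unseal(service_key, ticket)
    return unseal(bytes.fromhex(data["session_key"]), authenticator)["client"] == data["client"]


def demo():
    kdc = KDC()
    kdc.add_user("alice", "correct horse battery staple")       # constructed sample user
    fs_key = kdc.add_service("host/fileserver.example.com")     # constructed sample service
    login = client_login(kdc, "alice", "correct horse battery staple")
    ticket, svc_key = client_get_service_ticket(kdc, login, "host/fileserver.example.com")
    accepted = service_accepts(fs_key, ticket, make_authenticator(svc_key, "alice"))
    try:
        client_login(kdc, "alice", "wrong password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"service_accepts": accepted, "wrong_password_rejected": wrong_rejected}


if __name__ == "__main__":
    print(demo())
```

Note that the KDC never sees or sends the password: the only thing that ties the reply to the user is that the AS-REP can be decrypted with a key derived from it. The service, likewise, never talks to the KDC; it trusts the ticket because only the KDC holds the service key used to seal it.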