Kerberos differs from username/password authentication methods because
instead of authenticating each user to each network service, it uses
symmetric encryption and a trusted third party, a KDC, to authenticate
users to a suite of network services. Once a user authenticates to the
KDC, it sends a ticket specific to that session back the user's machine
and any kerberized services look for the ticket on the user's machine
rather than asking the user to authenticate using a password.
When a user on a kerberized network logs in to their workstation, their
principal is sent to the KDC in a request for a TGT from AS. This
request can be sent by the login program so that it is transparent to
the user or can be sent by the kinit program after
the user logs in.
The KDC checks for the principal in its database. If the principal is
found, the KDC creates a TGT, which is encrypted using
the user's key and returned to that user.
The login or kinit program on the client machine then
decrypts the TGT using the user's key (which it computes from the user's
password). The user's key is used only on the client machine and is
not sent over the network.
The TGT is set to expire after a certain period of time (usually ten
hours) and stored in the client machine's credentials cache. An
expiration time is set so that a compromised TGT is of use to an
attacker for only a short period of time. Once the TGT is issued, the
user does not have to re-enter their password until the TGT expires or
they logout and login again.
Whenever the user needs access to a network service, the client software
uses the TGT to request a new ticket for that specific service from the
TGS. The service ticket is then used to authenticate the user to that
service transparently.
 | Warning |
|---|
| | The Kerberos system can be compromised any time any user on the
network authenticates against a non-kerberized service by sending a
password in plain text. Use of non-kerberized services is
discouraged. Such services include Telnet and FTP. Use of other
encrypted protocols, such as SSH or SSL secured services, however, is
acceptable, though not ideal.
|
This is only a broad overview of how Kerberos authentication works.
Those seeking a more in-depth look at Kerberos authentication should
refer to Section 19.7 Additional Resources.
 | Note |
|---|
| | Kerberos depends on certain network services to work correctly. First,
Kerberos requires approximate clock synchronization between the
machines on the network. Therefore, a clock synchronization program
should be set up for the network, such as ntpd. For
more about configuring ntpd, refer to
/usr/share/doc/ntp-<version-number>/index.htm
for details on setting up Network Time Protocol servers (replace
<version-number> with the version
number of the ntp package installed on the
system).
Also, since certain aspects of Kerberos rely on the Domain Name
Service (DNS), be sure that the DNS entries and hosts on the network
are all properly configured. Refer to the Kerberos V5
System Administrator's Guide, provided in PostScript and
HTML formats in
/usr/share/doc/krb5-server-<version-number>
for more information (replace
<version-number> with the version
number of the krb5-server package installed on
the system). |
