Now that the Kerberos terminology has been defined, the following is
an overview of how a Kerberos authentication system works.
On a non-kerberized network, when a user requests a network service that
requires authentication, the user is prompted to type in their
password. The password is then transmitted in clear-text or as a crypt hash
over the network to allow access to the service. Unfortunately, this
means that anyone intercepting packets on the network can potentially
find out the username and password of users on the network.
Kerberos deals with this threat by using symmetric encryption and a trusted
third party, known as the Key Distribution Center or KDC, to authenticate
users on a network to services on that network. Once a user is
authenticated, Kerberos stores a ticket specific to that session on the
user's machine, and any kerberized service looks for this ticket
rather than asking the user to authenticate with a password.
When a user on a kerberized network logs in to their workstation, their
principal is sent to the Key Distribution Center as a request for a
Ticket Granting Ticket (TGT). This request can be sent by the login
program so that it is transparent to the user, or it can be sent by the
kinit program after the user logs in.
The KDC checks for the principal in its database. If the principal is
found, the KDC creates a TGT, encrypts it using the user's key and
sends it back to the user.
The login program or kinit decrypts the TGT using the
user's key (which it computes from the user's password). The TGT is set
to expire after a certain period of time and stored in the client
machine's credentials cache. The expiration time is set so a compromised
TGT can only be used for a certain period of time (usually eight hours).
This is safer than the traditional password model, because a compromised
password can be used until it is changed. Once the TGT is issued, the
user does not have to re-enter their password to the KDC until the TGT
expires or they log out and log in again.
When the user needs access to a network service, the client uses the TGT
to request a ticket for the service from the Ticket Granting Service
(TGS), which runs on the KDC. The TGS issues a ticket for the desired
service, which is then used to authenticate the user.
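As an added illustration that is not part of the original guide, the following Python simulation walks through the AS exchange (kinit) and TGS exchange described above against a miniature KDC. The realm, principals, keys and the HMAC-based toy cipher are all constructed for this example; real Kerberos uses AES enctypes, ASN.1 messages and the exact RFC 3962 string-to-key salt layout. It also shows one detail the overview compresses: the TGT itself is sealed under the KDC's own krbtgt key, while what the client decrypts with its password-derived key is the session key that makes the TGT usable.

```python
import hashlib, hmac, json, os
def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode, enough bytes to cover n
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))

def seal(key: bytes, data: bytes) -> bytes:
    # Toy authenticated encryption (keystream + MAC) standing in for Kerberos' AES enctypes.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Modelled on RFC 3962 string-to-key: client and KDC derive the same key; the password never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

class KDC:
    def __init__(self, realm: str, keys: dict, lifetime: int = 8 * 3600):
        self.realm, self.keys, self.lifetime = realm, keys, lifetime  # keys: principal -> long-term key

    def as_exchange(self, principal: str, now: float):
        # AS-REQ/AS-REP: TGT sealed under the krbtgt key; the session key sealed under the user's key.
        if principal not in self.keys:
            raise KeyError(f"unknown principal {principal}")
        session, expires = os.urandom(32).hex(), now + self.lifetime
        tgt = seal(self.keys["krbtgt/" + self.realm],
                   json.dumps({"cname": principal, "key": session, "expires": expires}).encode())
        return tgt, seal(self.keys[principal], json.dumps({"key": session, "expires": expires}).encode())

    def tgs_exchange(self, tgt: bytes, service: str, now: float) -> bytes:
        # TGS-REQ/TGS-REP: verify the TGT (key and lifetime), then issue a ticket under the service's key.
        t = json.loads(unseal(self.keys["krbtgt/" + self.realm], tgt))
        if now >= t["expires"]:
            raise PermissionError("TGT expired; the user must kinit again")
        return seal(self.keys[service], json.dumps({"cname": t["cname"], "expires": t["expires"]}).encode())

def kinit(kdc: KDC, principal: str, password: str, now: float) -> dict:
    # Client side of the AS exchange: a wrong password makes unseal() fail, just as kinit rejects it.
    tgt, enc_part = kdc.as_exchange(principal, now)
    part = json.loads(unseal(string_to_key(password, kdc.realm, principal), enc_part))
    return {"tgt": tgt, "session_key": part["key"], "expires": part["expires"]}

def service_accepts(service_key: bytes, ticket: bytes, now: float):
    # The kerberized service decrypts the ticket with its own key and learns the client principal.
    t = json.loads(unseal(service_key, ticket))
    return t["cname"] if now < t["expires"] else None
```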
Warning: The Kerberos system can be compromised any time a user on the
network authenticates against a non-kerberized service by sending a
password in clear text. Therefore, use of non-kerberized versions of
services should be discouraged. Such services include telnet and ftp.
Use of other secure protocols, such as OpenSSH or SSL-secured services,
however, is acceptable.
This, of course, is a broad overview of how Kerberos authentication on a
network would typically work. For a more in-depth look at
Kerberos authentication, refer to the Section called Additional Resources.
Note: Kerberos depends on certain network services to work correctly.
First, Kerberos requires approximate clock synchronization between the
machines on the network. A clock-syncing program should be set up for
the network. Since certain aspects of Kerberos rely on the Domain Name
Service (DNS), be sure that the DNS entries and hosts on the network
are all properly configured. See the Kerberos V5 System
Administrator's Guide, provided in PostScript and HTML formats in
/usr/share/doc/krb5-server-version-number (where version-number is the
version installed on the system), for more information.