home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |		 APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers


Kerberos Network Design Manual

Login and Authentication
The heart of Kerberos lies in its ticket-granting process. A common misconception is Kerberos grants a single electronic ticket, which in turn, grants access to servers throughout the network. In reality, this initial ticket grants only a user proof of identity to the Kerberos server itself. This initial TGT (Ticket-Granting Ticket) authorizes the Kerberos server to grant users service tickets. These service tickets are what actually authorize the user to access network resources.

The Kerberos protocol and its use of encryption are best illustrated by examining the login process:

1. User requests initial authentication (kinit)
2. Client contacts Kerberos server with user's requested principal name
3. Kerberos server returns TGT (Ticket-Granting-Ticket) encrypted in the user's key
4. Client attempts to decrypt TGT with user's key (derived from password). If successful, client saves user's TGT and enclosed session key in client's credential cache.
User is now "logged into Kerberos service."

When logging into a Kerberos realm, which also is known as requesting credentials, the user invokes kinit . This is sometimes integrated into system login utilities. This either prompts the user for a user ID, or obtains a known user ID from the workstation, finds the local realm name and Kerberos server in its configuration files, and requests a ticket-granting ticket.

Surprisingly, the Kerberos server freely transmits a TGT to any unauthorized request. However, every TGT is encrypted in a key derived from the user's password. Therefore, the user's password is then used to decrypt the TGT from the Kerberos server. If the decryption process results in a valid ticket with a valid time stamp, the user has valid Kerberos credentials. These credentials include a session key for establishing secure communications with the Kerberos server in the future, as well as the actual ticket-granting ticket, which is actually encrypted in the Kerberos server's own key. This second layer of encryption is unknown to the user, but it's what allows the Kerberos server to verify the authenticity of each TGT.

However, this TGT is only a license; it doesn't actually authenticate the user. When actually logging a Kerberized service, such as a klogin, or Kerberized rlogin service on a Unix machine, the klogin client presents the user's credentials to the Kerberos server and requests a service ticket. The KDC verifies the user's credentials by decrypting the TGT, which is encoded in the KDC's own key, and securely transmits the service key to the user's workstation. The service key is then added to the user's credential cache, and in turn, presented to the remote service, which in this case is the klogind.

1. User requests telnet connection to server. Telnet client c hecks for existing server credentials in client's credential cache.
2. Client requests service credentials from Kerberos KDC -- uses TGT and Session Key to authenticate to Kerberos KDC. [username@REALM]
3. Kerberos KDC verifies user's credentials and assembles service ticket for server.
4. Kerberos KDC transmits service ticket to client with new session key for service [host/server@REALM] (service ticket is encrypted using server's secret key).
5. Client stores service ticket for server in credential cache. Client transmits service ticket to server.
6. Server decrypts service ticket with its secret key. If successful, the user is valid and the session key is extracted.
Server and client then begin telnet session -- optionally encrypted using session key.

Recall that each server has a host principal (host/hostname.domain.com@REALM.COM), which is an entry in the Kerberos database with an associated encryption key. This key is known only to the host and the Kerberos KDC. In order to access the service, the user must present the host with a ticket encrypted in its own key. When the server accepts the user's service ticket and successfully decrypts the ticket using its own key, the user is authenticated and allowed in. As the service trusts the KDC, the user is considered valid. In the case of klogin on a Unix host, the user is logged into a Unix shell as specified in the /etc/passwd file. Note that Unix will not allow the user to start a shell if that user ID doesn't have an entry in /etc/passwd: a rudimentary form of access control useful in Unix-based Kerberos realms.








Print This Page


e-mail E-mail this URL






Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
10 Search Engines You Don't Know About
Go beyond Google and get vertical. These specialized search sites will help you find the business information you need -- fast.

Yahoo Profits Fall 23%, Cuts 1,000 Jobs
Ari Balogh was named to the post of chief technology officer as the companys for a "realignment" of employees.

More articles from our career center










InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch
Microsite of the Week


Powerful Information at Your Fingertips



InformationWeek Business Technology Network
InformationWeekInformationWeek 500InformationWeek 500 ConferenceInformationWeek AnalyticsInformationWeek CIO
InformationWeek EventsInformationWeek ReportsInformationWeek MagazinebMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingNo JitterPlug Into The Cloud
space
Techweb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0 ConferenceMobile Business ExpoSoftware ConferenceCSI - Computer Security Institute
Black HatGTECEnergy CampMashup CampStartup Camp
space
Light Reading Communications Network
Light ReadingLight Reading EuropeUnstrungLight Reading's Cable Digital NewsConstantinopleInternet EvolutionPyramid Research
Heavy ReadingLight Reading Live!Light Reading InsiderEthernet ExpoOptical ExpoTeleco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems & TechnologyInsurance & TechnologyWall Street & TechnologyAccelerating Wall StreetBank Systems & Technology Executive SummitBuyside Trading SummitInsurance & Technology Executive Summit
space
Microsoft Technology Network
MSDN MagazineTechNetThe Architecture Journal
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights