Kerberos is a standard network authentication protocol (RFC 4120) based on a trusted third-party model: every principal shares a secret key with a central authority, and the protocol relies on symmetric key cryptography throughout. Kerberos was developed at the Massachusetts Institute of Technology (MIT).
MIT created Kerberos as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to assure privacy and data integrity.
Kerberos provides authentication over the network by using cryptography, so that the identities of users and services can be verified consistently across the entire enterprise without sending passwords over the wire.
This section introduces you to Kerberos and its concepts:
The following table defines some commonly used Kerberos terms.
Table 1-1 Kerberos Terminologies
Kerberos uses the concept of a central server called the Key Distribution Center (KDC). The KDC holds the identities and long-term keys of every principal that it must service within its realm, so it must be protected accordingly: a compromise of the KDC database exposes every key in the realm. This principal information is stored in a local database within the KDC. In Novell Kerberos KDC, the principal and realm information is stored in Novell eDirectory™.
A typical KDC provides the following basic services:
Authentication Server (AS): Issues authentication credentials known as Ticket Granting Tickets (TGTs) to users when they log in (for example, with kinit). The reply is encrypted under the user's long-term key, so only a user who knows the password can make use of it.
Ticket Granting Server (TGS): Issues service tickets to users who present a valid TGT together with an authenticator, so that they can access the various services in the realm without re-entering their password. A service ticket is encrypted under the service's own key, which the client never sees.
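The two KDC services above, followed by the client's use of the service ticket, as an added toy model that is not Novell Kerberos KDC or MIT code. The cipher is a stand-in (an HMAC-SHA256 counter keystream plus an HMAC tag) so that the script runs on the standard library alone; real Kerberos uses the RFC 3961 encryption types. The realm EXAMPLE.COM, the principals, the password and the clock-skew and lifetime values are constructed sample data; the function names are this example's own, not an API of either project.

```python
"""Toy model of the Kerberos AS / TGS / AP exchanges (added illustration)."""
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):
    """Stand-in keystream: HMAC-SHA256 in counter mode (not a Kerberos enctype)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Encrypt-then-MAC a dict under a symmetric key."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

REALM = "EXAMPLE.COM"                      # constructed sample realm
TGS = f"krbtgt/{REALM}@{REALM}"
SERVICE = f"host/fs1.example.com@{REALM}"  # constructed sample service principal
CLOCK_SKEW, LIFETIME = 300, 8 * 3600       # assumed values, in seconds

def string_to_key(password, salt):
    """Salted password-to-key derivation; Kerberos salts with realm + name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

# The KDC's principal database: the long-term key of every principal (sample data).
KDB = {
    f"alice@{REALM}": string_to_key("correct horse battery", f"{REALM}alice"),
    TGS: os.urandom(32),
    SERVICE: os.urandom(32),
}
KEYTAB = {SERVICE: KDB[SERVICE]}  # the service's key as stored in its keytab

def _fresh(ts, now):
    return abs(now - ts) <= CLOCK_SKEW

def kdc_as(client, preauth, now):
    """Authentication Server: verify pre-auth, then issue a TGT and a session key."""
    ts = unseal(KDB[client], preauth)["ts"]  # wrong password -> ValueError
    if not _fresh(ts, now):
        raise ValueError("pre-auth timestamp outside clock skew")
    sk = os.urandom(32).hex()
    tgt = seal(KDB[TGS], {"cname": client, "key": sk, "end": now + LIFETIME})
    # AS-REP: only a client holding the long-term key can read the session key.
    return tgt, seal(KDB[client], {"key": sk, "sname": TGS, "end": now + LIFETIME})

def kdc_tgs(tgt, authenticator, sname, now):
    """Ticket Granting Server: check TGT and authenticator, issue a service ticket."""
    t = unseal(KDB[TGS], tgt)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"] or not _fresh(auth["ts"], now) or now > t["end"]:
        raise ValueError("bad authenticator or expired TGT")
    sk = os.urandom(32).hex()
    ticket = seal(KDB[sname], {"cname": t["cname"], "key": sk, "end": t["end"]})
    return ticket, seal(bytes.fromhex(t["key"]), {"key": sk, "sname": sname})

def service_ap(ticket, authenticator, now):
    """Application server: needs only its keytab and never contacts the KDC."""
    t = unseal(KEYTAB[SERVICE], ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"] or not _fresh(auth["ts"], now) or now > t["end"]:
        raise ValueError("bad authenticator or expired ticket")
    # AP-REP: echo the timestamp under the session key for mutual authentication.
    # (A real server also keeps a replay cache of recent authenticators.)
    return t["cname"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})

def login_and_access(client, password, now=None):
    """Client side: kinit, then access SERVICE. Returns (peer name, mutual auth ok)."""
    now = now or int(time.time())
    ck = string_to_key(password, f"{REALM}{client.split('@')[0]}")
    tgt, rep = kdc_as(client, seal(ck, {"ts": now}), now)
    tgs_key = bytes.fromhex(unseal(ck, rep)["key"])
    ticket, rep2 = kdc_tgs(tgt, seal(tgs_key, {"cname": client, "ts": now}), SERVICE, now)
    svc_key = bytes.fromhex(unseal(tgs_key, rep2)["key"])
    who, ap_rep = service_ap(ticket, seal(svc_key, {"cname": client, "ts": now}), now)
    return who, unseal(svc_key, ap_rep)["ts"] == now

if __name__ == "__main__":
    print(login_and_access(f"alice@{REALM}", "correct horse battery"))
```

Points worth noticing when reading it: the client's password never leaves the client, the service's key never leaves the KDC database and the service's keytab, and the application server authenticates the user without any round trip to the KDC. The pre-authentication timestamp is what stops an unauthenticated party from simply requesting an AS reply and brute-forcing it offline.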
Kerberos provides the following additional services and utilities to manage KDC and Kerberos principals:
Kerberos Administration Server: Server component for maintaining Kerberos principals, policies, and service key tables (keytabs). This server responds to requests from the kadmin utility.
Kerberos Administration Utilities: Client components (kadmin, kadmin.local, and kdb5_ldap_util) for maintaining Kerberos realms, principals, policies, and service key tables. kadmin talks to the administration server over the network, whereas kadmin.local accesses the database directly and therefore runs only on the KDC host itself; kdb5_ldap_util manages the realm and database objects in the LDAP backend.
Kerberos Password Server: Server component of the Kerberos password utility (kpasswd) for changing the passwords of Kerberos principals.
Kerberos Client Utilities: Utilities such as kinit and kpasswd, which are used for operations such as logging in and changing passwords.
For more information on the Kerberos solution developed by MIT, refer to the Kerberos System Administrator's Guide.