1.1 Overview of Kerberos

Kerberos is a standard protocol that provides a means of authenticating entities on a network and is based on a trusted third-party model. It involves shared secrets and uses symmetric key cryptography. Kerberos was developed at the Massachusetts Institute of Technology (MIT).

MIT created Kerberos as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to assure privacy and data integrity.

Kerberos addresses these network security problems by providing authentication over the network using cryptography, and it secures information systems across the entire enterprise.

This section introduces you to Kerberos and its concepts:

1.1.1 Kerberos Terminology

The following table defines some commonly used Kerberos terms.

Table 1-1 Kerberos Terms

Key (also referred to as Secret Key)
    Encryption key shared by a principal and the KDC, distributed outside the system, with a long lifetime. For a user's principal, the key is derived from a password.

Principal
    Entity in the network. Each entity corresponds to a principal.

Realm
    Logical grouping of principals.

Service
    Resource provided to network clients, such as a mail server.

Session key
    Temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session".

Service ticket
    Ticket required to access a service in the network.

Ticket
    Record that helps a client authenticate itself to a server. It contains the client's identity, a session key, a time stamp, and other information, all sealed using the server's secret key.

Ticket Granting Ticket (TGT)
    Initial ticket obtained after a successful login. This ticket is used to obtain the service tickets needed to access services.

1.1.2 How Kerberos Works

Kerberos uses a central server called the Key Distribution Center (KDC). The KDC holds the identities and keys of every principal it serves within its realm. This principal information is stored in a local database within the KDC. In Novell Kerberos KDC, the principal and realm information is stored in Novell eDirectory™.

A typical KDC provides the following basic services:

  • Authentication Server (AS): Issues authentication credentials known as Ticket Granting Tickets (TGTs) to users when they log in.

  • Ticket Granting Server (TGS): Issues service tickets to users in response to requests accompanied by a TGT, so that they can access the various services in the realm.
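As an added illustration (not code from this guide or from Novell Kerberos KDC), the following Python model walks through the two exchanges just described: the AS issues a TGT sealed with the TGS's key, the client proves possession of the session key inside it, and the TGS issues a service ticket sealed with the service's own key. The realm, principal names, password and the SHA-256-based sealing are constructed stand-ins; real Kerberos uses the encryption types the KDC negotiates.

```python
import hashlib, hmac, json, secrets, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 in counter mode); shows the structure, not a real Kerberos cipher
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, record: dict) -> bytes:
    """Encrypt-then-MAC a ticket record so that only the holder of `key` can open it."""
    nonce, plain = secrets.token_bytes(16), json.dumps(record).encode()
    body = nonce + bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError if the key does not match."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("ticket was not sealed with this key")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _stream(key, nonce, len(cipher)))))

# Constructed KDC principal database for the assumed realm EXAMPLE.COM
KDC_DB = {"alice@EXAMPLE.COM": hashlib.sha256(b"alice-password").digest(),  # user key derived from password
          "krbtgt/EXAMPLE.COM": secrets.token_bytes(32),                    # TGS key, seals TGTs
          "imap/mail.example.com": secrets.token_bytes(32)}                 # service key (keytab)

def authentication_server(client: str) -> tuple:
    """AS exchange: a TGT sealed with the TGS key, plus the session key sealed with the user's key."""
    sk = secrets.token_bytes(32)
    tgt = seal(KDC_DB["krbtgt/EXAMPLE.COM"],
               {"client": client, "session_key": sk.hex(), "issued": time.time()})
    return tgt, seal(KDC_DB[client], {"session_key": sk.hex()})

def ticket_granting_server(tgt: bytes, authenticator: bytes, service: str) -> bytes:
    """TGS exchange: open the TGT, check the authenticator with its session key, issue a service ticket."""
    t = unseal(KDC_DB["krbtgt/EXAMPLE.COM"], tgt)
    auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > 300:
        raise ValueError("authenticator does not match the TGT or is outside the allowed clock skew")
    return seal(KDC_DB[service], {"client": t["client"],
                "session_key": secrets.token_bytes(32).hex(), "issued": time.time()})

def login_and_access(client: str, password: bytes, service: str) -> str:
    """Client side: kinit-style login, request a service ticket, present it to the service."""
    tgt, client_part = authentication_server(client)
    sk = bytes.fromhex(unseal(hashlib.sha256(password).digest(), client_part)["session_key"])
    authenticator = seal(sk, {"client": client, "timestamp": time.time()})
    svc_ticket = ticket_granting_server(tgt, authenticator, service)
    # The service opens the ticket with its own key and learns the authenticated client identity
    return unseal(KDC_DB[service], svc_ticket)["client"]
```

A wrong password leaves the client unable to open its part of the AS reply, and a service's key cannot open a TGT, which is the separation of keys the terminology table describes.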

Kerberos provides the following additional services and utilities for managing the KDC and Kerberos principals:

  • Kerberos Administration Server: Server component for maintaining Kerberos principals, policies, and service key tables (keytabs). This server responds to requests from the kadmin utility.

  • Kerberos Administration Utilities: Client components (such as kadmin, kadmin.local, and kdb5_ldap_util) for maintaining Kerberos realms, principals, policies, and service key tables.

  • Kerberos Password Server: Server component of the Kerberos password utility, used for changing the passwords of Kerberos principals.

  • Kerberos Client Utilities: Utilities such as kinit and kpasswd, which are used for operations such as logging in and changing passwords.

For more information on the Kerberos solution developed by MIT, refer to the Kerberos System Administrator's Guide.