Kerberos is a standard protocol that provides a means of authenticating entities on a network and is based on a trusted third-party model. It involves shared secrets and uses symmetric key cryptography. Kerberos was developed at the Massachusetts Institute of Technology (MIT).
MIT created Kerberos as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to assure privacy and data integrity.
Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise.
This chapter introduces you to Kerberos and its concepts:
The following table defines some commonly used Kerberos terms.
Table 1. Kerberos Terminologies
Kerberos uses the concept of a central server called the Key Distribution Center (KDC). The KDC holds the identities and keys of every principal it serves within its realm. This principal information is stored in a local database within the KDC. In Novell® Kerberos KDC, the principal and realm information is stored in Novell eDirectory™.
A typical KDC provides the following basic services:
Authentication Server (AS): Issues authentication credentials known as Ticket Granting Tickets (TGTs) to users when they log in.
Ticket Granting Server (TGS): Issues service tickets to users in response to requests accompanied by a valid TGT, so that they can access the various services in the realm.
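The two KDC services above, worked through end to end as an added example (this is not code from the Novell Kerberos KDC or from MIT Kerberos). It models the AS exchange (login, TGT issued), the TGS exchange (service ticket issued against the TGT) and the final AP exchange at the application server, including the mutual-authentication reply and the session key the two parties can then use to protect their traffic. The realm EXAMPLE.COM, the principals alice, host/fs1 and krbtgt, their passwords, and the HMAC-based toy cipher are all constructed for the demonstration; real Kerberos uses standardised encryption types and ASN.1 messages, which are replaced here with JSON and a standard-library construction so the example runs offline.

```python
# Toy walk-through of the Kerberos AS, TGS and AP exchanges (standard library only).
# The cipher is HMAC-SHA256 as a keystream plus an HMAC tag, a constructed stand-in for real enctypes.
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300          # seconds; verifiers reject authenticators outside this window
TICKET_LIFETIME = 36000   # 10 hours, a common default ticket lifetime


def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (Kerberos calls this string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key."""
    plain = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def check_ticket(ticket: dict, authenticator: dict, now: int) -> None:
    """Checks every ticket verifier (TGS or application server) must perform."""
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    if ticket["client"] != authenticator["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(authenticator["timestamp"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside clock skew window")


def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    return seal(session_key, {"client": client, "timestamp": now})


class KDC:
    """Holds the long-term key of every principal in the realm; plays both AS and TGS."""
    def __init__(self, realm: str, passwords: dict):
        self.db = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}

    def _ticket(self, client: str, service: str, now: int):
        session_key = os.urandom(32)
        body = {"client": client, "service": service, "key": session_key.hex(),
                "expires": now + TICKET_LIFETIME}
        return seal(self.db[service], body), session_key     # sealed under the service's key

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: TGT plus the session key sealed under the client's long-term key."""
        tgt, sk = self._ticket(client, "krbtgt", now)
        return tgt, seal(self.db[client], {"key": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, then issue a service ticket."""
        t = unseal(self.db["krbtgt"], tgt)
        tgt_key = bytes.fromhex(t["key"])
        check_ticket(t, unseal(tgt_key, authenticator), now)
        ticket, sk = self._ticket(t["client"], service, now)
        return ticket, seal(tgt_key, {"key": sk.hex()})


def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """AP-REQ/AP-REP at the service: returns verified client, session key, and a reply
    that proves the service holds the ticket key (mutual authentication)."""
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["key"])
    auth = unseal(sk, authenticator)
    check_ticket(t, auth, now)
    return t["client"], sk, seal(sk, {"timestamp": auth["timestamp"]})


def run_login(client_password: str, now=None):
    """kinit (AS), ticket request (TGS), service access (AP) in a constructed realm."""
    now = int(time.time()) if now is None else now
    realm, client, service = "EXAMPLE.COM", "alice", "host/fs1"      # constructed principals
    kdc = KDC(realm, {"krbtgt": "kdc-secret", client: "correct horse", service: "fs1-secret"})
    service_key = kdc.db[service]     # the service would read this from its keytab
    tgt, enc = kdc.as_exchange(client, now)
    tgt_key = bytes.fromhex(unseal(derive_key(client_password, realm + client), enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, make_authenticator(tgt_key, client, now), service, now)
    st_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    who, session, ap_rep = ap_exchange(service_key, ticket, make_authenticator(st_key, client, now), now)
    mutual = unseal(st_key, ap_rep)["timestamp"] == now     # service proved it holds the key
    return who, mutual


def try_login(client_password: str):
    """(client, mutual) on success, or None if any exchange rejects the credentials."""
    try:
        return run_login(client_password)
    except ValueError:
        return None
```

Two points worth noticing for anyone operating a KDC: the client's password never crosses the network (it only unlocks the AS reply locally, so a wrong password fails at that step rather than at the KDC), and every verifier of a ticket, whether the TGS or the application server, must check expiry, the principal named in the authenticator, and the authenticator timestamp against its own clock; skipping any of these is what turns a stolen ticket into a reusable credential.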
Kerberos provides the following additional services and utilities to manage KDC and Kerberos principals:
Kerberos Administration Server: Server component for maintaining Kerberos principals, policies, and service key tables (keytabs). This server responds to requests from the kadmin and kpasswd utilities.
Kerberos Administration Utilities: Client components (such as kadmin, kadmin.local, and kdb5_util) for maintaining Kerberos realms, principals, policies, and service key tables.
Kerberos Password Server: Server component of the Kerberos Password utility for changing passwords of Kerberos principals.
Kerberos Client Utilities: Utilities such as kinit and kpasswd, which are used for various operations like login and changing passwords.
For more information on the Kerberos solution developed by MIT, refer to the Kerberos System Administrator's Guide.