Kerberos implementation
Kerberos is mature, architecturally sound and meets the requirements of modern distributed systems.
Concepts
The Kerberos protocol name is based on the three-headed dog figure from Greek mythology known as Kerberos. The three heads of the Kerberos protocol comprise:
- the Key Distribution Center (KDC)
- the client user
- the server with the desired service to access.
Key Distribution Center (KDC): A KDC is installed on the network to manage Kerberos security. It performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).
Authentication Service (AS): An AS is a network-accessible service running in the KDC that authenticates callers.
Ticket Granting Service (TGS): A TGS grants access to specific services.
Workflow
The following diagram illustrates the workflow to establish a secure session between the server and client.
- The user issues a kinit command from the client to explicitly obtain the Kerberos tickets.
- Once successfully authenticated, the user is granted a Ticket to Get Tickets (TGT), which is valid for the local domain (realm). The TGT has an expiration period and may be renewed throughout the user logon session without re-entering the password. The AS returns the TGT, encrypted with a key that only the KDC can decrypt, together with a session key encrypted with the user's password hash. The user then presents the TGT to the TGS portion of the KDC to request access to the service server. The TGS on the KDC authenticates the user's TGT and creates a ticket and session key for both the client and the remote server.
- Once the client user has the client/server service ticket, the user can establish the session with the server service. The server can decrypt the information coming indirectly from the TGS using its own long-term key, which it shares with the KDC.
- The service ticket is then used to authenticate the client user and establish a service session between the server and client. After the ticket's lifetime is exceeded, the service ticket must be renewed to use the service.