The central voice for Linux and Open Source security news
Kerberos
Source: Dave Wreski - Posted by Dave Wreski

Kerberos is an authentication system developed by the Athena Project at MIT. When a user logs in, Kerberos authenticates that user (using a password) and provides the user with a way to prove her identity to other servers and hosts scattered around the network.

This authentication is then used by programs such as rlogin to allow the user to log in to other hosts without a password (in place of the .rhosts file). This authentication method can also be used by the mail system in order to guarantee that mail is delivered to the correct person, as well as to guarantee that the sender is who he claims to be.

The overall effect of installing Kerberos and the numerous other programs that go with it is to virtually eliminate the ability of users to "spoof" the system into believing they are someone else. Unfortunately, installing Kerberos is very intrusive, requiring the modification or replacement of numerous standard programs.

How Does Kerberos Actually Work?

Kerberos uses secret-key cryptography to distribute tickets used for authentication of users to network services. The ticket is generated using a password that the user supplies, unequivocally linking it to the user. The services available for use with Kerberos also have tickets, but these are not generated using a password. The user presents the ticket given to him by the Kerberos authentication server. The ticket is stored on the authentication server, which is configured to permit the user to access a particular service on a particular server on the network. The server uses this to verify the user's identity, and grants or denies access to a particular network service.

Once the user has requested the use of a particular service from the AS (the authentication server), a session key (a random string of bits) is generated, which is used to encrypt future communications between the client and the AS. This key and the name of the requested service are encrypted together using the user's ticket.

Another copy of the random session key generated by the AS and the username are encrypted together using the service's key.

Both encrypted messages are then returned to the user. The user decrypts the first message using his ticket, revealing the name of the server from which he was requesting service and the session key generated by the AS.

The second message passed to the user cannot be decrypted because it was encrypted using the service key, which the user does not have.

The user then uses that session key to encrypt a message containing the current time. This message, and the second message still encrypted, are both passed to the service for which the user requests access.

The service opens the still-encrypted message (the one the client could not open) using its own key, extracting the session key and the name of the user requesting the use of the service.

The service then opens the other message using the session key obtained from the previous one, extracting the message with the timestamp on it. This serves to authenticate the user. The message may also contain an encryption key that is used to provide privacy in future communications between the user and the service.
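The exchange described above, modelled end to end as an added example (this is not code from the article, nor from any Kerberos implementation). The article's "user's ticket" is represented here as a long-term key derived from the user's password; the AS seals message 1 with that key and message 2 (the ticket) with the service's key, the client seals a timestamp with the session key, and the service opens both. The authenticated encryption (SHA-256 keystream plus HMAC tag), the `AuthServer`/`Service` classes, the realm salt and the principal names are all constructed for illustration. It goes slightly beyond the text in two places a practitioner would look for: the service rejects an authenticator whose timestamp falls outside a clock-skew window, and keeps a replay cache so the same authenticator cannot be presented twice.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed toy model of the ticket exchange. The SHA-256 keystream + HMAC
# construction below stands in for a real cipher and is for illustration only.
CLOCK_SKEW = 300               # seconds of timestamp drift tolerated (assumption)
REALM_SALT = b"EXAMPLE.REALM"  # constructed salt for password-to-key derivation


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a tampered message is rejected."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def password_key(password: str) -> bytes:
    """The user's long-term key, derived from the password as the text describes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, 100_000)


class AuthServer:
    """The AS: holds every principal's long-term key and mints session keys."""

    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys = user_keys, service_keys

    def request(self, username: str, service: str):
        session_key = secrets.token_bytes(32)
        # Message 1: session key + service name, sealed with the user's key.
        for_user = encrypt(self.user_keys[username],
                           json.dumps({"service": service, "session_key": session_key.hex()}).encode())
        # Message 2 (the ticket): session key + user name, sealed with the service's key.
        ticket = encrypt(self.service_keys[service],
                         json.dumps({"user": username, "session_key": session_key.hex()}).encode())
        return for_user, ticket


def client_build_request(password: str, for_user: bytes, ticket: bytes, now: int):
    """Client opens message 1, then seals the current time with the session key."""
    info = json.loads(decrypt(password_key(password), for_user))
    session_key = bytes.fromhex(info["session_key"])
    authenticator = encrypt(session_key, json.dumps({"timestamp": now}).encode())
    return info["service"], ticket, authenticator


class Service:
    """A kerberised service: opens the ticket with its own key, checks the authenticator."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # replay cache of (user, timestamp) pairs already accepted

    def verify(self, ticket: bytes, authenticator: bytes, now: int):
        t = json.loads(decrypt(self.key, ticket))
        session_key = bytes.fromhex(t["session_key"])
        a = json.loads(decrypt(session_key, authenticator))
        if abs(now - a["timestamp"]) > CLOCK_SKEW:
            raise PermissionError("authenticator outside clock-skew window")
        if (t["user"], a["timestamp"]) in self.seen:
            raise PermissionError("authenticator replayed")
        self.seen.add((t["user"], a["timestamp"]))
        return t["user"], session_key


def run_demo() -> dict:
    """Run the exchange once and probe three failure modes; returns the outcomes."""
    alice_key = password_key("correct horse")
    imap_key = secrets.token_bytes(32)  # service keys are not password-derived
    kdc = AuthServer({"alice": alice_key}, {"imap/mail": imap_key})
    imap = Service(imap_key)
    now = int(time.time())
    results = {}

    for_user, ticket = kdc.request("alice", "imap/mail")
    _service, ticket, auth = client_build_request("correct horse", for_user, ticket, now)
    results["user"], _ = imap.verify(ticket, auth, now)

    try:  # the same authenticator presented a second time
        imap.verify(ticket, auth, now)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"

    try:  # wrong password: message 1 cannot be opened, so no authenticator
        client_build_request("wrong", for_user, ticket, now)
        results["wrong_password"] = "accepted"
    except ValueError:
        results["wrong_password"] = "rejected"

    try:  # stale authenticator: timestamp an hour old
        _, _, old_auth = client_build_request("correct horse", for_user, ticket, now - 3600)
        imap.verify(ticket, old_auth, now)
        results["stale"] = "accepted"
    except PermissionError:
        results["stale"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the service never sees the user's password or long-term key: it only needs its own key to open the ticket, which is why the user's secret stays on the AS and the client. The replay cache and skew window are the checks that make the timestamp meaningful; without them a captured authenticator could be presented again.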

Implementing Kerberos

Implementing Kerberos on the client isn't too difficult; implementing a server, however, is a different story. The document The Moron's Guide to Kerberos does a good job of explaining Kerberos in more detail, as well as guiding users and administrators through the process of creating and using the server.

Most distributions include support for Kerberos. Distributions that use PAM are much easier to configure. Applications normally require recompiling to support using Kerberos as the authentication mechanism, but PAM resolves those issues by allowing you to 'plug-in' a Kerberos authentication module.

Kerberos isn't for everyone. Install the client support for your distribution if you require it to connect to a Kerberos server on your network. Install the Kerberos server if you have to support a large number of distributed clients and require the extra authentication.

Generally, using the Secure Shell is a fine alternative for authenticating users before logging into remote machines or transferring files.

More Information

You can find general information on Kerberos at The Information Sciences Institute.

The Kerberos FAQ is also a great reference.

HOW TO SET UP KERBEROS? Written by kerberos remote login on 2007-02-05 22:03:13
Is there a package that I need to download for Kerberos to work?
Is there documentation that provides the installation procedures for Kerberos remote login to work? Pls. help!!!
Send your answers to my email.

(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.