Kerberos is an authentication system developed by the Athena Project at MIT. When a user logs in, Kerberos authenticates that user (using a password) and provides the user with a way to prove her identity to other servers and hosts scattered around the network.

This authentication is then used by programs such as rlogin to allow the user to log in to other hosts without a password (in place of the .rhosts file). This authentication method can also be used by the mail system in order to guarantee that mail is delivered to the correct person, as well as to guarantee that the sender is who he claims to be.

The overall effect of installing Kerberos and the numerous other programs that go with it is to virtually eliminate the ability of users to "spoof" the system into believing they are someone else. Unfortunately, installing Kerberos is very intrusive, requiring the modification or replacement of numerous standard programs.

How Does Kerberos Actually Work?

Kerberos uses secret-key cryptography to distribute tickets used for authentication of users to network services. The ticket is generated using a password that the user supplies, unequivocally linking it to the user. The services available for use with Kerberos also have tickets, but these are not generated using a password. The user presents the ticket given to him by the Kerberos authentication server (AS). The ticket is stored on the authentication server, which is configured to permit the user to access a particular service on a particular server on the network. The server uses this to verify the user's identity, and grants or denies access to a particular network service.

Once the user has requested from the AS the use of a particular service, the AS generates a session key (a random string of bits) which is used to encrypt future communications between the client and the service. This key and the name of the requested service are encrypted together using the user's ticket.

Another copy of the random session key generated by the AS and the username are encrypted together using the service's key.

Both messages are then returned to the user. The user decrypts the first message using his ticket, revealing the name of the server from which he requested service and the session key generated by the AS.

The second message passed to the user cannot be decrypted by the user, because it was encrypted using the service's key, which the user does not have.

The user then uses that session key to encrypt a message containing the current time. This message, and the second message still encrypted, are both passed to the service for which the user requests access.

The service opens the first message (the one the client could not open) using its own key, extracting the session key and the user name requesting the use of the service.

The service then opens the second message using the session key extracted from the first, recovering the timestamped message. This serves to authenticate the user. The message may also contain an encryption key that is used to provide privacy in future communications between the user and the service.
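The exchange described above, carried through end to end as an added example (not MIT's code). The cipher, principal names, password and the 300-second clock-skew tolerance are constructed stand-ins; the point is that each party can only open the message sealed with a key it holds, and that the service rejects a stale timestamp.

```python
import hashlib, hmac, json, os, time

# Toy authenticated cipher (SHA-256 keystream + HMAC tag): a stand-in for
# Kerberos's real cipher so the exchange runs with the standard library only.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password):
    return hashlib.sha256(password.encode()).digest()  # key derived from the password

# Constructed AS database: each principal's secret key (hypothetical names).
AS_DB = {"alice": user_key("correct horse"), "mail/host": os.urandom(32)}

def as_reply(user, service):
    """AS step: fresh session key sealed once for the user, once for the service."""
    sk = os.urandom(32).hex()
    return (seal(AS_DB[user], {"session_key": sk, "service": service}),
            seal(AS_DB[service], {"session_key": sk, "user": user}))

def client_authenticator(password, for_user, for_service, now=None):
    """Client step: recover the session key, seal a timestamp with it."""
    creds = unseal(user_key(password), for_user)
    sk = bytes.fromhex(creds["session_key"])
    return seal(sk, {"time": now or time.time()}), for_service

def service_verify(service, authenticator, for_service, now=None, skew=300):
    """Service step: open the AS message with its own key, then the timestamp."""
    info = unseal(AS_DB[service], for_service)
    stamp = unseal(bytes.fromhex(info["session_key"]), authenticator)["time"]
    if abs((now or time.time()) - stamp) > skew:
        raise ValueError("stale authenticator")
    return info["user"]
```

Calling `as_reply`, then `client_authenticator`, then `service_verify` reproduces the three steps in the text; a wrong password, an attempt by the client to open the service's message, or a timestamp outside the skew window each raise `ValueError`.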

Implementing Kerberos

Implementing Kerberos on the client isn't too difficult; implementing a server, however, is a different story. The document The Moron's Guide to Kerberos does a good job of explaining Kerberos in more detail, as well as guiding users and administrators through the process of creating and using the server.

Most distributions include support for Kerberos. Distributions that use PAM are much easier to configure. Applications normally require recompiling to support Kerberos as the authentication mechanism, but PAM resolves this by allowing you to 'plug in' a Kerberos authentication module.

Kerberos isn't for everyone. Install the client support for your distribution if you require it to connect to a Kerberos server on your network. Install the Kerberos server if you have to support a large number of distributed clients and require the extra authentication.

Generally, using the Secure Shell is a fine alternative for authenticating users before logging into remote machines or transferring files.

More Information

You can find general information on Kerberos at The Information Sciences Institute.

The Kerberos FAQ is also a great reference.